Vulnerability Management

Vulnerability management is a continuous lifecycle process that goes beyond simple vulnerability scanning. It encompasses asset discovery and inventory, regular vulnerability scanning and assessment, risk-based prioritization of findings, remediation through patching or compensating controls, verification of remediation effectiveness, and reporting and metrics tracking.

DORA requires financial entities to include vulnerability management in their ICT risk management framework. This includes maintaining awareness of current threats and vulnerabilities, promptly applying security patches, and conducting regular security assessments. DORA also emphasizes the importance of monitoring vulnerabilities in third-party systems and services.

Best practices include maintaining a complete asset inventory, conducting scans at least weekly for critical systems, using CVSS scores combined with business context for prioritization, establishing SLAs for remediation (e.g., critical: 48 hours, high: 7 days, medium: 30 days), and tracking metrics such as mean time to remediate and vulnerability density.