
In light of the increasing volume and sophistication of cyber threats, the Bank Policy Institute's (BPI) technology policy division, BITS, developed the Vulnerability Management Maturity Model (VMMM) assessment tool on behalf of its members, to help institutions determine their Vulnerability Management (VM) Program maturity.

The assessment provides institutions with a repeatable and measurable process to inform management of their institution's risks and cybersecurity preparedness with regard to Vulnerability Management.

Assessment Structure

The model identifies four primary Processes typical to the Vulnerability Management lifecycle:
Identification, Analysis, Response and Reporting.

These four main Processes are further broken down into 13 Sub Processes. Within the maturity
model, there is a Definition statement for each Sub Process, as well as corresponding Maturity
Level descriptions, which define the Vulnerability Management program in stages of increasing
development: Maturity Level 1 being the least mature, and Maturity Level 5 being the most
mature.

To complete the assessment, management evaluates their institution's Vulnerability Management Maturity Level from 1 through 5 for each of the 13 Sub Processes, using the descriptive statements for each Sub Process and Maturity Level.

Purpose and Intent

The model is designed for financial institutions, financial services companies and financial firms,
and should scale across institutions of varying complexity, interconnectedness, and criticality.
While each Sub Process may not apply to every institution, each organization should determine
how the assessment model best fits with their methodology and culture.
Once complete, the model should indicate where an organization's Vulnerability Management
program maturity lies. The assessment will not provide a formal recommended implementation
path; however, based on the gaps identified, institutions can make specific plans to reach their
desired level of maturity.

The model is designed to be an iterative tool; organizations should determine a timeframe for reaching the next Maturity Level, then re-evaluate their current state on a periodic basis.

Maturity Model Components


The components represented in columns A-I on Tab 2 of this workbook consist of the core model components, namely:
- Processes;
- Sub Processes;
- Definitions;
- Maturity Levels.

Processes - These are the primary steps within a typical vulnerability management program.
- Identification: How an organization determines what constitutes a vulnerability within their
organization.
- Analysis: How an organization determines whether to address an identified vulnerability within
their organization.
- Response: How an organization determines the responsible party and method to address an
identified vulnerability within their organization.
- Reporting: How an organization manages the communication of the status of vulnerabilities
within their organization.

Sub Processes - These are the secondary steps within each process for a typical vulnerability
management program. Each sub process is defined within the Model.

Maturity Levels - These are levels that measure the evolution of a typical vulnerability
management program. Each maturity level is defined within the Model.
Maturity Model Usage
Using the Tool tab, organizations select the Maturity Level statement that most closely aligns
with their organization's current state using the drop downs in Column D.
Next, organizations select the Maturity Level statement that most closely aligns with their
organization's desired state using the drop downs in Column F. Desired State can be dictated by
risk appetite, cost/benefit analyses, and other appropriate means.

The Tool computes a Sub Process Gap (the desired level minus the current level) for each Sub Process, and a Process-level gap, so that participants can determine what actions to take, as necessary, to reduce the gap between their current state and their desired state of maturity.
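The gap arithmetic the Tool tab performs, reproduced as an added Python example so the assessment can be scored outside the workbook (this is not BITS code). The Process and Sub Process names are taken from the model; the one assumption, marked in the code, is how sub-process gaps roll up to a Process Gap, which the page does not spell out: the example uses the largest sub-process gap within the Process. The sample assessment is constructed.

```python
"""Offline scorer for the BITS Vulnerability Management Maturity Model (VMMM).

Added example; it is not the BITS workbook. The Process and Sub Process names
follow the model, and Sub Process Gap = desired level - current level, as the
Tool tab describes. The page does not state how the Tool rolls sub-process
gaps up to a Process Gap; this example ASSUMES the Process Gap is the largest
sub-process gap within that Process.
"""

from typing import Dict, List, Tuple

LEVELS = range(1, 6)  # the Tool enforces a selection of 1, 2, 3, 4 or 5

# Process -> its Sub Processes, in the model's order (13 in total).
MODEL: Dict[str, List[str]] = {
    "Identification": ["Intelligence", "Scoping", "Detection", "Validation", "Tracking"],
    "Analysis": ["Severity Level Determination", "Exposure Determination", "Prioritization"],
    "Response": ["Assignment", "Treatment", "Escalation"],
    "Reporting": ["Communication", "Close Out"],
}
ALL_SUB_PROCESSES = [sp for sps in MODEL.values() for sp in sps]

# An assessment maps each Sub Process to (current level, desired level).
Assessment = Dict[str, Tuple[int, int]]


def _check(assessment: Assessment) -> None:
    """Reject input the workbook's drop-downs would not accept."""
    missing = set(ALL_SUB_PROCESSES) - set(assessment)
    unknown = set(assessment) - set(ALL_SUB_PROCESSES)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, (current, desired) in assessment.items():
        if not all(isinstance(x, int) and x in LEVELS for x in (current, desired)):
            raise ValueError(f"{name}: levels must be whole numbers 1-5, got {current}/{desired}")
        if desired < current:
            # A desired state below the current state is not a gap to close;
            # treat it as a data-entry error rather than reporting a negative gap.
            raise ValueError(f"{name}: desired level {desired} is below current level {current}")


def sub_process_gaps(assessment: Assessment) -> Dict[str, int]:
    """Sub Process Gap for each of the 13 Sub Processes: desired - current."""
    _check(assessment)
    return {name: desired - current for name, (current, desired) in assessment.items()}


def process_gaps(assessment: Assessment) -> Dict[str, int]:
    """Process Gap per Process (ASSUMPTION: the largest of its sub-process gaps)."""
    gaps = sub_process_gaps(assessment)
    return {process: max(gaps[sp] for sp in sps) for process, sps in MODEL.items()}


def prioritized(assessment: Assessment) -> List[Tuple[str, str, int]]:
    """(process, sub process, gap) for every open gap, largest gap first."""
    gaps = sub_process_gaps(assessment)
    rows = [(p, sp, gaps[sp]) for p, sps in MODEL.items() for sp in sps if gaps[sp] > 0]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


# Constructed sample: the workbook's shipped default of current 1 / desired 2
# for every row, except Detection (1 -> 4) and Treatment (2 -> 3), so that the
# Process Gaps differ between Processes.
SAMPLE: Assessment = {sp: (1, 2) for sp in ALL_SUB_PROCESSES}
SAMPLE["Detection"] = (1, 4)
SAMPLE["Treatment"] = (2, 3)

if __name__ == "__main__":
    for process, gap in process_gaps(SAMPLE).items():
        print(f"{process:<15} Process Gap {gap}")
    for process, sp, gap in prioritized(SAMPLE):
        print(f"  gap {gap}  {process} / {sp}")
```

If your institution rolls gaps up differently (for example by averaging), change `process_gaps` only; the per-Sub-Process arithmetic is what the page defines.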

Governance Process for Changes


BPI BITS development stakeholders recognize that future maintenance of the model is essential
for its ultimate success, and as such, BITS is tasked with maintaining and evolving the model.
BITS recognizes that users may suggest potential enhancements and new vulnerability
management concepts between model versions. As these recommendations surface, BITS will
evaluate their applicability to a vulnerability management program and the feasibility of
incorporation into the model’s next version.

Points of Contact
To Learn More: In the event that organizations have questions that are not answered within the
FAQ tab, or to learn more about the model initiative, participating in future model iterations, or
BPI BITS, please feel free to contact Andrew Kennedy (Andrew.Kennedy@BPI.com) of the Bank
Policy Institute.
Process / Sub Process / Definition

Identification
- Intelligence: Discovery of intelligence initiating the vulnerability management process.
- Scoping: The scope of targets to be included in the vulnerability management program.
- Detection: A method for detecting vulnerabilities in a standard and repeatable manner on in-scope targets.
- Validation: Ensure results are complete and accurate prior to engaging with additional processes.
- Tracking: Publish identified vulnerabilities in a consumable manner.

Analysis
- Severity Level Determination: A method for determining the severity of identified vulnerabilities, taking into account the existing control environment.
- Exposure Determination: A method for determining the organizational exposure of identified vulnerabilities.
- Prioritization: A method for response effort prioritization.
- Monitoring / Governance (listed under Analysis on this tab, but not one of the 13 Sub Processes scored on the Tool tab): A process for the tracking of identified vulnerabilities through a vulnerability management lifecycle.

Response
- Assignment: Identification of the responsible party.
- Treatment: A method of addressing each vulnerability through remediation or risk deferral.
- Escalation: A process used to raise awareness of stalled response actions.

Reporting
- Communication: Communication of the severity associated with vulnerabilities to internal stakeholders.
- Close Out: A method for ending the tracking of an identified vulnerability upon validation of remediation.

Maturity Level Descriptions

Intelligence
- Maturity Level 1: Informal identification of vulnerabilities is performed.
- Maturity Level 2: A manual process for intelligence discovery is used on an ad hoc basis.
- Maturity Level 3: A documented process for threat identification is executed on a standard periodic basis.
- Maturity Level 4: An automated threat intelligence feed is integrated into the VM process in real time.
- Maturity Level 5: A threat intelligence feed is integrated in real time and leverages organizational input for contextualization.

Scoping
- Maturity Level 1: Scope of targets is unknown or limited.
- Maturity Level 2: Scope of targets is determined solely by regulations (example: PCI).
- Maturity Level 3: Scope of targets is determined by the VM team.
- Maturity Level 4: Scope of targets is identified through discovery.
- Maturity Level 5: A complete and accurate repository of targets is leveraged to provide up-to-date target scope.

Detection
- Maturity Level 1: Targets are scanned ad hoc for vulnerabilities as time permits.
- Maturity Level 2: Targets are scanned in a scheduled manner for some target types.
- Maturity Level 3: Target scanning requirements are defined organization-wide and standard scanning techniques are made available.
- Maturity Level 4: Target scanning requirements and methods are defined for all target types.
- Maturity Level 5: Target scanning is performed in real time / continuously for all target types.

Validation
- Maturity Level 1: Ad hoc validation is performed on some identified vulnerabilities.
- Maturity Level 2: A manual process for validation of identified vulnerabilities is established and enacted on an ad hoc basis.
- Maturity Level 3: A documented process for periodic vulnerability validation is established and operational.
- Maturity Level 4: Validation is performed upon publication of vulnerabilities, and identified discrepancies are removed from results.
- Maturity Level 5: Automated validation is performed prior to presentation to target owners, and a feedback workflow is in place for additional scrutiny.

Tracking
- Maturity Level 1: Vulnerability data can be requested from the scanning source but may not be available or easily consumable.
- Maturity Level 2: Vulnerability data may be available ad hoc or within the scanning source.
- Maturity Level 3: Vulnerability data is manually aggregated in a single source location.
- Maturity Level 4: Vulnerability data is aggregated into a central repository and readily available for user consumption.
- Maturity Level 5: Vulnerability data is available in a central repository and can be customized / manipulated for ease of consumption.

Severity Level Determination
- Maturity Level 1: Severity ratings are based on "out of the box" data provided by scanning technology or indicated in reports.
- Maturity Level 2: Severity ratings also include analysis of other available fields, such as whether or not exploits are available.
- Maturity Level 3: Severity ratings include correlation with the affected target's business criticality in addition to the severity designation.
- Maturity Level 4: Threat intelligence or other available data, which may require additional products or services, is leveraged to severity-rate vulnerabilities.
- Maturity Level 5: Organization-specific threat intelligence, or other environmental information, is leveraged. This information may require human analysis or more extensive customization.

Exposure Determination
- Maturity Level 1: Little or no ability to discover, reach and check all internal/external systems for weaknesses and vulnerability exposures, with many high-risk blind spots.
- Maturity Level 2: Significant gaps in system inventory, with limited tools to reach and check all internal/external systems for weaknesses and vulnerability exposures, including some high-risk blind spots.
- Maturity Level 3: Some system inventory gaps, with the ability to reach and check all critical internal/external systems for weaknesses and vulnerability exposures, with a few high-risk blind spots.
- Maturity Level 4: A high degree of organization-wide system inventory visibility, with maintained tools which reach most internal/external systems to check for weaknesses and vulnerability exposures, with some low/moderate-risk blind spots.
- Maturity Level 5: Full organization-wide system inventory visibility, with well maintained / comprehensive tools which reach and check all internal/external systems for security weaknesses and vulnerability exposures, with no blind spots.

Prioritization
- Maturity Level 1: An ad hoc process is in place to prioritize needs for weakness and vulnerability remediation.
- Maturity Level 2: A repeatable process is in place to prioritize needs for weakness and vulnerability remediation.
- Maturity Level 3: A stable process is in place to prioritize needs for weakness and vulnerability remediation.
- Maturity Level 4: A stable and well monitored process is in place to prioritize needs for weakness and vulnerability remediation.
- Maturity Level 5: A superior process is in place to prioritize needs for weakness and vulnerability remediation activities, including automated process integration.

Assignment
- Maturity Level 1: Few responsible parties are known, or they are not documented.
- Maturity Level 2: Most responsible parties are known and documented.
- Maturity Level 3: All responsible parties are identified and documented.
- Maturity Level 4: All responsible parties are identified, documented, and frequently monitored and updated.
- Maturity Level 5: Responsible parties are identified, documented, and are part of an automated process which is frequently monitored and updated.

Treatment
- Maturity Level 1: No effective method exists to address weaknesses and vulnerabilities.
- Maturity Level 2: A repeatable method is in place to address weaknesses and vulnerabilities.
- Maturity Level 3: A process is in place to address weaknesses and vulnerabilities, including the ability to effectively track status results.
- Maturity Level 4: A process is in place to address weaknesses/vulnerabilities, with the ability to effectively track status results, along with an effective risk deferral process.
- Maturity Level 5: A highly automated process is in place to address weaknesses/vulnerabilities, with the ability to effectively track status results, along with an effective risk deferral process.

Escalation
- Maturity Level 1: No effective method is in place to escalate non-compliance issues to the management of responsible parties.
- Maturity Level 2: A repeatable method is in place to escalate non-compliance issues to the management of responsible parties.
- Maturity Level 3: A method is in place to escalate non-compliance issues, including keeping a current list of the management of responsible parties.
- Maturity Level 4: A method is in place to escalate non-compliance issues to the management of responsible parties, including metrics, aging of past-due compliance issues and reporting to executive management.
- Maturity Level 5: An automated method is in place to escalate non-compliance issues to the management of responsible parties, including metrics, aging of past-due compliance issues and reporting to executive management.

Communication
- Maturity Level 1: No effective method is in place to communicate the severity of weaknesses and vulnerabilities to internal stakeholders.
- Maturity Level 2: A repeatable method is in place to communicate the severity of weaknesses and vulnerabilities to internal stakeholders.
- Maturity Level 3: A method is in place to communicate the severity of weaknesses and vulnerabilities, including keeping a current list of internal stakeholders.
- Maturity Level 4: A method is in place to communicate the severity of weaknesses and vulnerabilities, including timely notifications to internal and 3rd/4th party stakeholders.
- Maturity Level 5: An automated method is in place to communicate the severity of weaknesses and vulnerabilities, including timely notifications to internal and 3rd party stakeholders.

Close Out
- Maturity Level 1: No effective method is in place to conclude weakness and vulnerability remediation efforts.
- Maturity Level 2: A repeatable method is in place to conclude weakness and vulnerability remediation efforts.
- Maturity Level 3: A method is in place to conclude weakness and vulnerability remediation, as well as tracking efforts.
- Maturity Level 4: A method is in place to conclude weakness and vulnerability remediation and tracking, as well as performing validation of completion by an internal independent risk group (2nd Line).
- Maturity Level 5: A highly automated method is in place to conclude weakness and vulnerability remediation and tracking, as well as performing validation of completion by an internal independent risk group (2nd Line).

Tool tab (as shipped: every Sub Process at Current State 1 and Desired State 2)

The Current State Description and Desired State Description columns show the Maturity Level 1 and Maturity Level 2 statements for each Sub Process, as listed above. Sub Process Gap = Desired State level minus Current State level.

Process         Sub Process                    Current  Desired  Sub Process Gap  Process Gap
Identification  Intelligence                      1        2           1              1
Identification  Scoping                           1        2           1
Identification  Detection                         1        2           1
Identification  Validation                        1        2           1
Identification  Tracking                          1        2           1
Analysis        Severity Level Determination      1        2           1              1
Analysis        Exposure Determination            1        2           1
Analysis        Prioritization                    1        2           1
Response        Assignment                        1        2           1              1
Response        Treatment                         1        2           1
Response        Escalation                        1        2           1
Reporting       Communication                     1        2           1              1
Reporting       Close Out                         1        2           1

Frequently Asked Questions
Is completing the Vulnerability Management Maturity Model required?

A) The Vulnerability Management Maturity Model (VMMM) is a completely voluntary tool for organizations to use to perform their own internal self-assessment of how mature their VM program is.

What is the recommended frequency for entities to complete their maturity model assessment?

A) Organizations can determine the frequency with which they complete the maturity model; it can be driven by process or technology changes that impact their VM program.

What if my organization falls in between maturity levels? Do we default to the lower level, or assign a halfway point?

A) The Tool will enforce selection of a Maturity Level of 1, 2, 3, 4 or 5. If you believe your program falls between two Levels, consider selecting the lower maturity, knowing that the resultant gap may not be as large as it calculates to be.

Must we accompany the model responses with supporting documentation?

A) There is no requirement to provide documentation to support the selection of a Maturity Level; it may, however, be useful when communicating results to senior leaders in the event they request evidence for determining the Maturity Level.

Is N/A an option for response? What if my organization does not perform a specified step?

A) BITS realizes that not all organizations will align exactly with the process and sub-process steps identified. The Model provides a way for institutions to evaluate an approximate level of maturity, in order to assess steps to take to evolve their vulnerability management program.

Is the BITS Vulnerability Management Maturity Model (VMMM) based on a specific authoritative source?

A) While the VMMM is not mapped to a specific framework, BITS has tailored the model to address the scope of capabilities that authoritative sources (NIST CSF, COBIT 5) indicate organizations should have within a vulnerability management program; it represents the consensus of the vulnerability management leaders of the member banks.

Which part of the model would address the aging of open vulnerabilities?

A) Old, open vulnerabilities could be addressed in several areas of the maturity model, including Tracking and Treatment.
