BITS Vulnerability Management Maturity Model
Assessment Structure
The model identifies four primary Processes typical of the Vulnerability Management lifecycle: Identification, Analysis, Response and Reporting. These four main Processes are further broken down into 13 Sub Processes. Within the maturity model there is a Definition statement for each Sub Process, as well as corresponding Maturity Level descriptions, which describe the Vulnerability Management program in stages of increasing development: Maturity Level 1 being the least mature and Maturity Level 5 the most mature.

The model is designed for financial institutions, financial services companies and financial firms, and should scale across institutions of varying complexity, interconnectedness and criticality. Not every Sub Process will apply to every institution; each organization should determine how the assessment model best fits its methodology and culture.

Once complete, the model should indicate where an organization's Vulnerability Management program maturity lies. The assessment does not provide a formal recommended implementation path; however, based on the gaps identified, institutions can make specific plans to reach their desired level of maturity.

The model is designed to be an iterative tool: organizations should set a timeframe for achieving the next maturity level, then re-evaluate their current state on a periodic basis.
Processes - These are the primary steps within a typical vulnerability management program.
- Identification: How an organization determines what constitutes a vulnerability within their organization.
- Analysis: How an organization determines whether to address an identified vulnerability within their organization.
- Response: How an organization determines the responsible party and method to address an identified vulnerability within their organization.
- Reporting: How an organization manages the communication of the status of vulnerabilities within their organization.

Sub Processes - These are the secondary steps within each Process for a typical vulnerability management program. Each Sub Process is defined within the Model.

Maturity Levels - These are the levels that measure the evolution of a typical vulnerability management program. Each Maturity Level is defined within the Model.
Maturity Model Usage
Using the Tool tab, organizations select the Maturity Level statement that most closely aligns with their organization's current state, using the drop downs in Column D.

Next, organizations select the Maturity Level statement that most closely aligns with their organization's desired state, using the drop downs in Column F. The desired state can be dictated by risk appetite, cost/benefit analyses and other appropriate means.

The Tool then produces a Sub Process Gap number and a Process level gap number, so that participants can determine what actions to take, as necessary, to reduce the gap between their current state and their desired state of maturity.
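To make the Tool's arithmetic concrete, here is an added Python example that is not part of the BITS model or its spreadsheet: it validates the whole-number level selection the FAQ describes, computes one gap per Sub Process and one per Process, and looks up the next Maturity Level statement for the Prioritization Sub Process. The Process-level aggregation (sum of Sub Process gaps), the treatment of a desired level below the current level as a zero gap, and the sample selections are assumptions of this example, not statements of the model.

```python
# Added example (not part of the BITS model or its Tool tab): a small
# calculator that reproduces the gap arithmetic the Tool performs.
# Column D = current Maturity Level, Column F = desired Maturity Level.
# Assumptions of this example, not statements of the model:
#   * a Process gap is the sum of its Sub Process gaps;
#   * a desired level below the current level yields a gap of 0.
from dataclasses import dataclass

VALID_LEVELS = (1, 2, 3, 4, 5)

# Maturity Level statements for the Prioritization Sub Process, quoted from
# the model; used to show the assessor what the next level up asks for.
PRIORITIZATION_STATEMENTS = {
    1: "An ad hoc process is in place to prioritize needs for weakness "
       "and vulnerability remediation.",
    2: "A repeatable process is in place to prioritize needs for weakness "
       "and vulnerability remediation.",
    3: "A stable process is in place to prioritize needs for weakness "
       "and vulnerability remediation.",
    4: "A stable and well monitored process is in place to prioritize "
       "needs for weakness and vulnerability remediation.",
    5: "A superior process is in place to prioritize needs for weakness "
       "and vulnerability remediation activities, including automated "
       "process integration.",
}


def validate_level(level):
    """The Tool enforces a whole-number Maturity Level of 1-5 (see FAQ);
    a 'halfway' value such as 2.5 is rejected rather than rounded."""
    if (isinstance(level, bool) or not isinstance(level, int)
            or level not in VALID_LEVELS):
        raise ValueError(
            f"Maturity Level must be one of {VALID_LEVELS}, got {level!r}")
    return level


@dataclass(frozen=True)
class SubProcessAssessment:
    process: str       # e.g. "Analysis"
    sub_process: str   # e.g. "Prioritization"
    current: int       # Column D selection
    desired: int       # Column F selection

    def __post_init__(self):
        validate_level(self.current)
        validate_level(self.desired)

    def gap(self) -> int:
        """Sub Process Gap number: levels still to climb (assumed >= 0)."""
        return max(self.desired - self.current, 0)


def process_gaps(assessments):
    """Process level gap per Process (assumed: sum of Sub Process gaps)."""
    totals = {}
    for a in assessments:
        totals[a.process] = totals.get(a.process, 0) + a.gap()
    return totals


def next_level_statement(assessment, statements):
    """Statement of the next Maturity Level up, or None once the desired
    state is reached; turns a gap number into a concrete target."""
    if assessment.gap() == 0:
        return None
    return statements[assessment.current + 1]


def gap_report(assessments):
    """One line per Sub Process plus one per Process, for a status summary."""
    lines = [f"{a.process}/{a.sub_process}: current {a.current}, "
             f"desired {a.desired}, gap {a.gap()}" for a in assessments]
    lines += [f"{p}: process gap {g}"
              for p, g in process_gaps(assessments).items()]
    return lines


# Constructed sample selections (illustrative, not taken from the model).
SAMPLE = [
    SubProcessAssessment("Analysis", "Monitoring / Governance", 2, 4),
    SubProcessAssessment("Analysis", "Prioritization", 2, 4),
    SubProcessAssessment("Response", "Treatment", 3, 3),
]

if __name__ == "__main__":
    print("\n".join(gap_report(SAMPLE)))
    print("Next Prioritization target:",
          next_level_statement(SAMPLE[1], PRIORITIZATION_STATEMENTS))
```

Because `validate_level` refuses anything other than the integers 1 to 5, an assessor who feels "between" two levels has to pick one, which is exactly the situation the FAQ answers by recommending the lower level.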
Points of Contact
To Learn More: If organizations have questions that are not answered within the FAQ tab, or would like to learn more about the model initiative, participate in future model iterations, or learn about BPI BITS, please contact Andrew Kennedy (Andrew.Kennedy@BPI.com) of the Bank Policy Institute.
Model
[-Internal-]

Process: Analysis
  Sub Process: Monitoring / Governance
    Definition: A process for the tracking of identified vulnerabilities t…
  Sub Process: Prioritization
    Definition: A method for response effort prioritization.
    Maturity Level 1: An ad hoc process is in place to prioritize needs for weakness and vulnerability remediation.
    Maturity Level 2: A repeatable process is in place to prioritize needs for weakness and vulnerability remediation.
    Maturity Level 3: A stable process is in place to prioritize needs for weakness and vulnerability remediation.
    Maturity Level 4: A stable and well monitored process is in place to prioritize needs for weakness and vulnerability remediation.
    Maturity Level 5: A superior process is in place to prioritize needs for weakness and vulnerability remediation activities, including automated process integration.

Process: Response
  Sub Process: Treatment
    Definition: A method of addressing each vulnerability through remediation or risk deferral.

Maturity Level statements for two further Sub Processes (Sub Process name not given on this page):
  Severity ratings
    Maturity Level 1: Severity ratings are based on "out of the box" data provided by scanning technology or indicated in reports.
    Maturity Level 2: Severity ratings also include analysis of other available fields such as whether or not exploits are available.
  Responsible parties
    Maturity Level 1: Few responsible parties are known or are not documented.
    Maturity Level 2: Most responsible parties are known and are documented.
Current State (Tool tab)
Columns: Process, Sub Process, Sub Process Definition, Maturity Level (Select a Level), followed by the Maturity Level statements for each row.
The sample rows visible here carry the Maturity Level 1 and Maturity Level 2 statements for the Severity ratings and Responsible parties Sub Processes listed in the Model above.
Frequently Asked Questions
Is completing the Vulnerability Management Maturity Model required?
A) The Vulnerability Management Maturity Model (VMMM) is a completely voluntary tool for organizations to use t… own internal self-assessment of how mature their VM program is.

What is the recommended frequency for entities to complete their maturity model assessment?
A) Organizations can determine the frequency with which they complete the maturity model; it can be driven when process or technology changes occur that impact their VM program.

What if my organization falls in between maturity levels? Do we default to the lower level, or assign a halfway point?
A) The Tool will enforce selection of a Maturity Level of 1, 2, 3, 4 or 5. If you believe your program falls between two Levels, consider selecting the lower maturity, knowing that the resultant gap may not be as large as it calculates to be.

A) There is no requirement to provide documentation to support the selection of a Maturity Level; it may, however, b… communicating results to Senior Leaders in the event they request evidence for determining the Maturity Level.

Is N/A an option for response? What if my organization does not perform a specified step?
A) BITS realizes that not all organizations will align exactly with the process and sub-process steps identified. The M… way for institutions to evaluate an approximate level of maturity, in order to assess the steps to take to evolve their vulnerability management program.

Is the BITS Vulnerability Management Maturity Model (VMMM) based on a specific authoritative source?
A) While the VMMM is not mapped to a specific framework, BITS has tailored the model to address the scope of capabilities that authoritative sources (NIST CSF, COBIT 5) indicate organizations should have within a vulnerability management program. The model represents the consensus of the vulnerability management leaders of the member banks.

Which part of the model would address the aging of open vulnerabilities?
A) Old, open vulnerabilities could be addressed in several areas of the maturity model, including Tracking, Treatment…