A security consultant has been hired by a company to establish its vulnerability management program. The consultant is now in the deployment phase. Which of the following tasks is part of this process?
During the deployment phase of establishing a vulnerability management program, a key task is to select and procure the necessary supporting technologies. This involves obtaining the tools, systems, and resources required to carry out the program, such as vulnerability scanners, patch management solutions, and other security technologies. This step ensures that the organization has the appropriate technological infrastructure in place to identify, assess, and manage vulnerabilities effectively.
Answer A) Educate and train key stakeholders. This seems wrong because you would think all end users would need to get trained and not just key stakeholders... but literally none of the other answers available fall into the deployment stage, except for A. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf
I think it's option D. I consider the other options as follows: Option C is before the implementation phase. Options A and B are after the implementation phase.
D is correct
Agree with D, it's the only one during the development phase.
Answer: A. Educate and train key stakeholders. https://www.cisa.gov/sites/default/files/publications/CRR_Resource_Guide-VM_0.pdf

Steps in the implementation of the vulnerability management plan:
• Provide training.
• Conduct vulnerability assessment activities.
• Record discovered vulnerabilities.
• Categorize and prioritize vulnerabilities.
• Manage exposure to discovered vulnerabilities.
• Determine effectiveness of vulnerability dispositions.
• Analyze root causes.

Steps in the assessment and improvement of vulnerability management:
• Determine the state of the program.
• Collect and analyze program information.
• Improve the capability.
D. Select and procure supporting technologies. During the deployment phase, the organization selects and acquires the necessary technologies, tools, and resources that will be used to identify, assess, and remediate vulnerabilities in its IT environment. This includes the acquisition of vulnerability scanning tools, patch management solutions, and other security technologies required for the program.
D) Selecting and procuring supporting technologies is a task that occurs during the deployment phase of establishing a vulnerability management program. The deployment phase involves getting the necessary tools, technologies and resources in place to operate the vulnerability management program. This includes selecting and procuring solutions like vulnerability scanners, patch management systems, threat intelligence feeds, and any other supporting platforms.

The other options relate to different phases:
A) Training stakeholders occurs in the planning phase.
B) Measuring effectiveness of goals aligns with the maturity phase.
C) Budgeting and cost analysis takes place in the concept phase.
Conduct vulnerability assessments and penetration tests. Vulnerability assessments use automated tools to search for known vulnerabilities in systems, applications, and networks. These flaws may include missing patches, misconfigurations, or faulty code that expose the organization to security risks. From: CISSP® Certified Information Systems Security Professional Official Study Guide Ninth Edition
I'd go with B. As per the CBK 2015, page 187: "The vulnerability management program must then verify that the patch was, in fact, implemented as expected. Although this may seem inherent to the objective, it cannot be assumed. In the case of manual deployment, users and system owners may not respond accordingly or in a timely fashion. Even if timely deployment is executed, the patch may have failed. This is somewhat compensated for in automated deployment; nevertheless, both scenarios require validation of an effective installation."
D is correct