CAF – B4.d Vulnerability Management

Vulnerability Management Process

A structured vulnerability management process should be in place to identify, assess and remediate known vulnerabilities across systems and services used to deliver managed services. This helps ensure weaknesses are addressed before they affect essential functions.

Threat Awareness and Intelligence Sources

• Organisations should maintain awareness of emerging threats using trusted sources such as:

  • NCSC advisories

  • BleepingComputer

  • Vendor security bulletins

• Vulnerabilities should also be identified automatically through operational tooling, including:

  • RMM/Endpoint tools: NinjaOne, Datto RMM, N-able, Atera

  • EDR/AV: Microsoft Defender, SentinelOne, CrowdStrike

  • Vulnerability scanners: Nessus, Qualys, OpenVAS

Regular Scanning and Remediation

• Regular vulnerability scans should be performed across servers, endpoints, cloud services and network devices.

• High-risk findings should be logged (e.g. in Adoptech or the organisation’s tracking system).

• Where appropriate, the risk register should be updated.

• Remediation may include:

  • patching via RMM/Intune

  • configuration changes

  • replacing unsupported components

Independent Validation

• Independent penetration testing should be conducted at least annually or after significant changes.

• Findings should be added to the remediation workflow and tracked to closure.

Supported Components

• Only supported software, firmware and hardware should be used.

• Unsupported components should be prioritised for upgrade or removal.

Maintaining Security Posture

• A structured approach—supported by automation and third-party validation—ensures a current understanding of vulnerability exposure and enables timely action to protect client services.