Vulnerability Management Program

Proxmox Infrastructure · Tenable Nessus · NIST / ISO / CIS Aligned

An end-to-end vulnerability management program built to enterprise standards, covering asset discovery, risk-based prioritization, remediation tracking, and verification. Designed around a six-phase methodology aligned to NIST CSF 2.0, NIST SP 800-53, ISO/IEC 27001, and CIS Controls v8.

The Six-Phase Framework

The program follows a structured six-phase methodology modeled on enterprise vulnerability management workflows — from asset discovery through verification and metrics.

Phase 1 — Asset Inventory & Discovery

Documented every system in scope using a CMDB-style inventory. Mapped hypervisor hosts, VMs, and LXC containers with criticality ratings and network zones.

Phase 2 — Scope & Authorization

Defined an authorization boundary and Rules of Engagement document — establishing in-scope assets, scan windows, and emergency stop procedures before any scanning began.

Phase 3 — Scan Execution

Structured scanning in stages: host discovery, unauthenticated network scans, credentialed scans, and CIS compliance scans — each logged with templates, targets, and timing.

Phase 4 — Triage & Risk-Based Prioritization

Findings scored using a weighted model combining CVSS, public exploit availability, CISA KEV listing, asset criticality, and network exposure — moving beyond raw CVSS to true risk-based prioritization.

Phase 5 — Remediation Planning & Execution

Each finding tracked with a remediation ticket, severity-based SLA targets, and risk acceptance documentation where remediation isn’t immediately feasible.
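A worked version of the weighted scoring model from Phase 4 and the severity-based SLA mapping from Phase 5, added here as an illustration rather than the program's own tooling. The factor weights, tier thresholds, SLA day counts, and the three sample findings are assumptions for the example; the page names the factors but does not publish its weights.

```python
from dataclasses import dataclass

# Assumed factor weights (sum to 1.0); the page names the factors, not the weights.
WEIGHTS = {"cvss": 0.35, "exploit": 0.20, "kev": 0.20, "criticality": 0.15, "exposure": 0.10}
CRITICALITY = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}
EXPOSURE = {"isolated": 0.2, "internal": 0.5, "dmz": 0.8, "internet": 1.0}
# Assumed severity-based SLA targets in days, keyed by priority tier.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Finding:
    finding_id: str         # scanner plugin / finding identifier
    host: str
    cvss: float             # CVSS base score, 0.0 - 10.0
    exploit_public: bool    # public exploit code available
    in_kev: bool            # listed in the CISA Known Exploited Vulnerabilities catalog
    asset_criticality: str  # key of CRITICALITY, from the asset inventory (Phase 1)
    exposure: str           # key of EXPOSURE, from the network-zone mapping (Phase 1)


def risk_score(f: Finding) -> float:
    """Weighted 0-100 risk score; each factor is normalized to 0.0 - 1.0 first."""
    factors = {
        "cvss": f.cvss / 10.0,
        "exploit": 1.0 if f.exploit_public else 0.0,
        "kev": 1.0 if f.in_kev else 0.0,
        "criticality": CRITICALITY[f.asset_criticality],
        "exposure": EXPOSURE[f.exposure],
    }
    return round(100 * sum(WEIGHTS[k] * v for k, v in factors.items()), 1)


def priority_tier(score: float) -> str:
    for threshold, tier in ((80, "Critical"), (60, "High"), (40, "Medium")):
        if score >= threshold:
            return tier
    return "Low"


def prioritize(findings):
    """Return (finding, score, tier, sla_days) rows, highest risk first."""
    rows = [(f, risk_score(f), priority_tier(risk_score(f))) for f in findings]
    return sorted(((f, s, t, SLA_DAYS[t]) for f, s, t in rows), key=lambda r: r[1], reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("F-1", "pve-host01", 9.8, True, True, "critical", "internet"),
    Finding("F-2", "lxc-test03", 9.8, False, False, "low", "isolated"),
    Finding("F-3", "vm-files02", 6.4, True, True, "high", "internal"),
]

if __name__ == "__main__":
    for f, s, t, sla in prioritize(SAMPLE):
        print(f"{f.finding_id} {f.host:<12} CVSS={f.cvss:<4} score={s:<5} {t:<8} SLA={sla}d")
```

Note how F-3 (CVSS 6.4, but KEV-listed with a public exploit on a high-criticality host) outranks F-2 (CVSS 9.8 on an isolated test container), which is the effect of moving beyond raw CVSS.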

Phase 6 — Verification & Metrics

Post-remediation rescans confirm fixes worked, with program effectiveness measured through KPIs including MTTR, remediation rate, and credentialed scan coverage.

Frameworks & Standards

The program maps to recognized security frameworks and control catalogs, demonstrating alignment with enterprise compliance requirements.

  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST SP 800-53 Rev. 5 — Security & Privacy Controls
  • NIST SP 800-40 Rev. 4 — Patch Management
  • ISO/IEC 27001:2022 — Information Security Management
  • CIS Controls v8

Current Status

Program design and documentation complete. Unauthenticated scans executed. Authenticated credentialed scans are currently in progress; findings, triage logs, and MTTR metrics will be published upon completion.