A few years ago, David Hazar and I created the Vulnerability Management Maturity Model (VMMM) to help organizations gauge the maturity of their vulnerability management program. The original blog series on the model is still available for reading.
Since then, I've regularly been asked if there's a tool to help assess where an organization stands in the maturity model. In response, I've created the VMMM Self-Assessment Tool (VMMM-SAT). I know… I SAT on the VMMM. (You went there… I know you did. But at least we have that out of the way.)
What is the VMMM-SAT?
Discover the newest tool for self-assessing your organization's vulnerability management maturity, built on the SANS Vulnerability Management Maturity Model (VMMM). The tool provides feedback across all 12 focus areas of the VMMM, giving you insight into your program's maturity and effectiveness and something concrete to report to your leadership team. By answering a series of simple YES/NO questions, you will gain an understanding of how mature your vulnerability management program is.
The VMMM-SAT is an interactive Excel spreadsheet that uses a series of questions to determine an organization's maturity level across all 12 areas of the VMMM.
How Does the VMMM-SAT Work?
Let's use the Policy and Standards section as an example. The SAT includes 12 questions in this area, which an organization answers using the No, Unknown, or Yes options. A sample of this is shown below for the Policy and Standards section of the model.
Image 1: Screen capture of the Policy and Standards section of the VMMM-SAT - Responses Incomplete
Once an organization has answered all of the questions, the spreadsheet performs its calculations and produces the maturity-level results. These results show, for each of Level 1 through Level 5, the percentage of that level's questions that have been completed. Based on these results, an organization can determine its overall maturity level.
For example, I have answered the Policy and Standards section of the spreadsheet as follows:
Image 2: Screen capture of the Policy and Standards section of the VMMM-SAT - Responses Complete
Now looking at the results from answering these questions, the SAT shows the following results:
Image 3: Screen capture of the Policy and Standards section of the VMMM-SAT - Results
Based on these results, the organization is likely somewhere between Level 2 and Level 3 in terms of maturity. Now, if you want to be strict about things, then your maturity is Level 1: it is the only level we have fully completed.
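To make the two readings of the results concrete, here is an added example (not the spreadsheet's own formulas) of the scoring described above: per-level completion percentages, the strict maturity level (highest level with every level below it at 100%), and the lenient range. The question-to-level mapping, the sample answers and the rule that only "Yes" counts as completed are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: 12 Policy and Standards questions, each tagged with the
# VMMM level it belongs to and the answer given (No / Unknown / Yes).
# The mapping and the answers are assumed for illustration, not taken from
# the VMMM-SAT spreadsheet.
POLICY_AND_STANDARDS = [
    ("Q1", 1, "Yes"), ("Q2", 1, "Yes"), ("Q3", 1, "Yes"),
    ("Q4", 2, "Yes"), ("Q5", 2, "Yes"), ("Q6", 2, "No"),
    ("Q7", 3, "Yes"), ("Q8", 3, "Unknown"),
    ("Q9", 4, "No"), ("Q10", 4, "Unknown"),
    ("Q11", 5, "No"), ("Q12", 5, "No"),
]

LEVELS = (1, 2, 3, 4, 5)
VALID_ANSWERS = ("No", "Unknown", "Yes")


def level_completion(responses):
    """Percentage of each level's questions answered Yes.

    Assumed scoring rule: only Yes counts as completed. Unknown is scored
    like No, because an unverified control provides no assurance."""
    asked, done = defaultdict(int), defaultdict(int)
    for qid, level, answer in responses:
        if answer not in VALID_ANSWERS:
            raise ValueError(f"unexpected answer {answer!r} for {qid}")
        asked[level] += 1
        if answer == "Yes":
            done[level] += 1
    return {lvl: (100.0 * done[lvl] / asked[lvl]) if asked[lvl] else 0.0
            for lvl in LEVELS}


def strict_maturity(completion):
    """Strict reading: the highest level L such that levels 1..L are all 100%."""
    reached = 0
    for lvl in LEVELS:
        if completion[lvl] < 100.0:
            break
        reached = lvl
    return reached


def maturity_range(completion):
    """Lenient reading: (strict level, highest level with any progress)."""
    strict = strict_maturity(completion)
    highest_started = max((lvl for lvl in LEVELS if completion[lvl] > 0), default=0)
    return strict, highest_started
```

With the constructed answers above, Level 1 is 100% complete while Levels 2 and 3 are partially complete, so the strict reading is Level 1 and the lenient reading spans Levels 1 to 3.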
VMMM-SAT Tool Download
You can get your own copy of the Vulnerability Management Maturity Model Self-Assessment Tool on my GitHub repository.
Improvements to the VMMM-SAT Tool
While the VMMM-SAT is not perfect, it's an important step forward in helping organizations assess their vulnerability management maturity. I welcome feedback and suggestions for improving the tool; anyone with ideas is encouraged to contact me via email or LinkedIn.
Walk Through of the VMMM-SAT Tool
To learn more about the tool and to see a full walkthrough of it, view this webcast:
Understand Vulnerability Management Maturity with a Self-Assessment Tool
By the end of this webcast, you'll understand how to discover the areas to focus on to take your program to the next level. Learning Objectives:
- Discover the benefits of using a vulnerability management maturity model self-assessment tool to improve your organization's security posture
- Use the vulnerability management maturity model self-assessment results to develop a roadmap for improving your organization's security program maturity
- Understand, and be able to communicate to leadership, your organization's vulnerability management program maturity and its areas for improvement
Digging Deeper into the Vulnerability Management Maturity Model
Now suppose you want to talk to me in person. In that case, I happen to be teaching MGT516: Building and Leading Vulnerability Management Programs at SANSFIRE in Washington, DC, in July and at SANS Network Security in Las Vegas, NV, in September. Take the course or just stop by and say hello. Additional runs of the course, the OnDemand option, and a free course demo can be found on the MGT516 course page.
I look forward to hearing your suggestions to keep moving vulnerability management forward.
About the Author: Jonathan Risto
With a career spanning over 20 years that has included working in network design, IP telephony, service development, security and project management, Jonathan has a deep technical background that provides a wealth of information he draws upon when teaching. Currently, Jonathan works for the Canadian Government conducting cyber security research in the areas of vulnerability management and automated remediation. He is also an independent security consultant. Jonathan is a co-author and instructor for SANS MGT516: Building and Leading Vulnerability Management Programs.