Remediation and Exception Plans

You will learn how to think of and leverage Remediation Plans and Exception Plans within your daily workflows and oversight of a VM Program.

Overview

One of the biggest improvements in 6.0 is the introduction of Remediation Plans and Exception Plans. 

Think of them as a way to organize, track, assign, and manage the work your Analysts and Remediation Teams are doing. 

Remediation Plans

Typically, our clients conduct their work by identifying a set of vulnerability instances that have to be remediated. This is often done by prioritizing these vuln instances by risk or urgency (SLA) or some other custom logic. They then need to get these lists to their Remediation Team partners and track the work they do until the vulnerabilities are validated as remediated by the Scanner.

Oftentimes, this work is lost in Emails, Spreadsheets, and other communication applications, making the management and oversight of a program difficult.

Some companies leverage an IT Service Management (ITSM) platform to help manage this work. UVRM integrated with Jira, ServiceNow, or any platform that accepts Email to Ticket workflows (Asana, Trello, etc.) by creating a Ticket/Item from the selection of vuln instances an Analyst has chosen. In the past, oversight and management of these items within UVRM relied on users going to those platforms to manage the progress and status of each ticket.

We listened to our clients and decided to implement an in-product way to manage this work, regardless of whether you have integrated with an ITSM.

Remediation Plans are created by selecting a set of vuln instances within the Prioritize page. Users then determine how to organize these vuln instances for their Remediation Teams by selecting how to group the items: Group By Asset, Vuln, Vuln Instance, or No Grouping. The output of this selection is a Remediation Plan with 1 or more Actions.

Example: 10 vuln instances (3 vulns) found on 5 assets

  • Group By Asset:
    • Plan = 1
    • Actions = 5
  • Group By Vuln:
    • Plan = 1
    • Actions = 3
  • Group By Vuln Instance:
    • Plan = 1
    • Actions = 10
  • No Grouping:
    • Plan = 1
    • Actions = 1

Some organizations' Remediation Teams prefer to work from an Asset perspective, "Give me each Asset's vulns and I'll fix them." Or from a Vuln perspective, "Tell me the Vuln and where it is and I'll fix it." Or from a Vuln Instance perspective, "Tell me the specific list of Vuln Instances you need to fix individually." Or No Grouping, "Just give me a list of all of the vuln instances and I'll figure it out."
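The grouping options above, worked through on a constructed selection of 10 vuln instances (3 vulns) on 5 assets. This is an added illustration, not UVRM code or its data model; the identifiers, the `build_plan` function and the plan dictionary layout are hypothetical.

```python
from collections import defaultdict

# Constructed sample: 10 vuln instances (3 vulns) across 5 assets.
# Each instance is an (asset, vuln) pair; the IDs are placeholders.
INSTANCES = [
    ("asset-1", "VULN-A"), ("asset-1", "VULN-B"),
    ("asset-2", "VULN-A"), ("asset-2", "VULN-C"),
    ("asset-3", "VULN-A"), ("asset-3", "VULN-B"),
    ("asset-4", "VULN-B"), ("asset-4", "VULN-C"),
    ("asset-5", "VULN-A"), ("asset-5", "VULN-C"),
]

# One key function per grouping option; instances sharing a key share an Action.
GROUP_KEYS = {
    "asset": lambda inst: inst[0],
    "vuln": lambda inst: inst[1],
    "vuln_instance": lambda inst: inst,  # every instance is its own Action
    "none": lambda inst: "all",          # a single Action holds everything
}


def build_plan(name, instances, group_by):
    """Return one plan whose Actions partition the selected instances."""
    if group_by not in GROUP_KEYS:
        raise ValueError(f"unknown grouping: {group_by}")
    key = GROUP_KEYS[group_by]
    actions = defaultdict(list)
    for inst in instances:
        actions[key(inst)].append(inst)
    return {"name": name, "group_by": group_by, "actions": dict(actions)}


def action_counts(instances):
    """Number of Actions each grouping option yields for the same selection."""
    return {mode: len(build_plan("demo", instances, mode)["actions"])
            for mode in GROUP_KEYS}


if __name__ == "__main__":
    for mode, count in action_counts(INSTANCES).items():
        print(f"{mode:14} plan=1 actions={count}")
    # Scope of a single Action when grouping by vuln: every asset carrying it.
    by_vuln = build_plan("demo", INSTANCES, "vuln")
    print("VULN-A action covers:", [a for a, _ in by_vuln["actions"]["VULN-A"]])
```

Whatever the grouping, every selected instance lands in exactly one Action, so the grouping changes how work is handed out, not what is in scope.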

Users creating the Remediation Plan can give the Plan a name and determine if the plan should also be sent to an external ITSM platform (optional, coming Q4 2023). 

Users creating the Remediation Plans for internal tracking of these items can assign a user to the Plan.

Managers and Admins (as well as Analysts and Remediation Teams) are now able to quickly find their Remediation Plans and manage them without leaving UVRM. There's a new top-level page named Remediate that hosts the Remediation and Exception Plans. Here users can quickly see the status of each Remediation Plan and its Actions.

Exception Plans

Organizations typically have a process to manage the inevitability of certain vulns or assets that cannot be remediated in time or at all. This process typically involves a documented plan and approval or denial of that plan by the organization. In UVRM 6.0 we centralize our existing Risk Acceptance and False Positive workflows as Exception Plans.

From the Prioritize Page or an existing Remediation Plan, users may choose specific vuln instances and create an Exception Plan. They provide a Reason from a list of Admin-created reasons (each client can specify a custom list of reasons to be used within Exception Plans). If the Exception Type is Risk Acceptance, they can specify a Risk Accepted Until Date. This date can be used to extend an SLA or just set the expectation for when the risk can be remediated or mitigated. They can provide a detailed plan for their exception and upload any needed attachments. They can also provide a link to an external site that may hold an approval or further details.

Clients now have the choice to configure UVRM so that, upon creation of an Exception Plan, it either requires a human review by a Manager or automatically approves the exception. If a human is needed, an Admin or Manager will need to review the plan and click on Approve or Deny before the vuln instances are marked as being Risk Accepted. Otherwise, the vulns are immediately marked with the type of Exception Plan.

Note: vuln instances that meet their expiration date are reverted from Risk Accepted back to Open.
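The review and expiration rules above, modelled as a small state check. This is an added illustration, not UVRM code: the `ExceptionPlan` fields and function names are hypothetical, and it assumes an instance counts as expired from the Risk Accepted Until Date itself onward.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ExceptionPlan:
    exception_type: str                    # "Risk Acceptance" or "False Positive"
    reason: str                            # picked from the Admin-created list
    accepted_until: Optional[date] = None  # Risk Acceptance only
    decision: Optional[str] = None         # None = pending, "approved", "denied"


def submit(plan, require_review):
    """Create the plan; auto-approve unless a human review is configured."""
    if plan.accepted_until and plan.exception_type != "Risk Acceptance":
        raise ValueError("an until date applies only to Risk Acceptance")
    if not require_review:
        plan.decision = "approved"
    return plan


def review(plan, approve):
    """Manager or Admin decision on a pending plan."""
    plan.decision = "approved" if approve else "denied"
    return plan


def instance_status(plan, today):
    """Status of a vuln instance covered by the plan on a given day."""
    if plan.decision != "approved":
        return "Open"  # pending or denied plans change nothing
    if plan.exception_type == "Risk Acceptance":
        expired = plan.accepted_until is not None and today >= plan.accepted_until
        return "Open" if expired else "Risk Accepted"
    return plan.exception_type  # e.g. "False Positive"


if __name__ == "__main__":
    # Constructed sample plan and dates.
    ra = submit(ExceptionPlan("Risk Acceptance", "Patch unavailable",
                              date(2023, 12, 31)), require_review=True)
    print(instance_status(ra, date(2023, 10, 1)))   # pending review
    review(ra, approve=True)
    print(instance_status(ra, date(2023, 10, 1)))   # approved, before expiry
    print(instance_status(ra, date(2023, 12, 31)))  # expiration date reached
```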

Upcoming Features

In the near future we'd like to release the following features:

  • Exception Plan Extensions
  • Asset Level Exceptions - Risk Accept all vulns from this Asset for a period of time
  • Vuln Level Exceptions - Risk Accept this vuln across all Assets for a period of time
  • Exception Rules - Except these Assets, Vulns, or Vuln Instances in the future