Vulnerability Management Program

Additional Info

Company: Information Security Branch - Government of BC
Website: http://www2.gov.bc.ca/gov/content/governments/services-for-government/information-management-technology/information-security
Company size (employees): 10,000 or more
Type of solution: Service

Overview

The Vulnerability Management Program was designed to proactively identify and remediate security vulnerabilities before a security incident occurs. Due to the size and complexity of the BC Government network, there is no vendor or commercial off-the-shelf solution that could independently deliver this program easily.
For the first time in government history, a team of dedicated security professionals undertook the seemingly impossible challenge of examining all one million addresses owned by government. The team took a completely new approach, overcame obstacles, and built a program that is looked to as a model for others across the industry.
As a result of this work, many vulnerabilities were found. In a wonderful example of partnership with clients and vendors, teams across government decreased this number to less than 2%. This represented a significant reduction in security risk to government.
To successfully deliver on this goal the team was required to:
• Identify a recurring source of vulnerabilities
• Proactively identify vulnerabilities in government infrastructure with recurring scans
• Notify owners of vulnerabilities that were found
• Work and follow up with owners for mutual success
• Measure reduction of risk through reporting
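The last three steps above (notify owners, follow up, and measure risk reduction) are the part of such a program that is usually tracked in a small internal tool. The following is an added example written for this page, not the BC Government team's own tooling: it takes scanner-style findings (the sample rows, hostnames and owner names are constructed), groups open findings per owner for notification, flags those past a remediation deadline, and reports the percentage of findings still open. The per-severity SLA values and the row format are assumptions for the example.

```python
"""Owner notification and risk-reduction reporting over scan findings (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation deadlines per severity in days (assumed policy values, not from the page).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample export, shaped like a scanner's findings list. Hosts and owners
# are placeholders. "closed" is absent or empty while the finding is still open.
SAMPLE_FINDINGS = [
    {"host": "web01.example.internal", "owner": "web-team", "severity": "high",
     "title": "Outdated TLS configuration", "first_seen": "2024-01-05", "closed": "2024-01-20"},
    {"host": "web02.example.internal", "owner": "web-team", "severity": "critical",
     "title": "Unpatched web service", "first_seen": "2024-02-20"},
    {"host": "db01.example.internal", "owner": "db-team", "severity": "medium",
     "title": "Weak cipher suite enabled", "first_seen": "2024-02-15"},
    {"host": "db02.example.internal", "owner": "db-team", "severity": "low",
     "title": "Banner discloses version", "first_seen": "2024-01-01", "closed": "2024-02-01"},
    {"host": "app01.example.internal", "owner": "app-team", "severity": "high",
     "title": "Missing security update", "first_seen": "2024-01-10", "closed": "2024-02-05"},
    {"host": "app02.example.internal", "owner": "app-team", "severity": "medium",
     "title": "Default credentials on admin page", "first_seen": "2024-01-12", "closed": "2024-02-10"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    owner: str
    severity: str
    title: str
    first_seen: date
    closed: Optional[date] = None  # None while the finding is still open

    def is_open(self) -> bool:
        return self.closed is None

    def due(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])


def parse_findings(rows):
    """Validate scanner rows and turn them into Finding objects."""
    findings = []
    for r in rows:
        sev = r["severity"].lower()
        if sev not in SLA_DAYS:
            raise ValueError(f"unknown severity {r['severity']!r} on {r['host']}")
        closed = date.fromisoformat(r["closed"]) if r.get("closed") else None
        findings.append(Finding(r["host"], r["owner"], sev, r["title"],
                                date.fromisoformat(r["first_seen"]), closed))
    return findings


def notifications_by_owner(findings, today_iso):
    """Group open findings per owner and mark those past their SLA for follow-up."""
    today = date.fromisoformat(today_iso)
    by_owner = defaultdict(list)
    for f in findings:
        if f.is_open():
            by_owner[f.owner].append({
                "host": f.host, "title": f.title, "severity": f.severity,
                "due": f.due().isoformat(), "overdue": today > f.due(),
            })
    return dict(by_owner)


def risk_metrics(findings, today_iso):
    """Summarise how much of the discovered risk remains open at a point in time."""
    today = date.fromisoformat(today_iso)
    open_ = [f for f in findings if f.is_open()]
    overdue = [f for f in open_ if today > f.due()]
    severe = [f for f in open_ if f.severity in ("critical", "high")]
    total = len(findings)
    return {
        "total": total,
        "open": len(open_),
        "percent_open": round(100.0 * len(open_) / total, 1) if total else 0.0,
        "overdue": len(overdue),
        "high_or_critical_open": len(severe),
    }


if __name__ == "__main__":
    found = parse_findings(SAMPLE_FINDINGS)
    for owner, items in notifications_by_owner(found, "2024-03-01").items():
        print(owner, items)
    print(risk_metrics(found, "2024-03-01"))
```

Running the report on each scan cycle and keeping the output gives the trend line a program like this reports on; the overdue flag is what drives the follow-up step, since owners with overdue critical or high findings are the ones to contact first.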
The greatest tangible achievement was the complete and proactive scanning of our large and complex infrastructure. We are now scanning continuously all year round. Using new custom-built tools and processes, the vast majority of the high-risk vulnerabilities have been identified and successfully remediated.
Benefits of the Vulnerability Management program included brand new capabilities in vulnerability discovery, reporting and tracking through to successful mitigation:
• Reducing the likelihood of successful cyberattack
• Minimizing time and effort for incident response
• Ensuring additional safeguards for the protection of critical data
• Meeting legal, regulatory, and policy requirements
• Reducing risk and minimizing impact
“If you think you can you will”

How we are different

1. Built from scratch and customized for government's very complex network
2. Program led by a "female" Cybersecurity Professional/Manager and a small team of 5, which is not at all common
3. Program was developed, implemented, and delivered with a complete set of program documents and tools, and was fully adopted across government by clients, vendors, and service providers within 8 months. Overall buy-in success was extremely high.