Free Phone Consultation For New Clients | CONTACT NOW

Risk Management & Mitigation

Risk Management & Mitigation

Need for Vulnerability Management

In the “wild west” days of tech, IT systems were built like buildings with no doors or locks.  Companies used a break-fix approach to running their IT.  This model is broken.  No one would ever consider building a building without doors and locks.  No one would consider managing a building without a plan to check the doors and locks regularly.  The same principle applies to your IT.  Doors and locks must be built into IT systems, and they need to be checked regularly.

CRAG Approach to Vulnerability Management

At CRAG, we think you have enough to do running your business.  Let us worry about your IT vulnerabilities.  We take a security-first approach to your IT systems.  We check to ensure doors and locks are installed.  We monitor your systems to ensure the doors and locks work.  We recommend security improvements over time.  The modern threat landscape requires this approach. Our vulnerability management approach occurs in two phases: Risk Assessment and Risk Remediation.  Each phase can be purchased separately.

Vulnerability Management Policy

A vulnerability management policy defines the process for identifying and remediating vulnerabilities in your data infrastructure.  The policy requires identifying all the hardware and software running on the network.  Service level agreements with existing vendors are obtained and verified.  The policy also defines the process of scanning, prioritizing, remediating, and verifying that vulnerabilities are remediated.

Service Level Agreements for Vulnerability Management

If you need to be compliant with laws such as HIPAA and AWIA or standards such as PCI DSS, we ensure that the hardware and software we provide is compliant with these requirements.  We obtain agreements from software and hardware manufacturers to support compliance.  We provide our service-level agreement in writing to support compliance too.

Asset Management

Asset management must include a hardware inventory and software inventory—scanning the network to determine what devices are connected and what software they are running.  New exploits for hardware and software are continuously discovered, and these vulnerabilities need to be patched regularly.  This starts with knowing what’s on your network.

Risk assessment Phase


  • Scanning involves checking the network for all attached devices and the software and services they are running.  Scans often turn up unauthorized devices, broken services, and outdated software.  These are all security vulnerabilities that need to be remediated.  CRAG offers on-demand comprehensive scans and vulnerability assessment reports.  We can remediate the vulnerabilities or provide the results to your internal IT department for remediation.

Vulnerability Identification

  • Vulnerabilities are identified using the Common Vulnerabilities and Exposures (CVE) database, the industry standard for IT vulnerabilities.  Additional vulnerabilities are identified using database plug-ins for specific manufacturers.

Risk Remediation Phase


  • Vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS) in four categories of critical, high, medium, and low.  Vulnerabilities are remediated on a timeline that corresponds to their risk level.


  • In this step, vulnerabilities are assigned to the person responsible for addressing the vulnerability. Remediation involves applying technical controls that mitigate the vulnerabilities identified and prioritized.  


  • Verification involves tracking vulnerabilities and confirming that the technical controls are applied properly.  Tracking involves creating a database of vulnerabilities including remediation and verification information.  Confirmation involves running scans, measuring, and penetration testing to ensure that remediation is complete.


  • This step demonstrates that risk assessment and risk remediation phases align with business goals.  Data from both phases are collected and communicated to demonstrate value and relevance for clients. Ready to discuss a vulnerability management program for your business?  Email for a quote.

Other Services

CRAG Acts Like Your Internal IT Department

Cyber Risk Analysis Group has your back!
Request Consultation