Vulnerability Management

[kohi10 () rogers com]

I have just been assigned to a new project, creating a vulnerability management process and procedures for a very large 
business, and am looking for some guidance.  I have done this before, but for much simpler organizations.  The 
infrastructure is huge, there is little in the way of supporting documentation, such as asset lists and network maps, 
and the business is very "siloed".  

There is a basic process in place at the moment that was created many years ago, however it was never closely followed, 
much has changed in the environment, and the process was never updated.  It has many weaknesses, such as 1 person that 
carries a pager 24/7 that must also be in the office during business hours without fail.  Every CVE announcement goes 
to the pager, so the guy is not going to get a lot of sleep.

Are there any examples available of what others have done in similar circumstances?
What are others doing to manage the deluge of vulnerability announcements from Secunia, Bugtraq, Nist, and the dreaded 
patch Tuesday?

Thanks!
Kohi

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------