Educause Security Discussion mailing list archives

Re: Vulnerability Management tools


From: David D Grisham <DGrisham () SALUD UNM EDU>
Date: Wed, 9 Dec 2015 15:35:47 +0000

We looked at these tools as well as RiskSense. We chose to build our own based on assessment findings. Key components
are Nessus scans, which get sent to the designated system owner. If patching is not possible, then we have built in an
exception document that is completed by systems and reviewed by ITSecurity, then goes through change control for review
and approval. All exceptions are dated and reviewed yearly.
Now with that said, this system is not in production yet. We just started getting the components in place as this is a 
large project and needs to be done right.
Cheers.-grish
David Grisham
David Grisham, PhD, CISM, CRISC,  CHS III
Manager, ITSecurity, UNM Hospitals, UNM Health Science Center
505.272.5657
Dgrisham () salud UNM edu



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank Barton
Sent: Wednesday, December 09, 2015 7:54 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vulnerability Management tools

Good morning folks, we are looking at tools for vulnerability management, and have identified both Qualys and Tenable
SecurityCenter as possibilities. I was wondering if there was anybody here that could speak to having used either (or
others that we should look at), pros, cons, indifferents, etc.

Thank You
Frank

--
Frank Barton
ACMT
IT Systems Administrator
Husson University
