Vulnerability Management & Risk Reduction Program

March 1, 2023 · 3 min read

Framework Alignment: SOC 2 & ISO/IEC 27001

Objective: Reduce organizational risk by preventing vulnerable assets from entering production and ensuring timely, well‑governed remediation across infrastructure, databases, and endpoints.

Overview

Established vulnerability management as a preventive, risk‑based control integrated into both production readiness and ongoing operations. The program aligned technical vulnerability scanning, remediation scheduling, and patch validation to SOC 2 and ISO/IEC 27001 expectations, ensuring vulnerabilities were identified early, prioritized appropriately, and remediated in a controlled, auditable manner.

How I Approached Vulnerability Risk Management

Preventive Vulnerability Controls & Production Readiness

  • Executed enterprise vulnerability scans using Qualys and Nessus
  • Performed mandatory vulnerability scans on all new server builds prior to production deployment
  • Ensured systems met baseline security requirements before promotion to production, supporting preventive controls under SOC 2 CC7 and ISO operational security principles

Continuous Risk Monitoring & Leadership Visibility (SOC 2 CC4 | ISO Clause 9)

  • Designed and delivered a Power BI Vulnerability Management Dashboard
  • Provided visibility into open vulnerabilities, remediation progress, and vulnerability burndown trends
  • Enabled management review and continuous monitoring of security risk posture

Clear Ownership & Accurate Data Mapping (SOC 2 CC3 | ISO Clause 6)

  • Parsed vulnerability scan outputs using Python to accurately map vulnerabilities to specific devices and responsible owners
  • Delivered owner‑specific remediation views to reduce noise and increase accountability
  • Improved data integrity for both remediation tracking and audit evidence

Risk‑Based Prioritization & Zero‑Day Response (SOC 2 CC5 | ISO Risk Treatment)

  • Prioritized vulnerabilities based on severity, exploitability, and active threat intelligence, including zero‑day exploitation
  • Focused remediation efforts on vulnerabilities posing the highest risk to confidentiality, integrity, and availability
  • Ensured remediation decisions aligned with documented risk tolerance and audit expectations
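As an added illustration of the Python parsing-and-mapping step described above and the risk-based prioritization in this section (example code, not the program's own scripts): a constructed scan export is joined to an assumed asset-owner inventory and a constructed active-exploitation list, yielding owner-specific remediation queues sorted by a simple priority score. The column names, hostnames, plugin IDs and scoring weights are assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample scan export (column names are assumptions, not a real Qualys/Nessus layout).
SCAN_CSV = """host,plugin_id,title,cvss,exploit_available
db01.example.internal,10001,OpenSSL remote code execution,9.8,true
web02.example.internal,10002,Outdated TLS configuration,5.3,false
web02.example.internal,10003,Path traversal in web framework,7.5,true
ep-laptop-17,10004,Browser memory corruption,8.8,true
"""
# Constructed asset inventory: host -> (owning team, business criticality 1..3).
ASSET_OWNERS = {
    "db01.example.internal": ("database", 3),
    "web02.example.internal": ("server", 2),
}
# Constructed threat-intel set of plugin IDs seen exploited in the wild (zero-day style).
ACTIVELY_EXPLOITED = {"10001", "10004"}


def parse_scan(text):
    """Read scan rows into dicts with typed CVSS and exploit fields."""
    return [
        {**r, "cvss": float(r["cvss"]),
         "exploit_available": r["exploit_available"].lower() == "true"}
        for r in csv.DictReader(io.StringIO(text))
    ]


def priority_score(finding, criticality):
    """Severity, exploitability and active threat intel, weighted by asset criticality."""
    score = finding["cvss"]
    if finding["exploit_available"]:
        score += 1.0
    if finding["plugin_id"] in ACTIVELY_EXPLOITED:
        score += 2.0   # in-the-wild exploitation outranks raw CVSS
    return round(score * criticality, 1)


def remediation_queues(text, owners=ASSET_OWNERS):
    """Map each finding to its owner and return per-owner lists, highest priority first."""
    queues = defaultdict(list)
    for f in parse_scan(text):
        # Hosts missing from the inventory are queued as 'unassigned' so the data gap is visible.
        owner, crit = owners.get(f["host"], ("unassigned", 1))
        f["priority"] = priority_score(f, crit)
        queues[owner].append(f)
    for items in queues.values():
        items.sort(key=lambda x: x["priority"], reverse=True)
    return dict(queues)
```

The "unassigned" queue is the data-integrity signal the section refers to: every finding that cannot be tied to an owner is surfaced rather than silently dropped.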

Cross‑Team Remediation Scheduling & Governance (SOC 2 CC7 | ISO Clause 8)

  • Collaborated closely with server, database, and endpoint teams to establish structured vulnerability remediation schedules
  • Coordinated remediation timelines based on system criticality, exposure, and operational impact
  • Facilitated recurring remediation discussions to track progress and remove blockers

Patch Testing & Controlled Deployment

  • Worked directly in SCCM and Patch My PC to validate and test patches prior to production rollout
  • Ensured patches were tested for stability and compatibility before deployment
  • Supported controlled, auditable patch management processes aligned with ISO patch management and SOC 2 system operations controls

Audit & GRC Integration

  • Ensured vulnerability remediation activities, approvals, and outcomes were documented and retained as audit evidence
  • Demonstrated continuous monitoring, risk treatment, and control effectiveness during audits
  • Integrated vulnerability management metrics into broader GRC and audit readiness reporting

Impact & Results

  • Prevented insecure servers from entering production environments
  • Reduced time‑to‑remediate for high‑risk and zero‑day vulnerabilities
  • Improved coordination and accountability across infrastructure, database, and endpoint teams
  • Strengthened patch governance through testing and controlled deployment
  • Provided clear, defensible evidence of vulnerability management controls during SOC 2 and ISO‑aligned audits
Author: Guiselle Armstrong
GRC & Process Improvement Professional | Six Sigma Black Belt | Compliance & Risk Management Specialist
Governance, Risk, and Compliance (GRC) professional with over a decade of experience helping organizations navigate complex risk, compliance, and technology change.