An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment...

The best way to enable the organization to work toward improvement in its security threat and vulnerability management program is to use a capability maturity model to identify a path to an optimized program. A capability maturity model is a framework that helps organizations assess their current level of performance and maturity in a specific domain, and provides guidance and best practices to achieve higher levels of excellence12. A capability maturity model for vulnerability management can help the organization to evaluate its current practices, identify gaps and weaknesses, and implement improvement actions based on the defined criteria and objectives34.

References

1: What is a Capability Maturity Model?1 2: Capability Maturity Model - Wikipedia2 3: Vulnerability Management Maturity Model - SANS Institute4 4: 5 Stages Of Vulnerability Management Maturity Model - SecPod Blog3