Between the notifications of high-criticality vulnerabilities and the back-and-forth email that frequently comes with vulnerability assessment, we don't often get to ask ourselves, "what is the true effectiveness of my vulnerability management program?" This question becomes increasingly difficult to answer when remediation tasks span multiple teams and projects. This is where Goals and SLAs come in.
With Goals and SLAs, you can ensure that you're making (and tracking) progress toward your goals and service level agreements (SLAs) at an appropriate pace, and maintaining compliance with the standards you've set for your program.
Time-bound goals are designed to help you track risk reduction across a fixed set of assets or vulnerabilities by a pre-determined date. Let's use zero-day threats as an example: since it's imperative that you react quickly to these disclosures, a time-bound goal can ensure that you and your team address every asset affected by the specified vulnerability within a two-week window.
SLA goals track your ability to meet a policy over a rolling time span, measured from each item's own discovery date rather than from a single fixed deadline. These goals may resemble conditions like, "remediate 100% of critical vulnerabilities in production environments within three days of discovery," or "remediate 75% of Windows servers within 15 days of asset discovery date." Because SLA goals are dynamic in scope, newly discovered assets or vulnerabilities that meet these criteria are automatically included in tracking.
Continuous goals monitor your progress or adherence against ongoing criteria, such as a rule or key performance indicator, without a time limit. Need all of your external-facing assets to have SSH (port 22) closed, for instance? A continuous goal can track your adherence to this policy, again leveraging dynamic scope so that newly discovered external assets are checked as well.
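To make the difference between SLA goals and continuous goals concrete, here is an added example (not the product's own code or data model) that scores both kinds of goal over a small, constructed set of findings and assets. The `Finding` and `Asset` classes, the `VULN-*` identifiers and the dates are all illustrative assumptions. It shows the part the prose leaves implicit: how an SLA goal is evaluated as of a date, how findings that are still open but not yet overdue are kept out of the compliance ratio until their clock runs out, and how a finding discovered later joins the scope automatically.

```python
"""Evaluate SLA-style and continuous vulnerability management goals.

Added example: the classes, identifiers and dates below are constructed
for illustration and are not the product's own data model or API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    severity: str                      # e.g. "critical", "high"
    environment: str                   # e.g. "production", "development"
    discovered: date
    remediated: Optional[date] = None  # None while the finding is still open


def sla_compliance(findings, *, severity, environment, window_days, as_of):
    """Score an SLA goal such as "remediate 100% of critical vulnerabilities in
    production within N days of discovery", evaluated as of a given date.

    Scope is dynamic: every finding that matches the filters and was discovered
    on or before `as_of` is included, so new findings join automatically.
    Each in-scope finding lands in one bucket:
      met      - remediated on or before discovered + window_days
                 (the deadline day itself is assumed to count as on time)
      breached - remediated late, or still open after the deadline has passed
      pending  - still open, deadline not yet reached
    Compliance is met / (met + breached); pending findings are not counted
    against the goal until their deadline has actually passed.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    window = timedelta(days=window_days)
    met = breached = pending = 0
    for f in findings:
        if f.severity != severity or f.environment != environment or f.discovered > as_of:
            continue
        due = f.discovered + window
        if f.remediated is not None:
            if f.remediated <= due:
                met += 1
            else:
                breached += 1
        elif as_of > due:
            breached += 1
        else:
            pending += 1
    settled = met + breached
    compliance = met / settled if settled else None  # None: nothing has come due yet
    return {"met": met, "breached": breached, "pending": pending, "compliance": compliance}


@dataclass(frozen=True)
class Asset:
    name: str
    external: bool
    open_ports: frozenset


def continuous_goal(assets, *, scope: Callable[[Asset], bool], rule: Callable[[Asset], bool]):
    """Evaluate a continuous goal: every asset currently in `scope` must satisfy
    `rule`. There is no time window; the result is the adherence right now and
    the list of assets violating the rule."""
    in_scope = [a for a in assets if scope(a)]
    violations = [a.name for a in in_scope if not rule(a)]
    adherence = 1 - len(violations) / len(in_scope) if in_scope else None
    return {"in_scope": len(in_scope), "violations": violations, "adherence": adherence}


# Constructed sample data (not real findings or hosts).
FINDINGS = [
    Finding("web-01", "VULN-A", "critical", "production", date(2024, 3, 1), date(2024, 3, 3)),  # fixed in 2 days
    Finding("web-02", "VULN-A", "critical", "production", date(2024, 3, 1), date(2024, 3, 6)),  # fixed in 5 days
    Finding("db-01", "VULN-B", "critical", "production", date(2024, 3, 2)),                      # open, due 3/5
    Finding("web-03", "VULN-C", "critical", "production", date(2024, 3, 9)),                     # open, due 3/12
    Finding("dev-01", "VULN-A", "critical", "development", date(2024, 3, 1)),                    # out of scope: env
    Finding("web-01", "VULN-D", "high", "production", date(2024, 3, 1)),                         # out of scope: severity
    Finding("api-01", "VULN-E", "critical", "production", date(2024, 3, 11)),                    # joins scope on 3/11
]

ASSETS = [
    Asset("web-01", external=True, open_ports=frozenset({443})),
    Asset("web-02", external=True, open_ports=frozenset({22, 443})),   # violates: SSH exposed
    Asset("bastion", external=True, open_ports=frozenset({22})),       # violates: SSH exposed
    Asset("db-01", external=False, open_ports=frozenset({22, 5432})),  # internal, not in scope
]

if __name__ == "__main__":
    for day in ("2024-03-10", "2024-03-13"):
        print(day, sla_compliance(FINDINGS, severity="critical", environment="production",
                                  window_days=3, as_of=day))
    print(continuous_goal(ASSETS, scope=lambda a: a.external, rule=lambda a: 22 not in a.open_ports))
```

Evaluated on 2024-03-10 the SLA goal reports one finding met, two breached (one fixed late, one still open past its deadline) and one pending, so compliance is 1/3; three days later the pending finding has breached and `api-01` has entered scope as a new pending item, which is the dynamic-scope behaviour described above. Reporting the pending bucket separately matters in practice: folding it into either side would make the number look better or worse than the policy actually allows.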