Capability Maturity Model: vulnerability management – scanning

We need to start asking which applications and systems are high, medium, and low value. For a small business, this may be quite simple, but once we look at multiple businesses and their needs, we can see that one business may say that all of its applications and systems are critical, while another may not even try to participate in the discovery event.

IT leadership needs to determine what constitutes a high, medium, or low impact system so that this definition is standard across the board. The hope is that, while an organization is reconciling its asset databases with vulnerability management, there is some cross work in determining the value of the system. The following is an example of an overarching Capability Maturity Model for the scanning function of vulnerability management:

Let's talk about each phase in a little more depth.
