Start with a small scope to avoid being overwhelmed by thousands of vulnerabilities. This can be done by starting out with a few systems, or by limiting the results to critical/high severity. This phase is the responsibility of the security officer. It is important to obtain agreement on which systems will be included in or excluded from the vulnerability management process (Palmer, 2013). Once the preparation phase is complete, the initial vulnerability scans are performed. Any issues that occur during the scans should be recorded, since they could happen again in future scans. Vulnerability scanning tools offer a wide range of reporting options, and it is necessary to use them to create a variety of reports. The security officer will be interested in the risk the organization is currently facing. This risk includes the number of vulnerabilities detected and the severity/risk rating of the identified vulnerabilities.
Once the initial scan is done, the next phase is defining remediating actions. This involves the asset owner, security officer, and the IT department. The security officer will analyze the vulnerabilities, determine the associated risks and will provide input on