
Managing Cybersecurity Vulnerabilities

March 20, 2024

Cybersecurity requires having a plan to find and fix vulnerabilities. The I Have Cyber website lays out an orderly process with the following steps (https://havecyber.com/when-implementing-a-vulnerability-management-process-which-of-the-following-is-the-logical-order-of-activities):

  • Identification - find the weak spots in the system. Make a list of digital and physical assets, including systems, hardware and software.
  • Evaluation - assess the risks. They can include old and unsupported software, default passwords, and unneeded services. 
  • Prioritization - which are the most serious risks? Use a scoring system such as CVSS (Common Vulnerability Scoring System) and consider ease of exploiting a vulnerability, difficulty of repair and importance to the organization.
  • Remediation - fixing or at least mitigating the vulnerabilities. Update software or change system settings as required. If this is not possible, reduce the risk by adding security, limiting access or separating the affected system.
  • Verification - make sure the fixes work. 
  • Documentation - document the process and keep a record.
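
The prioritization, remediation, verification and documentation steps above can be carried into a small findings tracker; the following is an added example, not code from this article or from the I Have Cyber site. The 1-to-5 scales, the scoring formula, the `mitigate_at` threshold and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    issue: str
    cvss: float         # CVSS base score, 0.0 to 10.0
    exploit_ease: int   # 1 (hard) to 5 (trivial)
    repair_effort: int  # 1 (quick) to 5 (not feasible soon)
    importance: int     # 1 (low) to 5 (critical to the organization)
    status: str = "open"

def risk_score(f):
    """0-100 score; the formula is an assumption, not part of CVSS."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range for {f.asset}")
    return round(f.cvss * (f.exploit_ease + f.importance), 1)

def prioritize(findings):
    """Highest risk first; among equal risk, the cheaper fix goes first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.repair_effort))

def plan(f, mitigate_at=4):
    """Fix outright when feasible; otherwise reduce risk (limit access, isolate)."""
    return "mitigate" if f.repair_effort >= mitigate_at else "remediate"

def apply_fix(f):
    f.status = "mitigated" if plan(f) == "mitigate" else "remediated"

def verify(f, still_present):
    """Close a finding only after a re-check; return the record to keep."""
    if f.status == "open":
        raise ValueError("nothing to verify: no fix applied yet")
    action = f.status
    f.status = "open" if still_present else "verified"
    return {"asset": f.asset, "issue": f.issue, "action": action,
            "risk": risk_score(f), "result": f.status}

# Constructed sample inventory (assets, issues and scores are made up).
INVENTORY = [
    Finding("front-desk PC", "unneeded remote access service", 7.5, 3, 1, 2),
    Finding("file server", "unsupported operating system", 9.8, 4, 5, 5),
    Finding("printer", "outdated firmware", 5.3, 2, 2, 1),
    Finding("router", "default admin password", 8.8, 5, 1, 4),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{risk_score(f):5.1f}  {plan(f):9}  {f.asset}: {f.issue}")
```

A finding whose re-check still shows the problem goes back to `open`, so it reappears in the next prioritization pass instead of being recorded as fixed.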