A cybersecurity analyst is reviewing the quarterly vulnerability management report and notices that the mean time to remediate (MTTR) for critical vulnerabilities has exceeded 30 days for the past two quarters. The chief information security officer (CISO) has expressed concern about this trend. Which of the following documents should the analyst consult first to determine the organization's formally agreed-upon remediation timeline targets?
The correct answer is the Service-level agreement (SLA). An SLA in the context of vulnerability management formally defines the expected timeframes for remediating vulnerabilities, typically categorized by severity. This document would contain the specific targets (e.g., "remediate critical vulnerabilities within 15 days") that the team's performance is measured against.
A memorandum of understanding (MOU) is a non-binding agreement that outlines the broad strokes of an accord between two or more parties; it is less specific and less formal than an SLA and would not contain detailed remediation timelines.
A compliance report documents the organization's adherence to external regulations or standards. While it might show that SLA targets are being missed, it is not the source document that defines those targets.
An executive summary is a high-level overview of a larger report. While it would highlight the failure to meet remediation goals, it would not contain the detailed definitions of the goals themselves.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of an SLA in vulnerability management?
Open an interactive chat with Bash
How does an SLA differ from asset management in cybersecurity?
Open an interactive chat with Bash
Can an SLA directly reduce incident response times?