Managing Cross-Functional Work for Vulnerability Items (VITs) Without Transferring SLA Ownership
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yesterday
Hello,
We're looking for guidance on how other organizations handle cross-functional work on Vulnerability Items (VITs) when SLA accountability remains with a single owning team.
A VIT is assigned to and owned by a specific team with the remediation SLA. However, remediation often requires work from other teams such as:
- Firewall teams
- Network teams
- Infrastructure/Patching teams
- Other supporting technical groups
These supporting teams are not accountable for the VIT SLA, so assigning the VIT directly to them is not desirable. As a result, the owning team often coordinates the work manually through chats, emails, phone calls, and meetings.
Question: How are other organizations tracking and managing these dependencies within VRM/Vulnerability Response?
In ITSM, we have mechanisms such as:
- Change Tasks
- Problem Tasks
- Catalog Tasks
that allow work to be delegated and tracked while ownership remains with the parent record.
For VITs, I'm aware of Affecting Tasks, but these extend the generic Task table and seem to be intended more for linking records such as Incidents or Changes to a VIT. I'm not referring to Remediation Tasks in this discussion.
Is there an out-of-the-box approach for creating and tracking work items against a VIT while retaining SLA ownership with the primary team? Or have most organizations addressed this through:
- Custom task tables (e.g., a VIT Task table)
- Related Change/Incident records
- Other patterns or best practices?
I'd be interested to hear how others have implemented this and what has worked well in practice.
Thanks in advance for any insights.
Regards,
Viji