cve-dashboard/docs/team-training-agenda.md

# STEAM Security Dashboard — Team Training Agenda

**Session length:** 30–40 minutes
**Format:** Live walkthrough (share your screen on the dashboard)
**Reference docs:** `security-posture-workflow.md` for full detail on anything covered here

---

## Pre-meeting prep

- Have the dashboard open and logged in before the meeting starts
- Sync Vulnerability Triage page so data is fresh when you get there
- Print or share `security-posture-workflow.md` as a take-home reference

---

## Segment 1 — Why this tool exists (3 min)

**Talking points:**
- We have open Ivanti findings in the 8.5–9.9 VRR range — these are the ones we own and are accountable for
- Every finding needs a documented action within **60 days of detection** (the SLA rule)
- Findings that age past their Due Date make a device non-compliant in AEO posture reporting
- This dashboard is how we track, triage, and prove we've actioned everything — replaces manual spreadsheet tracking

---

## Segment 2 — Dashboard orientation (4 min)

**Show on screen:** Navigate through each page in the nav drawer

- **Home (CVE Management)** — our CVE research library; this is where we store screenshots, advisories, and Archer EXC numbers against each CVE/vendor pair
- **Vulnerability Triage (Host Findings)** — the daily operational page; this is where you spend most of your time
- **Compliance** — AEO posture data uploaded from the NTS_AEO xlsx; shows metric health per team
- **Knowledge Base** — internal docs, runbooks, advisories
- **Exports** — bulk data extracts when needed

> Tell the team: *"The Vulnerability Triage page is what we'll focus on today — that's where the workflow lives."*

---

## Segment 3 — The three things you can do with a finding (5 min)

**Talking points — before showing the table, set context:**

Every finding in our range gets one of three designations:

1. **Remediation** — you fix the root cause
   - Firmware/software upgrade → no ticket needed, finding drops off on next scan
   - Configuration change → **Archer EXC ticket required** (if the config is ever rolled back, the vulnerability comes back — the ticket documents that we know)

2. **False Positive (FP)** — the scanner flagged something that doesn't actually apply to our platform or version
   - Requires an FP workflow opened in Ivanti
   - Evidence requirements: (a) **screenshot from the device** showing hostname, IP, and SW version — CLI text is not accepted; (b) vendor documentation (advisory, email, support ticket) confirming it doesn't affect us
   - Upload evidence to the CVE database on the Home page so we can reuse it when the FP expires

3. **Risk Acceptance (Archer EXC)** — we can't patch, for a documented reason
   - Vendor hasn't released a patch yet
   - Device is EOL/EOS — needs mitigation steps + remediation plan in the ticket
   - Business constraint — needs justification and compensating controls
   - Format: enter `EXC-XXXXX` in the finding's Notes cell after the ticket is created

> Tell the team: *"Knowing which path you're on before you touch the dashboard makes triage fast. The workflow is just deciding which of these three it is."*

---

## Segment 4 — The 5-step workflow on the Vulnerability Triage page (15 min)

**Show on screen:** Vulnerability Triage page, live walkthrough on a real finding

### Step 1 — Sync and sort (1 min)
- Click **Sync** top-right, wait for timestamp to update
- Click **Due Date** column to sort ascending — reds first, then ambers
- Red = overdue, Amber = due within 30 days — work these first

### Step 2 — Identify the host (3 min)
- Use the **IP address** in the row to verify the hostname in Infoblox (preferred) or IPControl
- If Ivanti has a stale hostname: click the **Host cell** directly in the table — it's inline editable
- An amber dot appears on overridden cells; original value is preserved and can be restored
- Show the revert button (↻) so they know corrections aren't permanent unless they want them to be

### Step 3 — Check who owns the asset (2 min)
- Look at the **BU column**
- If it's `NTS-AEO-STEAM` or `NTS-AEO-ACCESS-ENG` → our team, continue
- Anything else (or blank) → not ours → **CARD queue**
  - Check the row checkbox, select CARD, click Add to Queue
  - IP address is captured automatically for the CARD search
  - Process CARD items in a separate session

### Step 4 — Look up the CVEs (4 min)
- Each row shows up to 2 CVEs; hover the **+N badge** to see more
- Go to Home page, search for the CVE ID
  - If it exists → review existing notes, docs, and any EXC numbers already linked
  - If not → click **Add CVE**, enter the CVE ID, NVD auto-fill populates the rest
- Research: vendor advisory portal (Juniper PSN, Cisco Bug Search) — determine if it's an FP, can be patched, or needs an Archer ticket

### Step 5 — Take action (5 min)
- **Patch available (firmware/SW)** — plan the upgrade, add a note to the finding row, done
- **Config change only** — checkbox → Vendor → select **Archer** → Add to Queue → process in Ivanti later
- **False Positive** — collect screenshot + vendor doc, upload to Home page CVE entry, then checkbox → Vendor → select **FP** → Add to Queue → submit FP in Ivanti in a separate session
- **Can't patch (Archer)** — same as config change path; once EXC number is issued, paste it into the finding's **Notes cell** (`EXC-XXXXX` format)

---

## Segment 5 — The Ivanti Queue (5 min)

**Show on screen:** Click the Queue button, show the panel

- **Purpose:** tag findings as you triage, then batch all the Ivanti / Archer work in one focused session instead of context-switching constantly
- Three types: **FP** (amber), **Archer** (sky blue), **CARD** (green)
- CARD items show the IP address so you can search directly in CARD
- Check the green checkbox on an item when the Ivanti/Archer action is done
- Multi-select delete: check the small red boxes, click **Delete (N)** in the footer
- Queue is **personal to your login** — each person has their own; it persists across sessions

---

## Segment 6 — Workflow badge colours (3 min)

**Show on screen:** Workflow column on the Vulnerability Triage table

Quick rule: **red = act now, amber = act soon, blue = monitor, no badge = needs triage**

| Badge | What it means | What to do |
|---|---|---|
| Red — Expired | FP ticket lapsed, finding re-opened | Submit a new FP in Ivanti |
| Red — Rejected | Security team denied the FP | Remediate — do not resubmit without new evidence |
| Amber — Reworked | Reviewer returned the ticket | Open in Ivanti, update justification, resubmit |
| Amber — Actionable | Ticket flagged for team response | Open in Ivanti and respond |
| Blue — Requested | FP submitted, awaiting approval | Monitor; follow up if SLA is approaching |
| No badge | Never been triaged | Run it through the 5-step workflow |

---

## Segment 7 — Quick tips (2 min)

Quick features worth pointing out before Q&A:

- **Filter to untriaged only** — click the **Pending** segment on the Action Coverage donut chart
- **Find all findings tied to an Archer ticket** — click the EXC badge on the Home page CVE row
- **Filter by vendor, IP, SLA status** — click the filter icon (⊙) on any column header
- **Save evidence once, reuse it** — uploading screenshots/advisories to the CVE database means when an FP expires you already have the files

---

## Segment 8 — Q&A (remaining time)

Suggested prompts to open discussion if no questions come up:
- *"Walk me through what you'd do if you saw a red 'Rejected' badge on a finding."*
- *"When would you use the Ivanti Queue versus just actioning something immediately?"*
- *"What's the difference between Path B (config change) and Path D (risk acceptance) — when does each apply?"*

---

## Takeaway for the team

Point them to:
- `docs/security-posture-workflow.md` — the full process guide with all the steps, evidence requirements, and decision matrix
- `docs/security-posture-workflow-diagrams.md` — the Mermaid flowcharts if they're visual learners