

# Define a vulnerability management plan
<a name="vulnerability-management-plan"></a>

The first step when preparing your cloud vulnerability management program is defining your *vulnerability management plan*. This plan includes the policies and processes your organization follows. This plan should be documented and accessible by all stakeholders. A vulnerability management plan is a high-level document that typically includes the following sections:
+ **Goals and scope** – Outline the goals, functions, and scope of vulnerability management.
+ **Roles and responsibilities** – List the vulnerability management stakeholders and detail their responsibilities.
+ **Vulnerability severity and prioritization definitions** – Determine how to classify the severity of a vulnerability and how to prioritize it.
+ **Service level agreements (SLAs) for remediation** – For each severity level, define the maximum amount of time a remediation owner has to resolve a security finding. Because SLA compliance is an integral part of having an effective and scalable vulnerability management program, consider how to track whether you're meeting these SLAs.
+ **Exception process** – Detail the process of submitting, approving, and updating exceptions. This process should make sure that exceptions are legitimate, time-bound, and tracked.
+ **Sources of vulnerability information** – List the sources or tools that generate security findings. For more information about AWS services that could be sources for security findings, see [Configure AWS security services](configure-aws-security-services.md) in this guide.
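The SLA and exception bullets above both call for tracking: whether each finding was (or will be) remediated inside its severity's window, and whether an exception is still valid. The following Python is an added example, not part of this guide or any AWS tooling; the severity-to-days mapping, the status names, the `Finding` and `RiskException` shapes, and the sample findings are all constructed for illustration, and your plan defines its own values.

```python
"""Track remediation-SLA compliance for security findings, honouring time-bound exceptions.

Added illustration: the SLA values, status names, and sample findings below are
constructed and are not taken from any specific organization's plan.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum days a remediation owner has per severity level (constructed sample values).
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str                 # one of the SLA_DAYS keys
    first_seen: date              # the SLA clock starts when the finding is first reported
    resolved: Optional[date] = None


@dataclass(frozen=True)
class RiskException:
    finding_id: str
    approved_by: str
    expires: date                 # exceptions must be time-bound, so every one has an expiry


def sla_deadline(finding: Finding) -> date:
    """Date by which the finding must be resolved under its severity's SLA."""
    try:
        return finding.first_seen + timedelta(days=SLA_DAYS[finding.severity.upper()])
    except KeyError:
        raise ValueError(f"{finding.finding_id}: unknown severity {finding.severity!r}") from None


def sla_status(finding: Finding, exceptions: list, today: date) -> str:
    """Classify a finding relative to its SLA as of `today`.

    An exception only counts while it is unexpired and the finding is still open;
    an expired exception does not stop the clock, so the finding shows as OVERDUE.
    """
    deadline = sla_deadline(finding)
    if finding.resolved is not None:
        return "RESOLVED_IN_SLA" if finding.resolved <= deadline else "RESOLVED_LATE"
    if any(e.finding_id == finding.finding_id and e.expires >= today for e in exceptions):
        return "EXCEPTED"
    return "OPEN_IN_SLA" if today <= deadline else "OVERDUE"


def sla_report(findings: list, exceptions: list, today: date) -> dict:
    """Count findings per status and compute the SLA compliance rate.

    The rate counts only findings with a verdict: resolved ones and open ones past
    their deadline. Findings still inside their window or under an active exception
    are excluded, so the number reflects SLA performance rather than backlog size.
    """
    statuses = ("RESOLVED_IN_SLA", "RESOLVED_LATE", "OPEN_IN_SLA", "OVERDUE", "EXCEPTED")
    counts = {s: 0 for s in statuses}
    for f in findings:
        counts[sla_status(f, exceptions, today)] += 1
    decided = counts["RESOLVED_IN_SLA"] + counts["RESOLVED_LATE"] + counts["OVERDUE"]
    rate = counts["RESOLVED_IN_SLA"] / decided if decided else 1.0
    return {"counts": counts, "compliance_rate": rate}


# Constructed sample data: six findings and two exceptions, evaluated as of 2024-06-01.
AS_OF = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("f-1", "CRITICAL", date(2024, 5, 20), resolved=date(2024, 5, 24)),  # within 7 days
    Finding("f-2", "HIGH", date(2024, 4, 1)),                                    # open, past 30 days
    Finding("f-3", "MEDIUM", date(2024, 4, 15)),                                 # open, inside 90 days
    Finding("f-4", "HIGH", date(2024, 3, 1)),                                    # open, active exception
    Finding("f-5", "LOW", date(2023, 10, 1)),                                    # open, exception expired
    Finding("f-6", "CRITICAL", date(2024, 5, 1), resolved=date(2024, 5, 15)),   # resolved a week late
]
SAMPLE_EXCEPTIONS = [
    RiskException("f-4", approved_by="security-lead", expires=date(2024, 6, 30)),
    RiskException("f-5", approved_by="security-lead", expires=date(2024, 5, 1)),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, sla_deadline(f), sla_status(f, SAMPLE_EXCEPTIONS, AS_OF))
    print(sla_report(SAMPLE_FINDINGS, SAMPLE_EXCEPTIONS, AS_OF))
```

Two design points carry over to a real tracker: the clock starts at `first_seen`, not at the date a ticket was opened, so delays in triage count against the SLA; and an expired exception is ignored rather than extended, which keeps exceptions time-bound as the plan requires.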

While these sections are common across companies of different sizes and industries, each organization's vulnerability management plan is unique. Build a vulnerability management plan that works best for your organization, and expect to iterate on it over time to incorporate lessons learned and evolving technologies.