Members discussed conducting a formal vulnerability assessment; prioritizing which aspects of Risk / Vulnerability Management to be managed internally vs contracted out to a MSS vendor; reporting to executives / application owners; policy to patch zero-day, critical, high, medium, or low vulnerabilities; dynamic Asset Management tools; and measuring progress on remediating vulnerabilities.