Vulnerability Management Process

This document presents the general vulnerability management process and describes in detail all procedures to be performed when a vulnerability is discovered.

The process covers vulnerability reports produced by recurring internal scans as well as reports received from external third parties.

It also gives all involved parties (Information Security Team, Information Asset Owners and Operational Team) a common understanding of the communication flow, responsibilities and expected results.

Scope

This process applies to all Corporate Group owned devices and devices connected to the Corporate Group's network, and may apply to personally owned devices if they are used exclusively or extensively to conduct Corporate Group related business.

Periodic Vulnerability Assessment - Existing Asset

Vulnerability assessments must be conducted on all networked computing devices on a periodic basis.

At a minimum, authenticated scans must be conducted on a quarterly basis.

Monthly scans are required for the following networked computing devices:

  • Critical assets

  • Assets that must meet specific regulatory requirements, e.g., PCI DSS, etc.

  • All file-system images or virtual machine templates used as base images for building and deploying new workstations or servers

  • Any network infrastructure equipment.

Scans must be performed during hours appropriate to the business needs of the entity and to minimize disruption to normal business functions.

Devices connected to the network must not be specifically configured to block vulnerability scans from authorized scanning engines.

New Asset Vulnerability Assessment

No new assets shall be considered in production until a vulnerability assessment has been conducted and vulnerabilities addressed.

Corporate Group may conduct vulnerability assessments:

  • At the completion of the operating system installation and patching phase

  • At the completion of the installation of any vendor provided or in-house developed application

  • Just prior to moving the asset into production

  • At the completion of an image or template designed for deployment of multiple devices

  • For vendor provided assets, prior to user acceptance testing and again before moving into production

  • For all new network infrastructure equipment, during the burn-in phase and prior to moving to production

At the completion of each of the above vulnerability assessments, all discovered vulnerabilities must be documented and remediated.

Limitation of Scanning

Corporate Group must not conduct intrusive scans of assets that are not under their direct authority.

Networked computing devices that appear to be causing disruptive behavior on the network may be scanned using nonintrusive methods to investigate the source of the disruption.

Remediation

Discovered vulnerabilities must be remediated and/or mitigated based on the following rules:

Critical risk vulnerabilities must be fully addressed within 2 calendar days of discovery.

High risk vulnerabilities must be fully addressed within 7 calendar days of discovery.

Medium risk vulnerabilities must be fully addressed within 30 calendar days of discovery.

Low risk vulnerabilities must be addressed within 90 calendar days of discovery.

Vulnerabilities are considered remediated when the risk of exploitation has been fully removed and subsequent scans of the device show the vulnerability no longer exists.

There may be cases where Corporate Group accepts the risk produced by the vulnerability.

Process Diagram

Vulnerability management procedures

| No. | Procedure | Description | Result | Responsible | Timeframe |
|-----|-----------|-------------|--------|-------------|-----------|
| 1. | Scan cycle started | Scan cycle is initiated using automated tools. | New scan | Information Security Team | At least once a quarter |
| 2. | Assets gathered and confirmed | Assets are gathered using automated tools and confirmed with the Asset Owner. | Asset list | Information Asset Owner | 2 days from scan cycle initiation |
| 3. | Automated scanning started | Scan is started using the automated tools. | Scan report | Information Security Team | 1 day after assets are obtained |
| 4. | Vulnerability confirmed | Vulnerability is detected during the scan. | Vulnerability report | Information Security Team | Immediately after the vulnerability is detected, and no later than 1 day |
| Registration | | | | | |
| 5. | Vulnerability assessment | Identified vulnerability is assessed and a risk score is calculated. | Risk score | Information Security Team | Immediately after the vulnerability is confirmed, and no later than 1 day |
| 6. | Register the vulnerability | Vulnerability is registered in the vulnerability management framework. | Vulnerability entry | Information Security Team | Immediately, and no later than 1 day |
| 7. | Request change | Request for change / remediation is issued to the asset owner. | Ticket created | Information Asset Owner | 1 day after the assessment is completed |
| Remediation | | | | | |
| 8. | Remediation | Vulnerability is resolved. | Vulnerability mitigated | Operational Team | 2 days for critical, 7 days for high, 30 days for medium, 90 days for low risk vulnerabilities |
| 9. | Log the outcome | Vulnerability ticket is closed and the outcome is documented. | Vulnerability mitigation is logged | Information Security Team | Immediately |

Review and Update

This Process must be maintained in accordance with the Information Security Policy.

Revision History

| Version | Author | Approved By | Revision date | Approval date |
|---------|--------|-------------|---------------|---------------|
| 0.1 | GK | | 2023-05-20 | 2023-05-23 |
| 0.2 | DM | | 2023-11-02 | 2023-11-02 |
| 0.3 | GK | DM | 2024-09-10 | 2024-09-10 |
