For the below policy template anything in < Here > should be tailored to the organisation. This policy will set up your patch cycle, and your vulnerability remediation timelines. The goal of this policy is to set up the goals for identifying and remediating vulnerabilities, external penetration testing and setting up standard patching cycles. It should be tailored to suit the organisation, this can mean agreeing not to patch some assets, environments or vulnerabilities, or having radically different SLA’s for each part of the organisation. Ultimately a good Vuln and Patch policy is one that your teams can follow and allows you to keep within your risk appetite.
Purpose
Vulnerability management is the process in which weaknesses are identified, evaluated, classified, and corrected. The purpose of this policy is to define the requirements for vulnerability management that will reduce the risk to The Company resulting from exploitation of vulnerabilities. It also sets out expected patching lifecycles.
Scope
This policy applies to:
- <Environment, servers, systems etc should be listed if in scope>
RACI matrix
<Include a RACI matrix table to cover roles and responsibilities for the processes set up by the policy>
Policy Statement
Patching
Infrastructure
<This should match scope>
All systems assets should be patched every <SLA> days. Prior to deploying patches the patch should be tested in a non-production environment and any issues should be remediated prior to the patch being applied to production.
Endpoints
All endpoints should be patched every <SLA> days.
Penetration testing
<This should match scope>
The Company shall perform penetration testing on <Scope of pen tests> at least <Frequency>.
The penetration testing must be carried out by certified personnel using an industry-recognized penetration testing methodology.
The execution of penetration testing must be performed in a way that safeguards the continued operations of <scope> and The Company must ensure that business continuity is guaranteed according to the set Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in the business continuity plan.
The execution of penetration testing must be performed with the formal approval of authorized personnel and the impacted business entities.
Infrastructure
<This section should be tailored to the organisations environment, SaaS vendors, products etc>
IaaS hosted infrastructure
Systems that are stored in The Companies managed IaaS accounts, and are managed by our <Responsible> Team must have vulnerabilities remediated within the below timelines. Where systems are not managed by <Responsible> Team and are managed at a “Team” level the Locally managed infrastructure SLAs should be followed.
| Severity | Score | Public facing system | Internal systems (backend) |
|---|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> | <SLA> |
| High | 7.0 – 8.9 | <SLA> | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> | <SLA> |
| Low | 0.1 – 3.9 | <SLA> | <SLA> |
Data-centre infrastructure
Where systems are located in on-premise offices, or in data centres, the <Responsible> Team must have vulnerabilities remediated within the below timelines. Where systems are not managed by <Responsible> Team and are managed at a “Team” level the Locally managed infrastructure SLAs should be followed. the below SLAs apply.
| Severity | Score | Public facing system | Internal systems (backend) |
|---|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> | <SLA> |
| High | 7.0 – 8.9 | <SLA> | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> | <SLA> |
| Low | 0.1 – 3.9 | <SLA> | <SLA> |
Locally managed infrastructure
Where systems are located in on-premise offices, or on an IaaS environment, or that are managed by the the team using the infrastructure, the below SLAs apply.
| Severity | Score | Public facing system | Internal systems (backend) |
|---|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> | <SLA> |
| High | 7.0 – 8.9 | <SLA> | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> | <SLA> |
| Low | 0.1 – 3.9 | <SLA> | <SLA> |
Software
<This will cover any inhouse products made or software installed/managed>
Product
For vulnerabilities identified in the product the <Responsible> Team will remediate within the below SLAs:
| Severity | Score | Production System |
|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> |
| High | 7.0 – 8.9 | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> |
| Low | 0.1 – 3.9 | <SLA> |
Hosted Software
For vulnerabilities identified in the software that is hosted on The Companies infrastructure, the <Responsible> team will remediate within the below SLAs:
| Severity | Score | Public facing system | Internal systems (backend) |
|---|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> | <SLA> |
| High | 7.0 – 8.9 | <SLA> | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> | <SLA> |
| Low | 0.1 – 3.9 | <SLA> | <SLA> |
Desktop Software
For vulnerabilities identified in the software installed on The Company endpoints, the employee that uses that endpoint will remediate within the below SLAs:
| Severity | Score | Software |
|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> |
| High | 7.0 – 8.9 | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> |
| Low | 0.1 – 3.9 | <SLA> |
Endpoints
Globally managed Endpoints
For operating system vulnerabilities found on laptops, desktops and other endpoints that are managed by The Companies <Responsible / IT > team, the below SLAs should be applied.
| Severity | Score | Endpoint |
|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> |
| High | 7.0 – 8.9 | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> |
| Low | 0.1 – 3.9 | <SLA |
Locally managed Endpoints
Where Endpoints are not managed by our <corporate IT> teams or through our <device management tooling>, the technology owners using these machines must ensure they are patched and updated to address vulnerabilities within the timelines below.
| Severity | Score | Endpoint |
|---|---|---|
| Critical | 9.0 – 10.0 | <SLA> |
| High | 7.0 – 8.9 | <SLA> |
| Medium | 4.0 – 6.9 | <SLA> |
| Low | 0.1 – 3.9 | <SLA> |
Exemption process
For vulnerabilities or systems that cannot meet the above SLA’s for any reason the team responsible for managing the impacted systems must raise an exemption request. To raise a request please follow the below process:
- <This process should be tailored to the organisation, it can tie into a formal risk management process or it can be an email request/approval depending on the organisations maturity.>
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with the company.
Adams In-Security 