A formal program for identifying, assessing, classifying, prioritising and resolving technical vulnerabilities across the critical systems.
The Vulnerability Management Program includes a formal policy with responsibilities, classifications, and processes to identify, assess, classify, prioritise and resolve vulnerabilities to protect the security of the systems and data.
Below is an example Vulnerability Management Program.
Vulnerability Management Program
Scope and Purpose
The Vulnerability Management Program establishes the required practices and approach to prevent exploitation of technical vulnerabilities in the network and systems. This involves the systematic approach to identifying, assessing, logging and resolving vulnerabilities before they may be exploited by malicious intent internally or externally.
Responsibilities
Chief Executive Officer
Accountable for the review and update of this policy, communication to employees and third parties (as applicable), and ensuring the policy requirements are adhered to.
Chief Technology Officer
Responsible for daily oversight of the implementation of this policy, coordinating vulnerability management exercises and assessing the effectiveness of the vulnerability management practices.
Developers and Operations Personnel
Responsible for following this policy to ensure that vulnerabilities are identified, assessed, logged and resolved in a timely manner. Any cases of non-compliance or issues applying this policy should be reported to the Chief Technology Officer or Chief Technology Officer.
Vulnerability Identification
The following activities are performed to identify technical vulnerabilities:
- Developer training is provided on secure development practices to raise awareness of the sources of technical vulnerabilities.
- Peer reviews are conducted for code changes that includes a review of code quality and consideration of potential vulnerabilities.
- Static code analysis scanning is performed on the code repositories to identify common, known vulnerabilities prior to the code being migrated to production.
- Network vulnerability scanning is performed to identify open network paths to the compute resources and other potential exploits in the network.
- Web application vulnerability scanning is performed to identify vulnerabilities in the live web applications and website, including cross-site scripting, SQL injection command injection, path traversal and insecure server configuration.
- Third-party vulnerability scanning assessments are conducted using various software and tools to identify potential vulnerabilities in the systems.
- Independent penetration testing is conducted at least annually by a qualified third-party to combine vulnerability scanning with human methods of exploitation to identify potential vulnerabilities.
Vulnerability Assessment
Each identified vulnerability is assessed based on the likelihood and impact of exploitation. This should involve the Chief Technology Officer where required to agree the rating. This rating is used to determine the target or required resolution timeframe.
The Open Web Application Security Project (OWASP) Risk Rating Methodology is used to assess and classify the vulnerabilities based on their level of risk. Refer to the OWASP Risk Rating Methodology for full details of the risk assessment methodology.
Vulnerability Logging
Vulnerabilities identified are required to be logged for monitoring through to resolution and retrospective analysis where required. The following information is tracked:
- Title
- Description
- System(s)
- Likelihood (of exploitation)
- Impact (of exploitation)
- Risk rating (Note, Low, Med, High, Critical)
- Responsible owner*
- Date identified
- Method of identification
- Resolution target date/timeframe
- Resolution date (actual)
*The responsible owner is responsible for ensuring the vulnerability is resolved in line with the appropriate resolution timeframe.
Vulnerability Resolution
Vulnerabilities are prioritised and resolved in accordance with the rating of the vulnerability from the vulnerability assessment described above. The required resolution timeframes based on vulnerability ratings include:
- Critical: 3 days
- High: 14 days
- Medium: 90 days
- Low: Best effort
- Note: No resolution timeframe is required. These are noted only for awareness.
Vulnerability Reporting
Management reporting is performed that includes a summary of the open vulnerabilities and metrics on the vulnerabilities identified and resolved. This provides ongoing governance and support for the Vulnerability Management Program’s objectives.
Exemptions
Any exemptions to the Vulnerability Management Program requires approval by the Chief Technology Officer.