IS-12 Technical Vulnerability Management Policy
Last updated: 24 October 2024 at 11:46:45 UTC by Russell Briggs
Technical Vulnerability Management Policy
Document Ref No | IS-12
Version No | V1
Last review date | 16/10/2021
Approved by | Dom Tyler
Next review | 16/10/2022
Contents
1. Purpose, scope and users
2. Definitions
3. Patching
3.1. Risk/Priority/Timeline
4. Vulnerability Scanning
5. Desktop
5.1. User Responsibility
5.2. Restarting Devices
5.3. Awareness Training
6. Tracking and Verification
7. Document management
8. Version history
1. Purpose, scope and users
This policy covers technical threat and vulnerability management and defines how Recycly will identify, prioritise and mitigate technical vulnerabilities.
Users of this document are the IT, development and support teams and all users of Recycly equipment.
There are currently two areas of focus for technical vulnerability management:
1) Desktop
2) Cloud Infrastructure
2. Definitions
The following definitions may be used in the current or future versions of this policy.
Vulnerability - a weakness or flaw in a program or system that can be exploited to adversely affect the confidentiality, integrity or availability of that system or its data.
Exploit - code or a technique, usually written by attackers, that leverages a vulnerability to circumvent security controls, for example to run unauthorised software (potentially malware) on the affected system.
Malware - any software written with the intention of adversely affecting the confidentiality, integrity or availability of systems or data.
Patch - also referred to as a software update. Software vendors periodically release updates in the form of 'patches' that fix known vulnerabilities in their software; a vulnerability remains exploitable until the relevant patch has been installed.
Threat Vector - the method by which an exploit is delivered. This includes but is not limited to:
● Phishing
● Trojan Software
● Malicious websites
● Open/Untrusted Wi-Fi Networks
Criticality - vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS), an industry-standard formula. The base score is calculated from factors including the impact to confidentiality, integrity and availability, the attack complexity, and the privileges and user interaction required; whether a patch or workaround is available is reflected in the optional temporal metrics rather than the base score. The result is a score between 0.0 and 10.0, with 10.0 being the most critical.
3. Patching
Periodic planned patching should be performed for all infrastructure components.
3.1. Risk/Priority/Timeline
Discovered vulnerabilities will normally be managed in the tools used to discover them (e.g. vulnerability scanners and penetration test portals). These tools may categorise the risk level of vulnerabilities slightly differently from one another but will typically identify Critical, High, Medium and Low risks. The infrastructure team will prioritise patching according to these risk levels and other mitigating factors (for example whether the affected system is internet-facing, whether a public exploit exists, and whether compensating controls are in place).
Where CVSS scores are known, the IT team may also refer to the CVSS severity bands and the Cyber Essentials remediation timelines below.
● 0 - None
● 0.1 -> 3.9 - Low
● 4.0 -> 6.9 - Medium
● 7.0 -> 8.9 - High
● 9.0 -> 10.0 - Critical
Standard | Critical | High | Medium | Low
Cyber Essentials Plus (CE+) | 14 days | 14 days | 30 days | 30 days
4. Vulnerability Scanning
Periodic Vulnerability Scans should be carried out against standard PC/Laptop builds and all development and production infrastructure.
5. Desktop
5.1. User Responsibility
It is the responsibility of ALL Recycly staff/users to keep all software on their computer, including browser extensions, patched and up to date. If a user is aware of a patch that is required but is unable to apply it, they MUST immediately escalate this to the IT Team.
5.2. Restarting Devices
In line with the Clear Screen Policy, users are responsible for powering off their laptop at the end of each day when it is not in use. Restarting also allows pending software updates to be applied, so that the vulnerabilities they fix are actually mitigated.
5.3. Awareness Training
Security awareness training is delivered to all employees as part of the induction process and refreshed annually. Training includes how to identify potential malware threats and how to report a potential security incident.
6. Tracking and Verification
All outstanding vulnerabilities must be reviewed at least monthly. Any high-risk (High or Critical) vulnerabilities must be reported to the Board of Directors.
Where vulnerabilities have been identified by a vulnerability scan or penetration test, the remediation actions must be verified as effective by retesting or rescanning before the finding is closed.
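The prioritisation rules in section 3.1 (CVSS bands and the Cyber Essentials Plus timelines) and the tracking rules above (monthly review, High/Critical findings reported to the Board, fixes only counted once verified by rescan) can be applied mechanically to a scanner export. The following Python is an added example and is not part of the IS-12 policy or any Recycly tooling; the findings, dates and identifiers are constructed, and the `tool_severity` fallback for tools that report no CVSS score is an assumption about how such tools are handled.

```python
"""Triage findings against the CVSS bands and CE+ timelines in IS-12 section 3.1.

Added example, not part of the IS-12 policy or any Recycly tooling. The
findings, dates and identifiers below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# CVSS qualitative severity bands from section 3.1 (upper bound of each band, inclusive).
CVSS_BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

# Remediation timelines in days from the Cyber Essentials Plus row of the table.
CE_PLUS_DAYS = {"Critical": 14, "High": 14, "Medium": 30, "Low": 30}

# Review date used for the sample run (constructed).
AS_OF = date(2024, 10, 24)


def severity_from_cvss(score: float) -> str:
    """Map a CVSS score (0.0-10.0, one decimal place) to the policy's band."""
    score = round(score, 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for upper, label in CVSS_BANDS:
        if score <= upper:
            return label
    raise AssertionError("unreachable: bands cover 0.0-10.0")


@dataclass
class Finding:
    ident: str                           # tracker reference (constructed)
    title: str
    discovered: date                     # date the scan or test reported it
    cvss: Optional[float] = None         # None when the tool gives no CVSS score
    tool_severity: Optional[str] = None  # tool's own rating, used as a fallback (assumed)
    fixed: Optional[date] = None         # date the patch/mitigation was applied
    verified: bool = False               # rescan/retest confirmed the fix (section 6)


def severity(f: Finding) -> str:
    """Prefer the CVSS band; fall back to the tool's own Critical/High/Medium/Low rating."""
    if f.cvss is not None:
        return severity_from_cvss(f.cvss)
    if f.tool_severity in CE_PLUS_DAYS:
        return f.tool_severity
    raise ValueError(f"{f.ident}: no CVSS score or recognised tool severity")


def due_date(f: Finding) -> Optional[date]:
    """CE+ deadline counted from discovery; None-severity findings carry no deadline."""
    sev = severity(f)
    if sev == "None":
        return None
    return f.discovered + timedelta(days=CE_PLUS_DAYS[sev])


def status(f: Finding, today: date = AS_OF) -> str:
    """One of: informational, open, overdue, fixed-unverified, closed."""
    due = due_date(f)
    if due is None:
        return "informational"
    if f.fixed is not None:
        # A fix only counts once retest/rescan has confirmed it (section 6).
        return "closed" if f.verified else "fixed-unverified"
    return "overdue" if today > due else "open"


def board_report(findings: List[Finding], today: date = AS_OF) -> List[Tuple[str, str, str]]:
    """High/Critical findings not yet closed, which section 6 requires to be reported to the Board."""
    return [
        (f.ident, severity(f), status(f, today))
        for f in findings
        if severity(f) in ("High", "Critical") and status(f, today) != "closed"
    ]


# Constructed sample export; none of these are real findings.
SAMPLE = [
    Finding("VM-001", "Remote code execution in web gateway", date(2024, 10, 1), cvss=9.8),
    Finding("VM-002", "Outdated TLS library on build agent", date(2024, 10, 20), cvss=7.5),
    Finding("VM-003", "Verbose error pages", date(2024, 9, 1), cvss=5.3, fixed=date(2024, 9, 20)),
    Finding("VM-004", "Missing HTTP security header", date(2024, 10, 1), cvss=3.9),
    Finding("VM-005", "Unsupported browser plug-in", date(2024, 10, 5), tool_severity="High",
            fixed=date(2024, 10, 10), verified=True),
    Finding("VM-006", "Informational banner disclosure", date(2024, 10, 1), cvss=0.0),
]

if __name__ == "__main__":
    for f in SAMPLE:
        due = due_date(f)
        print(f"{f.ident} {severity(f):8} due={due.isoformat() if due else '-':10} {status(f)}")
    print("Board report:", board_report(SAMPLE))
```

The band boundaries are inclusive at the top (3.9 is Low, 4.0 is Medium), a score of 0.0 produces no deadline, and a finding whose fix has not been confirmed by rescan stays on the Board report as "fixed-unverified" rather than dropping off.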
7. Document management
This policy shall be available to all Recycly Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Recycly Employees via email.
8. Version history
Summary of Change | Date of Change | Author | Version No
First Draft | 16/10/2021 | Dom Tyler | 1