Sample Vulnerability Management Standard:
Document History
Version | Date | Revised By | Description |
1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owners's name> | This version replaces any prior version. |
Document Certification
Description | Date Parameters |
Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
Next document recertification date: | 1 July 2010 <Date> |
Vulnerability Management Standard
The <Your Company Name> (the "Company) Sample Vulnerability Assessment and Management Policy defines objectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.
This Vulnerability Management Standard builds on the objectives established in the Sample Vulnerability Assessment and Management Policy, and provides specific instructions and requirements for "closed-loop" vulnerability management activities including vulnerability mitigation, information review and analysis, as well as metrics tracking and reporting.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company Information Assets, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.
Vulnerabilities refer the weaknesses in information system and procedures including technical, organizational, procedural, administrative, or physical weaknesses.
Vulnerability Ratings are defined in the Sample Vulnerability Assessment Standard.
II. Requirements
- A. Mitigation
- 1. Mitigation timeframes for identified or assessed vulnerabilities will be based on the assigned Vulnerability Rating:
- 1. Mitigation timeframes for identified or assessed vulnerabilities will be based on the assigned Vulnerability Rating:
- "High-risk" vulnerabilities must be mitigated within seven (7) days.
- "Medium-risk" vulnerabilities must be mitigated within thirty (30) days.
- "Low-risk" vulnerabilities must be mitigated within ninety (90) days.
- "High-risk" vulnerabilities must be mitigated within seven (7) days.
- 2. Threats and threat sources that may exploit identified or assessed vulnerabilities should be monitored immediately, in accordance to the Sample Threat Monitoring Standard, until the vulnerabilities have been mitigated.
- 2. Threats and threat sources that may exploit identified or assessed vulnerabilities should be monitored immediately, in accordance to the Sample Threat Monitoring Standard, until the vulnerabilities have been mitigated.
- 3. Vulnerability mitigation plans will specify, at a minimum, the proposed resolution to address identified vulnerabilities, required tasks necessary to affect changes, and the assignment of the required tasks to appropriate personnel.
- 3. Vulnerability mitigation plans will specify, at a minimum, the proposed resolution to address identified vulnerabilities, required tasks necessary to affect changes, and the assignment of the required tasks to appropriate personnel.
- 4. Vulnerability exceptions or waivers must meet pre-defined exception criteria and must be approved by <Specify Contact>.
- 4. Vulnerability exceptions or waivers must meet pre-defined exception criteria and must be approved by <Specify Contact>.
- 5. Appropriate testing and assessment activities should be performed after vulnerability mitigation plans have been executed to verify and validate that the vulnerabilities have been successfully addressed.
- 5. Appropriate testing and assessment activities should be performed after vulnerability mitigation plans have been executed to verify and validate that the vulnerabilities have been successfully addressed.
- 6. Appropriate notification should be provided after vulnerability mitigation plans have been executed.
- 6. Appropriate notification should be provided after vulnerability mitigation plans have been executed.
- B. Information review and Analysis
- 1. Relevant vulnerability information from appropriate vendors, third party research, and public domain resources should be reviewed on a daily basis.
- 1. Relevant vulnerability information from appropriate vendors, third party research, and public domain resources should be reviewed on a daily basis.
- 2. Relevant vulnerability information, as discovered, should be distributed to the appropriate Company personnel, including but not limited to Information Security, Information Technology, and Internal Audit.
- 2. Relevant vulnerability information, as discovered, should be distributed to the appropriate Company personnel, including but not limited to Information Security, Information Technology, and Internal Audit.
- 3. Appropriate Company personnel should be alerted or notified in near real-time on warnings or announcements involving "High-risk" vulnerabilities.
- 3. Appropriate Company personnel should be alerted or notified in near real-time on warnings or announcements involving "High-risk" vulnerabilities.
- C. Metrics Tracking and Reporting
- 1. The following vulnerability task assignment metrics must be routinely tracked for specific administrators and vendor technologies:
- 1. The following vulnerability task assignment metrics must be routinely tracked for specific administrators and vendor technologies:
- Number of new vulnerability task assignments
- Number of closed vulnerability task assignments
- Number of overdue vulnerability task assignments
- Number of new vulnerability task assignments
- 2. Company management including but not limited to Information Security, Information Technology, and Internal Audit should be provided with a quarterly report on the following vulnerability metrics:
- 2. Company management including but not limited to Information Security, Information Technology, and Internal Audit should be provided with a quarterly report on the following vulnerability metrics:
- Number of vulnerabilities for the current quarter
- Number of vulnerabilities closed for the current quarter
- Number of vulnerabilities open for the current quarter
- Number of vulnerability exceptions for the current quarter
- Severity level of vulnerabilities
- Previous quarter vulnerability metrics
- Number of vulnerabilities for the current quarter
- 3. Vulnerability metrics and mitigation plans should be retained for a minimum of two (2) years or as prescribed by legal or regulatory requirements.
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Vulnerability Management Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Vulnerability Management Standard.
Company management is responsible for ensuring that the Vulnerability Management Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for planning and executing vulnerability mitigation activities.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Vulnerability Management Standard and associated guidelines; ensuring vulnerability mitigation plans are developed and mitigation tasks are performed; monitoring the progress and status of vulnerability mitigation activities; participating in the vulnerability exception request process; and participating in the planning and closing phases of vulnerability management activities.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; routinely reviewing Information Security sources to identify the latest vulnerabilities; performing assigned vulnerability mitigation tasks; adhering to vulnerability exception processes and procedures; and providing timely status updates to support accurate vulnerability metric efforts.
IV. Enforcement and Exception Handling
Failure to comply with the Vulnerability Management Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Vulnerability Management Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Vulnerability Management Standard.
V. Review and Revision
The Vulnerability Management Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer