Sample Vulnerability Assessment and Management Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
==Document History==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Version'''
| bgcolor="#C0C0C0" | '''Date'''
| bgcolor="#C0C0C0" | '''Revised By'''
| bgcolor="#C0C0C0" | '''Description'''
|-
| 1.0
| 1 January 2009 <Current date>
| Michael D. Peters '''<Owner's name>'''
| This version replaces any prior version.
|}
<br>
==Document Certification==
<br>
{| id="table1" width="100%" border="1"
| bgcolor="#C0C0C0" | '''Description'''
| bgcolor="#C0C0C0" | '''Date Parameters'''
|-
| '''Designated document recertification cycle in days:'''
| 30 - 90 - 180 - '''365''' '''<Select cycle>'''
|-
| '''Next document recertification date:'''
| 1 January 2010 '''<Date>'''
|}
<br>
=='''Sample Vulnerability Assessment and Management Policy'''==

Revision as of 10:25, 9 March 2009

As stated in the Company Sample Information Security Program Charter, the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will reduce vulnerabilities by establishing policies to assess, identify, prioritize, and manage vulnerabilities.

This Vulnerability Assessment and Management Policy defines the Company's objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.

Vulnerabilities are the exploitable weaknesses in information systems and procedures, including technical, organizational, procedural, administrative, or physical weaknesses.

II. Objectives


The Company will periodically assess and identify vulnerabilities in the Company's information systems environment and procedures. Specific instructions and requirements for assessing vulnerabilities are provided in the Sample Vulnerability Assessment Standard.

The findings from the vulnerability assessment activities must be used to develop a formal plan for the ongoing elimination or mitigation of the vulnerabilities. The Company must establish associated metrics for gauging the effectiveness of these plans. Specific instructions and requirements for managing vulnerabilities are provided in the Sample Vulnerability Management Standard.

III. Responsibilities


The Chief Information Officer (CIO) is the approval authority for the Vulnerability Assessment and Management Policy.

The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Vulnerability Assessment and Management Policy and associated standards and guidelines.

Company management is accountable for ensuring that the Vulnerability Assessment and Management Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Vulnerability Assessment and Management Policy and associated standards and guidelines.

All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Vulnerability Assessment and Management Policy and associated standards and guidelines.

IV. Enforcement and Exception Handling


Failure to comply with the Vulnerability Assessment and Management Policy and associated standards, guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.

Requests for exceptions to the Vulnerability Assessment and Management Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.

V. Review and Revision


The Vulnerability Assessment and Management Policy will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature


<Insert Name>


Chief Information Officer