Sample Vulnerability Assessment and Management Policy:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.
=='''Sample Vulnerability Assessment and Management Policy'''==
<br>
As stated in the Company [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']], the Company will follow a risk management approach to develop and implement Information Security policies, standards, guidelines, and procedures. The Information Security Program will reduce vulnerabilities by establishing policies to assess, identify, prioritize, and manage vulnerabilities.<br>
<br>
This Vulnerability Assessment and Management Policy defines the Company's objectives for establishing specific standards for the assessment and ongoing management of vulnerabilities.<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this policy and must comply with associated standards and guidelines.<br>
<br>
Vulnerabilities are exploitable weaknesses in information systems and procedures, including technical, organizational, procedural, administrative, or physical weaknesses.<br>
<br>
=='''II. Objectives'''==
<br>
The Company will periodically assess and identify vulnerabilities in the Company's information systems environment and procedures. Specific instructions and requirements for assessing vulnerabilities are provided in the [[Sample Vulnerability Assessment Standard:|'''Sample Vulnerability Assessment Standard''']].<br>
<br>
The findings from vulnerability assessment activities must be used to develop a formal plan for the ongoing elimination or mitigation of the identified vulnerabilities. The Company must establish associated metrics for gauging the effectiveness of these plans. Specific instructions and requirements for managing vulnerabilities are provided in the [[Sample Vulnerability Management Standard:|'''Sample Vulnerability Management Standard''']].<br>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Officer (CIO) is the approval authority for the Vulnerability Assessment and Management Policy.<br>
<br>
The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Vulnerability Assessment and Management Policy and associated standards and guidelines.<br>
<br>
Company management is accountable for ensuring that the Vulnerability Assessment and Management Policy and associated standards and guidelines are properly communicated and understood within their respective organizational units. Company management is also responsible for defining, approving, and implementing procedures in its organizational units and ensuring their consistency with the Vulnerability Assessment and Management Policy and associated standards and guidelines.<br>
<br>
All individuals, groups, or organizations identified in the scope of this policy are responsible for familiarizing themselves and complying with the Vulnerability Assessment and Management Policy and associated standards and guidelines.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Vulnerability Assessment and Management Policy and associated standards, guidelines and procedures can result in disciplinary actions, up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Vulnerability Assessment and Management Policy should be submitted to <Title>. Exceptions shall be permitted only on receipt of written approval from <Title>.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Vulnerability Assessment and Management Policy will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Officer<br>
<br>
==Document Examples==
<br>
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
<gallery>
Image:Vulnerability Assessment and Management Standard.png|Vulnerability Assessment and Management Standard page one of five.
Image:Vulnerability Assessment and Management Standard(1).png|Vulnerability Assessment and Management Standard page two of five.
Image:Vulnerability Assessment and Management Standard(2).png|Vulnerability Assessment and Management Standard page three of five.
Image:Vulnerability Assessment and Management Standard(3).png|Vulnerability Assessment and Management Standard page four of five.
Image:Vulnerability Assessment and Management Standard(4).png|Vulnerability Assessment and Management Standard page five of five
</gallery>

Latest revision as of 19:16, 14 January 2014
