Summary:
Vulnerability management is the process of searching for, prioritizing, and remediating vulnerabilities in enterprise systems and software. The Vulnerability Management Standard provides the processes and procedures for ensuring enterprise assets do not contain vulnerabilities. This policy applies to all departments and all assets connected to the enterprise network.
Assumptions, Risks, or Dependencies:
Assumptions:
N/A
Risks:
N/A
Dependencies:
N/A
Requirements:
N/A
Standard:
1. Purpose
Vulnerability management is the process of searching for, prioritizing, and remediating vulnerabilities in enterprise systems and software. The Vulnerability Management Policy provides the processes and procedures for ensuring enterprise assets do not contain vulnerabilities. This policy applies to all departments and all assets connected to the enterprise network.
2. Responsibility
The IT business unit is responsible for all vulnerability management functions. Specifically, administrators are responsible for assessment and application of patching. Necessary vulnerability information must be relayed to other business units within the enterprise, such as finance, accounting, and cybersecurity, as required or needed. IT is responsible for informing all users of their responsibilities in the use of any assets assigned to them, such as applying updates in a regular manner or restarting their systems.
3. Types of Vulnerabilities in Assets
There are many types of enterprise assets that may contain vulnerabilities. The CIS Controls define an asset as all end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers, in virtual, cloud-based, and physical environments: essentially any device owned by, or system used by, an organization. Vulnerabilities may exist in all of these assets, and all enterprise assets will contain vulnerabilities at some point in their lifecycle.
4. Vulnerability Management Lifecycle
This vulnerability management policy is divided into multiple sections based on usage patterns of assets within an enterprise.
- Assess – A combination of automated scanning, manual analysis, and leveraging threat intelligence to ascertain if vulnerabilities exist in enterprise systems and software.
- Prioritize – Creating a prioritized list of vulnerabilities that should be remediated in a specific order. This may simply be identifying and fixing critical vulnerabilities first, or using a scoring system such as the Common Vulnerability Scoring System (CVSS).
- Remediate – Fixing or patching vulnerabilities to ensure they are removed or mitigated in some other way.
- Monitor – Ensuring that remediated vulnerabilities are no longer affecting systems and that the remediation did not introduce more problems that must be solved.
4.1 Exceptions
Exceptions to this policy are likely to occur. Requests for exceptions may include not scanning a device, additional time to remediate vulnerabilities, or allowing certain systems to function normally with vulnerabilities in place. Exception requests must be made in writing and must contain some or all of the following:
- The reason for the request
- Risk to the enterprise of not following the written policy
- Specific mitigations that will not be implemented
- Technical and other difficulties in applying patches
- Date of review
5. Policy
Assess
- A process for performing vulnerability management must be established.
- This process must be documented and approved.
- At a minimum, the vulnerability management process must be reviewed on an annual basis or following significant changes within the enterprise.
- IT must monitor vulnerability announcements and emerging threats applicable to the enterprise asset inventory.
- All systems connected to the enterprise network must be scanned for vulnerabilities.
Prioritize
- Identified vulnerabilities must be prioritized, with more critical vulnerabilities addressed first.
Remediate
- A process for remediating identified vulnerabilities must be established.
- This process must be documented and approved.
- At a minimum, this process must be reviewed on an annual basis or following significant changes within the enterprise.
- Vulnerabilities that cannot be remediated must be submitted through the vulnerability exception process.
- Operating systems must be configured to automatically update, unless an alternative approved patching process is used.
- Applications must be configured to automatically update, unless an alternative approved patching process is used.
- All users of enterprise assets have a duty to install updates for business systems and applications in a timely manner.
- All users must ensure required reboots occur within a reasonable time frame to ensure updates are properly installed.
- High severity vulnerabilities must be addressed as a matter of priority. Within reason, vulnerabilities labeled critical must be remediated within 14 days of detection and vulnerabilities labeled high must be remediated within 30 days of detection.
Monitor
- IT should subscribe to a threat information service to receive notifications of recently released patches and other software updates.
- IT must notify the decision-making authority if vulnerabilities are not mitigated in a timely manner.
- Every month, IT must create a report containing the status of all known vulnerabilities within the enterprise.
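The Prioritize, Remediate and Monitor requirements above can be checked mechanically against scanner output. The following is an added illustration, not tooling from this standard or from any named product: it ranks findings by CVSS severity, applies the 14-day (critical) and 30-day (high) remediation windows from section 5, honours approved exceptions from section 4.1, and produces the status counts a monthly report needs. The CVSS v3.x qualitative bands, the `Finding` fields and the sample findings are assumptions constructed for the example; the standard names CVSS but does not fix a version or a record format.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from section 5 of the standard, in days from detection.
# Severities not listed here have no deadline in the standard (no SLA).
SLA_DAYS = {"critical": 14, "high": 30}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to a qualitative band.

    Assumption: CVSS v3.x bands as published by FIRST (0 none, 0.1-3.9 low,
    4.0-6.9 medium, 7.0-8.9 high, 9.0-10.0 critical).
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass
class Finding:
    asset: str
    finding_id: str                     # scanner's identifier (constructed values below)
    cvss: float
    detected: date
    remediated: Optional[date] = None   # None while the finding is still open
    exception_until: Optional[date] = None  # approved exception per section 4.1

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    @property
    def deadline(self) -> Optional[date]:
        days = SLA_DAYS.get(self.severity)
        return self.detected + timedelta(days=days) if days is not None else None

    def status(self, today: date) -> str:
        """remediated > exception > overdue > open, evaluated in that order."""
        if self.remediated is not None:
            return "remediated"
        if self.exception_until is not None and today <= self.exception_until:
            return "exception"
        if self.deadline is not None and today > self.deadline:
            return "overdue"
        return "open"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Unremediated findings, most severe first, earliest deadline first within a band."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}
    queue = [f for f in findings if f.remediated is None]
    return sorted(queue, key=lambda f: (order[f.severity], f.deadline or date.max, f.detected))


def overdue_for_escalation(findings: list[Finding], today: date) -> list[Finding]:
    """Findings past their window: these trigger the section 5 notification duty."""
    return [f for f in prioritize(findings) if f.status(today) == "overdue"]


def monthly_report(findings: list[Finding], today: date) -> dict[str, int]:
    """Status counts for the monthly report required under Monitor."""
    report = {"open": 0, "overdue": 0, "exception": 0, "remediated": 0}
    for f in findings:
        report[f.status(today)] += 1
    return report


# Constructed sample scanner output; asset names and identifiers are invented.
TODAY = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    Finding("web-01", "SCAN-0001", 9.8, date(2024, 2, 20)),                       # critical, 14-day window passed
    Finding("db-02", "SCAN-0002", 7.5, date(2024, 3, 1)),                         # high, due 2024-03-31
    Finding("hr-laptop-07", "SCAN-0003", 8.1, date(2024, 2, 1), remediated=date(2024, 2, 25)),
    Finding("legacy-hmi", "SCAN-0004", 9.1, date(2024, 1, 10), exception_until=date(2024, 6, 30)),
    Finding("file-03", "SCAN-0005", 5.3, date(2023, 12, 1)),                      # medium, no SLA in the standard
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.finding_id:10} {f.asset:14} {f.severity:9} due={f.deadline} {f.status(TODAY)}")
    print("escalate:", [f.finding_id for f in overdue_for_escalation(SAMPLE_FINDINGS, TODAY)])
    print("report:", monthly_report(SAMPLE_FINDINGS, TODAY))
```

Run against the constructed sample, the queue places the two critical findings ahead of everything else, flags only SCAN-0001 as overdue (the approved exception keeps SCAN-0004 out of the escalation list until its review date), and counts two open, one overdue, one exception and one remediated finding for the monthly report. Feeding real scanner exports into `Finding` is the only integration step.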
References:
- KB00041395 [retired] - POL - Information Security
Definitions:
- N/A