Vulnerability Management Policy

last change: 9-6-2023

Purpose

The purpose of this policy is to define the requirements for notification, testing, and installation of security-related patches on devices connected to ShipitSmarter networks.

Policy

It is the stated goal of ShipitSmarter to provide secure IT resources and services in order to protect company and customer information assets, as well as the privacy of individuals and other entities that are connected to the platform. In doing so, ShipitSmarter must comply with applicable laws and regulations regarding the protection of systems and data. The timely and consistent application of vendor-supplied security patches, or the mitigation of a reported vulnerability, is a critical component in protecting the platform's functionality and data from damage or loss due to threats such as worms, viruses, and other types of external or internal attacks.

The ShipitSmarter Data Protection Officer (DPO) is authorised to conduct routine scans of devices connected to the ShipitSmarter networks to identify operating system and application vulnerabilities on those devices.

ShipitSmarter requires all administrators of systems connected to its networks to routinely review the results of vulnerability scans and to evaluate, test and mitigate operating system and application vulnerabilities appropriately. Should an administrator identify a reported vulnerability as a potential false positive, the DPO must be engaged to verify it before the finding is closed.

Scope

This policy applies to all departments and platforms of ShipitSmarter.

This policy applies to all electronic devices connected to ShipitSmarter networks (public and private) including but not limited to computer workstations and servers, network switches and routers, specialized equipment, etc.

Responsibilities

System and application administrators are responsible for assessment and application of security patches that impact systems under their management and supervision.

Exceptions

Requests for exceptions to this policy (requests to not scan a device) may be granted for systems with other security measures (e.g., network filtering, firewall, etc.) in place to mitigate risk.

Any requests must be submitted to the DPO for review and approval. Exception requests must include:

  1. Why the scanning exception is being requested.
  2. Risk to the enterprise of not scanning the device.
  3. Mitigation controls that have been implemented, and date of implementation.
  4. End date for the exception (not to exceed 6 months from the request date).

Enforcement

It is the responsibility of system and application owners to ensure that the policy described in this document is followed. IT administrators understand that the secure implementation of systems and applications is a critical part of our overall information security strategy.

The DPO is authorized to limit network access for devices that do not comply with this policy.

Remediation time

When a vulnerability is found, its risk is assessed. The severity levels, their criteria and the required remediation time frame are defined as follows:

Severity   Description                                                                  Remediation time frame
Critical   The vulnerability is being actively exploited (a known exploit is public)    10 business days
           and no mitigation is in place.
High       The vulnerability is not being exploited and a mitigation is in place.       30 business days
published on: 9-6-2023