6.2 Vulnerability and Patch Management Policy
Purpose and Scope
This Vulnerability Management Policy defines an approach for vulnerability management to reduce system risks and integrate with patch management. From time to time, Sord may update this policy and implement different levels of security controls for different information assets, based on risk and other considerations. This policy is guided by security requirements specific to Sord including applicable laws and regulations.
This policy applies to all Sord assets utilized by personnel acting on behalf of Sord or accessing its applications, infrastructure, systems or data. All personnel are required to read, accept, and follow all Sord policies and plans.
Vulnerability and Patch Management Program
Sord maintains a vulnerability management process that is integrated into the Change Management Process.
Sord may periodically test the security posture of its applications and systems through third-party scans and by scanning the information systems owned and managed by Sord with internal vulnerability tools.
Sord also monitors multiple vulnerability alert lists, such as CVE (https://cve.mitre.org/) and US-CERT (https://www.us-cert.gov), to get up-to-date information on the latest vulnerabilities.
Third-Party Penetration and Vulnerability Tests
Sord schedules third party security assessments and penetration tests at least annually.
Sord periodically performs vulnerability scans.
Identifying Vulnerabilities
Sord will analyze scans and their reports, whether from third parties or from its own scans, to verify findings and assess vulnerability impact.
Scoring Vulnerabilities
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard.
Mitigating Vulnerabilities
If remediation is required, the appropriate team member at Sord will be notified of the requirements to remediate or mitigate the vulnerability and the time frame of such requirement will depend on the severity of the vulnerability. Such tracking of vulnerabilities must be done through the company's change management tool and in accordance with the Change Management Process.
The information obtained from the vulnerability scanning process will be shared with appropriate personnel throughout the organization on a “need to know” basis to help eliminate similar vulnerabilities in other information systems.
Patching
All system components, software and production environments shall be protected from known vulnerabilities by installing applicable vendor supplied security patches. Other patches not designated as critical by the vendor shall be applied on a normal maintenance schedule as defined by normal systems maintenance and support operating procedures.
System and Non-Company Application Patching
Patching includes updates to all operating systems and third party applications as provided by the appropriate vendor. Most vendors have automated patching procedures for their individual applications.
Sord Application Patching
Sord applications are patched in accordance with the Change Management Policy. Patches deemed to be of a high or critical nature may be rolled out in a compressed schedule as set forth in such policy.
Patching Exceptions
Patches on production systems (e.g. servers and enterprise applications) may require complex testing and installation procedures. In certain cases, risk mitigation rather than patching may be preferable. The risk mitigation alternative selected should be determined by comparing the outage risk of patching against the exposure risk of leaving the vulnerability in place.
Exceptions
Sord business needs, local situations, laws, and regulations may occasionally call for an exception to this policy or any other Sord policy. If an exception is needed, Sord management will determine an acceptable alternative approach.
Enforcement
Any violation of this policy or any other Sord policy or procedure may result in disciplinary action, up to and including termination of employment. Sord reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity. Sord does not consider conduct in violation of this policy to be within an employee’s or contractor’s course and scope of work.
Any member of personnel who is requested to undertake an activity that he or she believes is in violation of this policy must provide a written or verbal complaint to his or her manager or any other manager of Sord as soon as possible.
The disciplinary process should also be used as a deterrent to prevent employees and contractors from violating organizational security policies and procedures, and to prevent any other security breaches.
Responsibility, Review, and Audit
Sord reviews and updates its security policies and plans at least annually to maintain organizational security objectives and meet regulatory requirements. The results are shared with appropriate parties internally, and findings are tracked to resolution. Any changes are communicated across the organization.
This document is maintained by Jonathan Gautsch.
This document was last updated on 03/27/2024.