Vulnerability Management Policy (DRAFT)
1. Purpose
The purpose of this policy is to establish a standardized process for identifying, assessing, and remediating vulnerabilities in the organization's IT infrastructure. Doing so reduces the attack surface and aligns with cybersecurity best practices.
2. Scope
This policy applies to all server assets managed by the Infrastructure Team within the organization. It covers internal servers, Azure virtual machines, and other systems deemed in scope.
3. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Security Team | Initiate scans, analyze findings, coordinate remediation |
| Infrastructure Team | Approve scan timing, assist with remediation, provide credentials |
| Risk Team | Prioritize vulnerabilities, track SLAs |
| Change Advisory Board (CAB) | Approve remediations and rollback plans |
4. Vulnerability Scanning Guidelines
- Scan Type: Authenticated (credentialed) scans using Tenable
- Frequency: Weekly (pilot phase), Monthly (ongoing)
- Scope: All production server assets
- Scan Engine Location: Internal VM-based scan engine
- Credential Access: Just-in-time Active Directory account (disabled outside scanning window)
5. Remediation SLAs
| Severity | Time to Remediate |
|---|---|
| Critical | Within 3 business days |
| High | Within 7 business days |
| Medium | Within 15 business days |
| Low | Remediated during the regular patching cycle |
6. Exceptions
Exceptions to remediation timelines must be documented and approved by the Risk Team with notification to senior leadership.
7. Reporting
Scan results and remediation progress will be tracked in a centralized dashboard, reviewed bi-weekly with all stakeholders.
8. Review Cycle
This policy will be reviewed and updated quarterly or after any significant incident.
Draft Created By: Tega Ewubare
Date: 6/30/25