Vulnerability Management Policy (Final)
1. Purpose
The purpose of this policy is to establish a standardized and repeatable process for identifying, assessing, and remediating vulnerabilities within the organization’s IT infrastructure. This ensures a reduced attack surface and demonstrates alignment with industry-recognized cybersecurity practices.
2. Scope
This policy applies to all server assets managed by the Infrastructure Team, including:
- Azure-hosted virtual machines
- Internal Windows/Linux servers
- Any additional systems included in approved scan scopes
3. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Security Team | Configure/execute scans, triage findings, coordinate with remediation teams |
| Infrastructure | Provide scan credentials, perform remediations, validate fixes |
| Risk Team | Review findings, prioritize based on business impact, track SLA adherence |
| CAB | Approve any changes resulting from remediations (e.g., protocol disablement) |
4. Vulnerability Scanning Guidelines
- Tool: Tenable (authenticated scans)
- Frequency: Weekly (pilot phase); Monthly (ongoing)
- Scan Engine: Internal VM (resides in same virtual network as targets)
- Credential Access: JIT Active Directory accounts (disabled outside of scan windows)
- Scan Types:
  - Authenticated scans
  - Discovery scans (optional during asset onboarding)
5. Remediation SLAs
| Severity | Remediation Deadline | Notes |
|---|---|---|
| Critical | Within 7 business days | Adjusted based on stakeholder feedback |
| High | Within 7 business days | |
| Medium | Within 15 business days | |
| Low | During standard patching | Typically covered in monthly maintenance |
6. Exceptions
Any deviations from the above SLAs must be approved by the Risk Team and documented in the exception register. CAB must be notified for remediations involving system-wide changes.
7. Reporting & Communication
- All findings will be logged in a centralized vulnerability dashboard
- SLA status will be reviewed bi-weekly in the Security & Infra sync
- Summary reports will be shared monthly with leadership
8. Policy Maintenance
This policy will be reviewed quarterly or after major incidents, architecture changes, or tool migrations.
Finalized By: Tega Ewubare
Approval Date: 7/1/25
Version: 1.0