Vulnerability Management
Objective
The purpose of this policy is to define the way in which FundApps detects, classifies, mitigates and corrects vulnerabilities in its Information System. Effective implementation of this policy will allow FundApps to reduce the probability and/or impact of vulnerabilities affecting the FundApps Information System.
Scope
This policy applies to the applications and infrastructure which make up FundApps’ production environment. Physical vulnerability management is out of scope of this policy and is managed by our hosting provider (AWS).
Vulnerability Detection
Applications
A technical security audit will be conducted annually against FundApps’ application in order to detect vulnerabilities and other security concerns. This assessment will be conducted against an environment identical to the production environment, except that it will not contain production or sensitive data. An executive summary of the assessment and its findings will be made available to clients who request it within 20 working days of the assessment being completed.
Infrastructure
Automated vulnerability scanning of the production infrastructure will be conducted on a monthly basis.
Vulnerability Severity Ratings
Applications
Application vulnerabilities will be rated based on their impact and likelihood. Possible vulnerability ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology).
Infrastructure
Infrastructure vulnerabilities will be rated using the Common Vulnerability Scoring System (https://www.first.org/cvss/user-guide). Possible vulnerability ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0).
Vulnerability Acceptance, Mitigation and Correction
Process
By default, and as a maximum, the vulnerability acceptance period will be one year.
Applications
FundApps will endeavour to address application vulnerabilities based on their severity as defined in the following table:

Action                                   | Critical | High    | Medium   | Low
Action plan defined                      | <=2 (*)  | <=5 (*) | <=20 (*) | <=20 (*)
Vulnerability mitigated                  | <=2 (*)  | <=5 (*) | <=20 (*) | <=20 (*)
Vulnerability corrected or accepted (**) | <=2 (*)  | <=5 (*) | <=20 (*) | <=20 (*)

(*) Number of working days after the application vulnerability report is formalised.
(**) Critical and High vulnerabilities will not be accepted. In the worst case, FundApps will mitigate them to reduce the risk to Medium.
Infrastructure
FundApps will endeavour to address infrastructure vulnerabilities based on their severity as defined in the following table:

Action                              | Critical | High     | Medium   | Low
Vulnerability corrected or accepted | <=20 (*) | <=40 (*) | <=60 (*) | Best effort

(*) Number of working days after the vulnerability has been identified.