Vulnerability Management Policy

Objective

The purpose of this policy is to define the way in which FundApps detects, classifies, mitigates and corrects vulnerabilities on its Information System. Effective implementation of this policy will reduce the probability and/or impact of vulnerabilities affecting the FundApps Information System.

Scope

This policy applies to the applications and infrastructure that make up FundApps’ production environment. Physical vulnerability management is out of scope of this policy and is managed by our hosting provider (AWS).

Vulnerability Detection

  • Applications

    A technical security audit will be conducted annually against FundApps’ application in order to detect vulnerabilities and other security concerns. This assessment will be conducted against an environment identical to the production environment except that it will not contain production or sensitive data. An executive summary of the assessment and its findings will be available to clients who request it within 20 working days of the assessment being completed.

  • Infrastructure

    Automated vulnerability scanning of the production infrastructure will be conducted on a monthly basis.

Vulnerability Severity Ratings

  • Applications

    Application vulnerabilities will be rated based on their impact and likelihood. Possible vulnerability ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology).

  • Infrastructure

    Infrastructure vulnerabilities will be rated using the Common Vulnerability Scoring System (https://www.first.org/cvss/user-guide). Possible vulnerability ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0).

Vulnerability Acceptance, Mitigation and Correction

  • Process

    Once vulnerabilities have been identified, rated and formalised, FundApps will manage risk treatment based on the following diagram:

By default, and as a maximum, the vulnerability acceptance period will be one year.

  • Applications

    FundApps will endeavour to address vulnerabilities based on their severity as defined in the following table:

                                             Critical   High       Medium     Low
Action plan defined                          <=2 (*)    <=5 (*)    <=20 (*)   <=20 (*)
Vulnerability mitigated                      <=2 (*)    <=5 (*)    <=20 (*)   <=20 (*)
Vulnerability corrected or accepted (**)     <=2 (*)    <=5 (*)    <=20 (*)   <=20 (*)

(*) Number of working days after the application vulnerability report is formalised.
(**) Critical or High vulnerabilities will not be accepted. In the worst-case scenario FundApps will mitigate these to reduce the risk to Medium.

  • Infrastructure

    FundApps will endeavour to address infrastructure vulnerabilities based on their severity as defined in the following table:

                                             Critical   High       Medium     Low
Vulnerability corrected or accepted          <=20 (*)   <=40 (*)   <=60 (*)   Best effort

(*) Number of working days after the vulnerability has been identified.
