Vulnerability Management Policy
Objective
The purpose of this policy is to define how FundApps detects, classifies, mitigates and corrects vulnerabilities in its Information System. Effective implementation of this policy reduces the probability and/or impact of vulnerabilities affecting the FundApps Information System.
Scope
This policy applies to the applications and infrastructure that make up FundApps’ production environment. Physical vulnerability management is out of scope of this policy; it is the responsibility of our hosting provider (AWS).
Vulnerability Detection
Applications
FundApps performs a technical security audit of the FundApps application annually in order to detect vulnerabilities and other security concerns.
This assessment is performed against an environment identical to the production environment, except that it does not contain production or sensitive data.
An executive summary of the assessment and its findings is made available to clients on request, within 20 working days of the assessment being completed.
Infrastructure
FundApps performs automated vulnerability scanning of its production infrastructure on a monthly basis.
Vulnerability Severity Ratings
Applications
Application vulnerabilities are rated on their impact and likelihood. Possible ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology (https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology).
Infrastructure
Infrastructure vulnerabilities are rated using the Common Vulnerability Scoring System (https://www.first.org/cvss/user-guide). Possible ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0); these bands correspond to the CVSS v3.x qualitative severity rating scale.
Vulnerability Acceptance, Mitigation and Correction
Process
Once vulnerabilities have been identified, rated and formalised, FundApps manages risk treatment according to the following diagram:
The vulnerability acceptance period is one year by default, and one year is also the maximum permitted.
Applications
FundApps will endeavour to address application vulnerabilities based on their severity, within the targets defined in the following table (all figures are working days after the application vulnerability report is formalised):

Milestone                                  Critical   High    Medium   Low
Action plan defined                        <=2 (*)    <=5 (*) <=20 (*) <=20 (*)
Vulnerability mitigated                    <=2 (*)    <=5 (*) <=20 (*) <=20 (*)
Vulnerability corrected or accepted (**)   <=2 (*)    <=5 (*) <=20 (*) <=20 (*)

(*) Number of working days after the application vulnerability report is formalised.
(**) Critical or High vulnerabilities will not be accepted. In the worst case, FundApps will mitigate these so that the residual risk is reduced to Medium.
Infrastructure
FundApps will endeavour to address infrastructure vulnerabilities based on their severity, within the targets defined in the following table (all figures are working days after the vulnerability has been identified):

Milestone                              Critical   High     Medium   Low
Vulnerability corrected or accepted    <=20 (*)   <=40 (*) <=60 (*) Best effort

(*) Number of working days after the vulnerability has been identified.