Technical Vulnerability Management Policy

Contents

1.      Purpose, scope and users                                                                                                               3

2.      Definitions                                                                                                                                            3

3.      Patching                                                                                                                                                3

3.1.       Risk/Priority/Timeline                                                                                                              3

4.      Vulnerability Scanning                                                                                                                   4

5.      Third party penetration testing                                                                                                   4

6.      Desktop                                                                                                                                                 4

6.1.       User Responsibility                                                                                                                  4

6.2.       Desktop Risk Mitigation                                                                                                          5

6.3.       Restarting Devices                                                                                                                   5

6.4.       Awareness Training                                                                                                                  5

7.      Tracking and Verification                                                                                                               5

8.      Document management                                                                                                                     5

9.      Version history                                                                                                                                   6

1.    Purpose, scope and users

This policy covers the topics related to technical Threats and Vulnerability Management and defines how Accellier will: Identify, prioritise and mitigate technical vulnerabilities.

Users of this document are the IT, development and support teams and all users of Accellier equipment.

There are currently 2 areas of focus for technical vulnerability management:

1)     Desktop

2)     Cloud Infrastructure

2.    Definitions

The following definitions may be used in the current or future versions of this policy.

Vulnerability ​- a vulnerability is an unhandled outcome in a program or system that can potentially be exploited to adversely impact a computer system.

Exploit - software that is written usually by attackers which leverages a vulnerability to circumvent security controls and could install unauthorised software (potentially Malware).

Malware ​- this is meant to be any type of software which has been written with the intention to adversely impact the Confidentiality, Integrity and Availability of systems or data.

Patch ​- also referred to as a software update. From time-to-time software vendors will release updates in the form of ‘patches’ to ensure their software is not susceptible to vulnerabilities.

Threat Vector - the method that an exploit is deployed. This includes but is not limited to:

●                Phishing

●                Trojan Software

●                Malicious websites

●                Open/Untrusted Wi-Fi Networks

Criticality - vulnerabilities are given an International Score based on the Common Vulnerability Scoring System (CVSS). It is a mathematical formula based on Impact, if a patch is available and attack complexity amongst others. The result is a score between 1 and 10, 10 being the most critical.

3.    Patching

Periodic planned patching should be performed for all infrastructure components.

3.1.         Risk/Priority/Timeline

Discovered vulnerabilities will normally be managed in the tools used to discover them e.g. Pen Test Portals etc. These tools may categorise the risk level of vulnerabilities slightly differently but will typically identify Critical, High, Medium and Low Risks. The infrastructure team will prioritise patching according to these risk levels and other mitigating factors.

Where CVSS scores are known, the IT team may also make reference to the Cyber Essentials recommendations below.

●       0 - None

●       0.1 -> 3.9 - Low

●       4.0 -> 6.9 - Medium

●       7.0 -> 8.9 - High

●       9.0 -> 10.0 - Critical

4.    Vulnerability Scanning

Periodic Vulnerability Scans should be carried out against standard PC/Laptop builds and all development and production infrastructure.

5.    Desktop

5.1.         User Responsibility

It is the responsibility of ALL Accellier Staff/Users to keep all software on their personal computer, including browser extensions, patched and up to date. If a user is aware of a patch that is required but they are unable to do it, they MUST immediately escalate this to the IT Team.

5.2.         Restarting Devices

In line with the Clear Screen Policy, the user is responsible for powering off their laptop each day when not in use.  This also ensures that software updates can be applied to mitigate security vulnerabilities.

5.3.         Awareness Training

Security awareness training is delivered to all employees as part of the induction process and refreshed annually. Training includes how to identify potential malware threats and how to report a potential security incident.

6.    Tracking and Verification

All outstanding vulnerabilities should be reviewed at least monthly. Any high risk vulnerabilities must be reported to the Board of Directors.

Where vulnerabilities have been identified by a vulnerability scan or penetration test, the remediation actions should be verified as effective by retesting/rescanning.

7.    Document management

This policy shall be available to all Accellier Employees and any Third Parties where required. The policy must be reviewed and, if necessary, updated at least once a year. Notice of significant revisions shall be provided to Accellier Employees via email.

8.    Version history