Door IT has established a formal policy and supporting procedures concerning vulnerability management. This policy is to be implemented immediately. It will be evaluated on an annual basis to ensure its adequacy and relevance to Door IT's needs and goals.
Security patch management (vulnerability management) has become a critical security issue, due in large part to the exploitation of information technology systems from numerous external and internal sources. Consequently, all system components directly associated with the Door platform must be securely hardened and configured with all necessary and appropriate patches and system updates to prevent the exploitation or disruption of mission-critical services. Similarly, all IT resources not directly associated with the Door platform must also be securely hardened and configured with all necessary and appropriate patches and system updates in order to prevent the exploitation or disruption of mission-critical services. In accordance with best practices for security patch management, the following three (3) security concerns will be highlighted throughout the Security Patch Management policy.
They are as follows (NIST, n.d.):
- Vulnerabilities: Software flaws or misconfigurations that may result in a weakness in the security of a system, whether within the system components directly associated with the Door platform or within any other IT resources.
- Remediation: The three (3) primary methods of remediation are (1) installation of a software patch, (2) adjustment of a configuration setting and (3) removal of the affected software.
- Threats: Threats are capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and potentially cause harm to a computer system or network. Common examples are scripts, worms, viruses and Trojan horses.
Failure to keep system components and other IT resources patched securely and on a consistent basis can cause unwanted damage to all environments directly associated with the Door platform. This includes but is not limited to the following:
- Comprehensive inventory of all system components directly associated with the Door platform.
- Comprehensive inventory of all other IT resources not directly associated with the Door platform.
- Subscribing to industry-leading security sources and additional supporting resources for vulnerability announcements and other security patch management alerts and issues.
| Source | URL |
|---|---|
| Microsoft Technet | https://technet.microsoft.com/security/bulletin |
| Microsoft Knowledgebase | https://support.microsoft.com/en-us/search |
| Common Vulnerabilities and Exposures | https://cve.mitre.org |
| US-CERT | https://www.us-cert.gov |
| NIST Computer Security Division | https://csrc.nist.gov/ |
| CVE Details | www.cvedetails.com |
Email Newsletter subscriptions:
Vulnerabilities will be assessed on a case-by-case basis against the risk rating and/or CVSS score (detailed below). The assessment will consider, but is not limited to, (1) the significance of the threat, (2) whether an exploit exists and the overall threat it poses and (3) the risks involved in applying security patch management procedures (the effect on other systems, the resources available and any resource constraints).
Ratings are defined below:
| Rating | Definition |
|---|---|
| Critical | Vulnerabilities that score in the critical range usually have most of the following characteristics: - Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices. - Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions. |
| High | Vulnerabilities that score in the high range usually have some of the following characteristics: - The vulnerability is difficult to exploit. - Exploitation could result in elevated privileges. - Exploitation could result in significant data loss or downtime. |
| Medium | Vulnerabilities that score in the medium range usually have some of the following characteristics: - Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics. - Denial of service vulnerabilities that are difficult to set up. - Exploits that require an attacker to reside on the same local network as the victim. - Vulnerabilities where exploitation provides only very limited access. - Vulnerabilities that require user privileges for successful exploitation. |
| Low | Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access. |
| CVSS Score | Priority |
|---|---|
| 0-5 | Low |
| 5-7 | Medium |
| 7-9 | High |
| 9-10 | Critical |
Vulnerability scans will be performed daily using NIST-approved tools and methodologies, as per NIST Special Publication (SP) 800-53 Revision 5 and NIST SP 800-115 or their successors. The scans must include both internal and external systems and services, as well as web applications.
Vulnerabilities identified during the scanning process must be assessed and prioritized according to their severity, potential impact, and exploitability, following the guidelines in NIST SP 800-30 Revision 1 or its successor. The Common Vulnerability Scoring System (CVSS) will be used to assign a score to each vulnerability.
Remediation efforts, including patch management, must be implemented according to the priority levels assigned to vulnerabilities. The organization must adhere to NIST SP 800-40 Revision 3 or its successor for patch management best practices.
In cases where remediation is not feasible or practical, the organization may accept the risk associated with a vulnerability, subject to the approval of the Information Security Officer (ISO) and documented risk acceptance procedures.
All vulnerability management activities, including scanning results, assessments, remediation efforts, and risk acceptance decisions, must be documented and reported to the ISO. Records must be retained in accordance with the organization’s record retention policy and NIST guidelines.
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months.