Objectives for Vulnerability Assessment & Management SOP:
This document establishes the Standard Operating Procedure (SOP) for performing Infrastructure Vulnerability Assessments and remediation of identified vulnerabilities.
A Vulnerability Management process is a part of an organization’s effort to control information security risks to its systems. The objective of vulnerability management is to detect and remediate vulnerabilities in a timely fashion. This process is an imperative part of the Organization’s computer and network security posture.
To know more about What is VAPT | Stages of VAPT | Why VAPT needed? Click here – What is VAPT – Vulnerability Assessment and Penetration Testing?
This process includes the following broad steps to manage vulnerabilities in Network. Below is the outline process diagram:
Scope for Vulnerability Assessment & Management SOP:
This procedure is applicable to all the Servers and Network Devices across any organization and the personnel involved in the Vulnerability Management effort as described by this document.
Vulnerability Assessment & Management SOP Process Flow Chart:
Detailed Steps & Process Requirements for Vulnerability Assessment & Management SOP:
I. Preparation
- Assets identification using asset inventories shared by the BUs.
- Assets addition and Asset group creation in the Scanning Tool.
- Configuring the Scan policy for the Asset group for which scanning required.
- Before initiating the scans, if required, share the scan schedule information with the teams managing firewalls, IDS or other security monitoring systems and the assets being scanned. This communication includes the Source and destination IP Addresses and schedule.
II. Assessment:
- Review the Scan policy configuration
- Launch the Vulnerability scan.
- All the scans shall be authenticated scans unless otherwise communicated
- All in-scope assets are to be subjected to authenticated scans
- Wherever required, On-demand scans shall be performed along with the Scheduled scans as per annual plan.
III. Reporting:
- Generate and review the Vulnerability Scan report.
- Prepare remediation plan and send to concerned teams along with the report (such as Server support, Network team etc) for remediation.
- The scan report must be shared with password protection with the password shared over a different medium.
IV. Remediation
- Follow up with the asset/action owner teams regarding remediation actions in order to keep track of their implementation status.
- Raise escalations as per the escalation matrix of the asset/action owner teams whenever Critical and High vulnerabilities aren’t fixed within stipulated time.
V. Verification
- Once the remediation is done, asset/action owner teams shall notify VM team.
- Re-launch scan with the same policies and configuration on the same asset group to check if the vulnerabilities are fixed.
- If any of the vulnerabilities are not fixed, VM team shall share the report with the concerned asset/action owner team to fix as per the recommendations
Approved Scanning Tools:
The GRC department within the Security division is responsible for implementation and operating an Enterprise Vulnerability Scanning tool.
Use of any other vulnerability scanner on a network must have a documented justification and requires an Exception approved by the GRC department head.
Retention Policy:
Scan results are to be retained for a minimum of 12 months, in absence of any other requirements requiring retention beyond this period.
Asset Groups:
Asset groups can be created as per the organization’s requirements such as Critical Assets, Windows, Linux, etc.
Assessment schedule:
Vulnerability Assessment schedule should be created as per the organization’s requirements and capability.
Roles and Responsibilities:
The following matrix describes the responsibilities associated with activities in this procedure. Below can be changed as per the organization’s policies.
RACI Matrix:
(R – Responsible; A – Accountable; C – Consulted; I – Informed)
| Policy Statement | CISO | GRC Dept. Head | VA Team | System Owner | Technical/ Process Owner |
| 1.Establish VM process | I | A | R | I | I |
| 2. Define VM roles and responsibilities | I | A, C | R | I | I |
| 3. Asset inventory input to VM | I | A | R | C | C |
| 4. VA for newly developed internally or vendor-provided systems | I | C | R | A | R |
| 5. Perform Vulnerability Scans | I | A | R | C | C |
| 6. Implementation of minimum baseline security | I | I | C | A | R |
| 7. Usage of VA tools | I | C | A | R | R |
| 8. VA Scanning hours | I | C | R | A | C |
| 9. Protection of VA reports | I | A | R | R | R |
| 10. Remediation of vulnerabilities | I | C | C | A, R | R |
| 11. Vulnerability subscription service | I | A | R | I | C |
| 12. Patching/apply controls | I | I | C | A | R |
| 13. Post remediation review | I | A | R | C | C |
Enforcement:
All enforcements are as per the Information Security Policies.
References:
- ISO27001:2013
- Other Best practices
Service Level Agreement (SLA):
Remediation of vulnerabilities should be done as per the SLA defined by GRC department or organization policy.
Found this article interesting? Follow DefenseLead on Twitter, Facebook and LinkedIn to read more exclusive content.