Vulnerability Management Policy Template
Vulnerability Management Policy Template
Download your free copy now
Adopting a full set of information security policies is a critical step in ensuring that every department and employee understands their role in helping protect company, customer, and employee data.
Please use these policy templates as a way to get your organization on the right track when it comes to full policy creation and adoption.
System updates, patches, scanning, endpoint protection, and more all help an organization understand and mitigate vulnerabilities that may exist in within its IT environment. Establish rules for mitigating vulnerabilities with this vulnerability management policy.
The purpose of the (Company) Vulnerability Management Policy is to establish the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.
The (Company) Vulnerability Management Policy applies to individuals who are responsible for Information Resource management.
Table of Contents
Endpoint Protection (Anti-Virus & Malware)
- All (Company) owned and/or managed Information Resources must use the (Company) IT management approved endpoint protection software and configuration.
- All non-(Company) owned workstations and laptops must use (Company) IT management approved endpoint protection software and configuration, prior to any connection to a (Company) Information Resource.
- The endpoint protection software must not be altered, bypassed, or disabled.
- Each email gateway must utilize (Company) IT management approved email virus protection software and must adhere to the (Company) rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
- Controls to prevent or detect the use of known or suspected malicious websites must be implemented.
- All files received over networks or from any external storage device must be scanned for malware before use.
- Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to (Company) IT Support.
Logging & Alerting
- Documented baseline configurations for Information Resources must include log settings to record actions that may affect, or are relevant to, information security.
- Event logs must be produced based on the (Company) Logging Standard and sent to a central log management solution.
- A review of log files must be conducted periodically.
- All exceptions and anomalies identified during the log file reviews must be documented and reviewed.
- (Company) will use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
- Log files must be protected from tampering or unauthorized access.
- All servers and network equipment must retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent.
- All log files must be maintained for at least one year.
- The (Company) IT team maintains overall responsibility for patch management implementation, operations, and procedures.
- All Information Resources must be scanned on a regular basis to identify missing updates.
- All missing software updates must be evaluated according to the risk they pose to (Company).
- Missing software updates that pose an unacceptable risk to (Company) Information Resources must be implemented within a time period that is commensurate with the risk as determined by the (Company) Vulnerability Management Standard.
- Software updates and configuration changes applied to Information Resources must be tested prior to widespread implementation and must be implemented in accordance with the (Company) Change Control Policy.
- Verification of successful software update deployment will be conducted within a reasonable time period as defined in the (Company) Vulnerability Management Standard.
- Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.
- Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected.
- Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.
- Failed vulnerability scan results rated at Critical or High will be remediated and re-scanned until all Critical and High risks are resolved.
- Any evidence of a compromised or exploited Information Resource found during vulnerability scanning must be reported to the (Company) Information Security Officer and IT support.
- Upon identification of new vulnerability issues, configuration standards will be updated accordingly.
See Appendix A: Definitions
- ISO 27002: 12, 18
- NIST CSF: PR.IP, PR.PT, DE.AE, DE.CM, RS.MI
- Incident Management Policy
- Change Control Policy
- Logging Standard
- Vulnerability Management Standard
Waivers from certain policy provisions may be sought following the (Company) Waiver Process.
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.