Vulnerability Management Policy

Last Updated: 3rd January, 2020

This document is an adaptation of the ImgBot Vulnerability Management Policy, which is an adaptation of the Vulnerability Management Policy created by Tech Republic.

Goal

It is Typo CI's responsibility to provide a secure network environment for Typo CI's applications, staff, business partners, and contractors. As part of this goal, it is Typo CI's policy to ensure all computer devices (including servers, desktops, phones, printers, etc.) connected to Typo CI's network have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed.

Monitoring

Typo CI staff will monitor security mailing lists, review vendor notifications and websites, and research specific public websites for the release of new patches. Monitoring will include, but not be limited to, the following:

Review and evaluation

Once alerted to a new patch, Typo CI staff will review the new patch within 24 hours of receiving the notification. Typo CI's staff will categorize the criticality of the patch according to the following:

Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.

Risk assessment and testing

Typo CI staff will assess the effect of a patch prior to its deployment. Typo CI staff will also assess the criticality of the patch separately for each affected platform.

If Typo CI staff categorizes a patch as an Emergency, it is considered an imminent threat to Typo CI's users. In that situation, Typo CI assumes greater risk by waiting to test the patch before implementing it than by implementing it untested. Typo CI's service will therefore be suspended until the patch has been integrated and deployed, at which point the service will resume.

Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. Typo CI staff will expedite testing for critical patches. Typo CI staff must complete validation against all environments prior to implementation.

Implementation

Typo CI staff will deploy Emergency patches within eight hours of availability. As Emergency patches pose an imminent threat to Typo CI's users, the release may precede testing. In all instances, Typo CI staff will perform testing (both automated and post-implementation) and document it for auditing and tracking purposes.

Critical patches and non-critical patches will be released as they are integrated. The Typo CI service will remain running during the integration, testing, and verifying phases of these patches.

Auditing, assessment, and verification

Following the release of all patches, Typo CI staff will verify the successful installation of the patch and that there have been no adverse effects.

User responsibilities and practices

It is the responsibility of each user - both individually and within the organization - to ensure prudent and responsible use of computing and network resources.