Vulnerability Management Policy
Last Updated: 3rd January, 2020
This document is an adaptation of the ImgBot Vulnerability Management Policy, which is an adaptation of the Vulnerability Management Policy created by Tech Republic.
It is Typo CI's responsibility to provide a secure network environment for Typo CI's applications, staff, business partners, and contractors. As part of this goal, it is Typo CI's policy to ensure all computer devices (including servers, desktops, phones, printers, etc.) connected to Typo CI's network have proper virus protection software, current virus definition libraries, and the most recent operating system and security patches installed.
Typo CI staff will monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:
- Dependabot notifications for all Typo CI related code.
- GitHub security notifications for all Typo CI related code.
- Scanning Typo CI related code to identify known vulnerabilities.
- Repositories and Web sites of all partners and vendors.
Review and evaluation
Once alerted to a new patch, Typo CI staff will review the new patch within 24 hours of receiving the notification. Typo CI's staff will categorize the criticality of the patch according to the following:
- Emergency - an imminent threat to Typo CI's users
- Critical - targets a security vulnerability
- Not Critical - a standard patch release update
- Not applicable to Typo CI's environment
Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.
Risk assessment and testing
Typo CI staff will assess the effect of a patch prior to its deployment. Typo CI staff will also assess the criticality of the patch for each affected platform.
If Typo CI staff categorizes a patch as an Emergency, it is considered an imminent threat to Typo CI's users. Therefore, Typo CI assumes greater risk by not implementing the patch than by waiting to test it before implementing. In this case, Typo CI's service will be suspended until the patch has been integrated and deployed; at that point the service will resume.
Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. Typo CI staff will expedite testing for critical patches. Typo CI staff must complete validation against all environments prior to implementation.
Typo CI staff will deploy Emergency patches within eight hours of availability. As Emergency patches pose an imminent threat to Typo CI's users, the release may precede testing. In all instances, Typo CI staff will perform testing (both automated and post-implementation) and document it for auditing and tracking purposes.
Critical patches and Not Critical patches will be released as they are integrated. The Typo CI service will remain running during the integration, testing, and verification phases of these patches.
Auditing, assessment, and verification
Following the release of all patches, Typo CI staff will verify the successful installation of the patch and that there have been no adverse effects.
User responsibilities and practices
It is the responsibility of each user - both individually and within the organization - to ensure prudent and responsible use of computing and network resources.