Vulnerability Management Policy


SOC2 Certification | Netspective Unified Process
 

The Vulnerability Management Policy outlines the guidelines and procedures for managing vulnerabilities within Netspective Communications LLC. [FII-SCF-027-VPM-01.1] [FII-SCF-027-VPM-01]

  • All systems must be scanned for vulnerabilities before being installed in production and periodically thereafter. [FII-SCF-027-VPM-02]

  • All systems are subject to periodic penetration testing. [FII-SCF-027-VPM-04]

  • Penetration tests are required periodically for all critical environments/systems. [FII-SCF-027-VPM-06]

    Vulnerability Scan/Penetration Test Reports

  • Where the entity has outsourced a system to another entity or a third party, vulnerability scanning/penetration testing must be coordinated.

  • Scanning/testing and mitigation must be included in third party agreements.

  • The output of the scans/penetration tests will be reviewed in a timely manner by the system owner. Copies of the scan report/penetration test must be shared with the ISO/designated security representative for evaluation of risk.


  • Appropriate action, such as patching or updating the system, must be taken to address discovered vulnerabilities. For any discovered vulnerability, a plan of action and milestones must be created, and updated accordingly, to document the planned remedial actions to mitigate vulnerabilities.

  • Any vulnerability scanning/penetration testing must be conducted by individuals who are authorized by the ISO/designated security representative. The CISO must be notified in advance of any such tests. Any other attempts to perform such vulnerability scanning/penetration testing will be deemed an unauthorized access attempt.

  • Anyone authorized to perform vulnerability scanning/penetration testing must have a formal process defined, tested and followed at all times to minimize the possibility of disruption.


  • Integrate the GitLab SAST Analyzer tool actively into the software development lifecycle to identify vulnerabilities. [FII-SCF-027-VPM-01.1]

  • Perform GitLab SAST Analyzer tool scans before deployment and regularly thereafter to maintain ongoing security. [FII-SCF-027-VPM-06]

  • Prioritize and address remediation efforts by documenting and reviewing GitLab SAST Analyzer tool results with the development, security, and management teams. [FII-SCF-027-VPM-02]

  • Actively utilize GitLab Secret Detection Scanner tools to identify and prevent the inclusion of sensitive information, such as access credentials and API keys, in the source code or configuration files. [FII-SCF-027-VPM-01.1]

  • Regularly scan source code repositories, configuration files, and other relevant code repositories using GitLab Secret Detection Scanner tools to detect and address any instances of exposed secrets. [FII-SCF-027-VPM-06]

  • Promptly report any identified secrets to the respective developers or administrators for immediate remediation upon detection by the GitLab Secret Detection Scanner tools. [FII-SCF-027-VPM-02]
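The following `.gitlab-ci.yml` is an added illustration of how the SAST and Secret Detection requirements above can be enforced in a pipeline; it is not Netspective's own configuration. It uses the GitLab-maintained `Security/SAST.gitlab-ci.yml` and `Security/Secret-Detection.gitlab-ci.yml` templates and the documented `SAST_EXCLUDED_PATHS` and `SECRET_DETECTION_HISTORIC_SCAN` variables; the stage layout, the excluded paths, the placeholder build/deploy scripts and the choice of `semgrep-sast` as the analyzer job to override are assumptions for the example.

```yaml
# Added example, not Netspective's configuration: wire the GitLab SAST and
# Secret Detection analyzers into every pipeline so scans run before deployment.
stages:
  - build
  - test      # both templates add their jobs to this stage
  - deploy

include:
  # GitLab-maintained templates (real template paths).
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml

variables:
  # Assumed paths that should not be analyzed (vendored code, test fixtures).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"
  # Set to "true" for one run to scan the full git history, so secrets committed
  # before the scanner was enabled are also surfaced; keep "false" afterwards.
  SECRET_DETECTION_HISTORIC_SCAN: "false"

build:
  stage: build
  script:
    - echo "build step (placeholder)"

# The templates default to allow_failure: true. Overriding it means an analyzer
# error (e.g. a crashed scanner) stops the pipeline instead of being ignored.
# Findings themselves are reported in the pipeline security report and the
# merge request widget, where the review required by this policy takes place.
# "semgrep-sast" is the job name the SAST template uses for the languages
# semgrep covers; adjust to the analyzer job(s) your languages trigger.
semgrep-sast:
  allow_failure: false

secret_detection:
  allow_failure: false

# Runs in the "deploy" stage, i.e. only after every "test" stage job has
# finished, so no deployment starts without the scans having run.
deploy_production:
  stage: deploy
  script:
    - echo "deploy step (placeholder)"
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

The "regularly thereafter" part of the requirement is covered by a pipeline schedule (configured in the project's CI/CD settings, not in this file); a scheduled run on the default branch sets `CI_COMMIT_BRANCH`, so the template jobs execute on it like any other branch pipeline.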


Approved by Ajay Kumaran Nair on July 4, 2023
Last Updated by Arun K R on July 4, 2023