Vulnerability Patch Management
April 9, 2011This document only outlines the process for patch management in response to vulnerabilities discovered out of the regular patch management process. The operations teams should follow the normal change management process to implement the changes recommended by the Threat Response Team unless otherwise notified via the Helpdesk system. If an urgent change is required that is an exception to the normal change management process then the Threat Response Team (Threat Response Team) will provide the necessary justifications to the Operations teams that can be further presented to the Change Control Board.
Roles and Responsibilities
Corporate Information Security, Governance / Risk and Compliance – The Global Information Security team will ensure that, all exceptions where vulnerability cannot be remediated due to business reasons, the exceptions are recorded appropriately in the Risk Register as per Corporate Information Security policies.
Corporate Information Security / Threat Response Team – The Threat Response Team will analyze the reports generated by the VA Assessment scans on a periodic basis for prioritizing the remediation effort.
IT Security Operations – The Security Operations team will create and schedule scans as per Corporate Information Security vulnerability management policies and other regulatory requirements. With respect to VA Assessment, the Security Operations team will be the point of contact for escalations to the vendor and other product related maintenance issues. Security Operations will own the remediation to the extent of assigning tickets to the appropriate Operations teams if the relevant operations team is known or of identifying the team that can patch the vulnerability. Once the Operations team has implemented the recommended change, the Security Operations team will need to reconcile the changes implemented with the recommended changes and escalate any differences noticed thereof to Threat Response Team.
IT Operations teams – All Operations teams within IT will be responsible for the remediation of the devices, Operating systems and applications maintained by the particular Ops team. When assigned a ticket in response to a vulnerability discovered in the infrastructure, the Ops team will evaluate the vulnerability to determine if it is applicable in Corporate environment and take necessary steps, within the normal change management process, to remediate the vulnerability. All feedback and plans about vulnerability remediation should be submitted to Security Operations.
Business Owner – The Business Unit that owns the service/application/device will determine the business impact and provide details of the remediation window available for the Ops team to patch the vulnerability. If the Business Unit does not want the vulnerability patched for any reason, the Business Unit owner will work with Corporate Information Security to fill out the risk register and accept the risk arising from exploitation of the vulnerability.
www.bestitdocuments.com