
Sample – Vulnerability Patch Management approach

March 3, 2020

This document outlines only the process for patch management in response to vulnerabilities discovered outside the regular patch management process. The Operations teams should follow the normal change management process to implement the changes recommended by the Threat Response Team unless otherwise notified via the Remedy Helpdesk system. If an urgent change is required that is an exception to the normal change management process, the Threat Response Team will provide the necessary justification to the Operations teams, which can then be presented to the Emergency Change Control Board.

Roles and Responsibilities

Infosec, Governance, Risk and Compliance – The GRC team will ensure that all exceptions, where a vulnerability cannot be remediated for business reasons, are recorded appropriately in the Risk Register as per Infosec’s policies.

Infosec, Threat Response Team – The TRT will analyze the reports generated by the Qualys scans on a periodic basis to prioritize the remediation effort.

IT, Security Operations – The SecOps team will create and schedule scans as per Infosec’s vulnerability management policies and other regulatory requirements. With respect to Qualys, the SecOps team will be the point of contact for escalations to the vendor and other product-related maintenance issues. SecOps will own the remediation to the extent of assigning tickets to the appropriate Operations team, if that team is known, or identifying the team that can patch the vulnerability. Once the Operations team has implemented the recommended change, the SecOps team will reconcile the changes implemented against the recommended changes and escalate any differences to the TRT.

IT, Operations teams – Each Operations team within IT will be responsible for the remediation of the devices, operating systems and applications it maintains. When assigned a ticket in response to a vulnerability discovered in the infrastructure, the Ops team will evaluate the vulnerability to determine whether it is applicable in the Corporate environment and take the necessary steps, within the normal change management process, to remediate it. All feedback and plans about vulnerability remediation should be submitted to SecOps.

Business Owner – The BU that owns the service/application/device will determine the business impact and provide details of the remediation window available for the Ops team to patch the vulnerability. If the BU does not want the vulnerability patched for any reason, the BU owner will work with Infosec to fill out the risk register and accept the risk arising from exploitation of the vulnerability.