Vulnerability Management Policy

Introduction
Technical vulnerabilities are discovered and exploited by malicious actors daily. Vendors provide security patches and critical updates for supported products.

Objective
To protect against exploitation of technical vulnerabilities.

Scope
This policy applies to all internal- and external-facing systems and software, including mobile devices, workstations, servers, firewalls, routers and network infrastructure.

Policy

  • All systems and software will be patched and scanned for vulnerabilities on a monthly basis.
  • All obsolete or unsupported software will be removed.
  • All new systems and software will be patched and tested before deployment.
  • All patches and updates should be tested before general distribution.
  • All external vulnerabilities with a CVSS score of 4.0 or above must be remediated within 15 days.
  • All internal vulnerabilities with a CVSS score of 7.0 or above must be remediated within 30 days.
  • External quarterly scans must be performed on all systems within PCI scope by an Approved Scanning Vendor (ASV).
  • Internal and external penetration tests shall be run annually and after any significant change to the PCI environment.
  • All updates, patches and remediation are subject to change management.
  • Any exceptions must have compensating controls approved by management.

Guidance
Patches may be applied following Microsoft's regular Patch Tuesday release. Vulnerability scans should be performed afterwards to verify that the patches have fixed the known issues.

References
Secure configuration standard
Network security policy