Add vulnerability management SLAs and scanning schedule
parent
4b3192bc0f
commit
a9f8e7a1bd
1 changed files with 27 additions and 0 deletions
27
procedures/vulnerability-management.md
Normal file
@ -0,0 +1,27 @@
# Vulnerability Management Procedure

**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal

## SLAs

| Severity | Remediation SLA | Exceptions |
|----------|----------------|-----------|
| Critical (CVSS 9–10) | 24 hours | CISO approval required |
| High (CVSS 7–8.9) | 7 days | Manager approval |
| Medium (CVSS 4–6.9) | 30 days | Standard process |
| Low (CVSS 0–3.9) | 90 days | Best effort |

## Scanning schedule

- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)

## Exception process

Exceptions require:
1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days
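Review bot: the "Exceptions" column of the SLA table contradicts the "Exception process" section in the same file. The table lets a High finding be excepted on "Manager approval" and a Medium one via "Standard process", while the numbered list below states that every exception requires "Sign-off from CISO". Pick one source of truth: either make the list the authority and have the table column say "see Exception process", or keep the per-severity approvers in the table and qualify item 3 so it applies only to Critical. Two smaller points in the same hunk: the "Remediation SLA" column never says when the clock starts (scanner detection, triage confirmation, or public disclosure), and that start point is what an auditor will measure against, so add one sentence under "## SLAs" defining it; and "Version: 1.1" on a newly added file implies an earlier revision that is not in this repository, so either start at 1.0 or reference where 1.0 lives.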