Add vulnerability management SLAs and scanning schedule
This commit is contained in:
parent 4b3192bc0f
commit a9f8e7a1bd
1 changed files with 27 additions and 0 deletions
27
procedures/vulnerability-management.md
Normal file
@ -0,0 +1,27 @@
# Vulnerability Management Procedure
**Version:** 1.1 | **Owner:** AppSec | **Classification:** Internal
## SLAs
| Severity | Remediation SLA | Exceptions |
|----------|----------------|-----------|
| Critical (CVSS 9–10) | 24 hours | CISO approval required |
| High (CVSS 7–8.9) | 7 days | Manager approval |
| Medium (CVSS 4–6.9) | 30 days | Standard process |
| Low (CVSS 0–3.9) | 90 days | Best effort |
## Scanning schedule
- External attack surface: daily (automated, Qualys)
- Internal network: weekly
- Container images: on every CI build
- Dependencies: on every PR (Dependabot)
## Exception process
Exceptions require:
1. Business justification
2. Compensating controls documented
3. Sign-off from CISO
4. Re-review in 30 days
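Review bot: the Exceptions column of the SLA table contradicts the Exception process section in the same hunk. The table grants High exceptions on "Manager approval", Medium on "Standard process" and Low on "Best effort", while step 3 of the Exception process says every exception needs "Sign-off from CISO"; an on-call engineer reading only the table will route a High exception to a manager and never reach the CISO. Pick one model and make the other defer to it, for example rename the column to "Exception approver" and drop step 3, or keep step 3 and replace the three lower-severity cells with "per Exception process". Two smaller gaps worth closing before this merges: the SLA rows give a duration but not when the clock starts (scanner detection, triage confirmation, or vendor disclosure) or what stops it (fix deployed versus ticket closed), so a 24-hour Critical SLA cannot be measured or reported against; and the internal network and container image scan lines name no tool or owner while the external and dependency lines do (Qualys, Dependabot), so the weekly internal scan has nothing to audit. Minor: the header declares Version 1.1 on a file this commit creates, with no changelog to explain 1.0.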