1. Overview
This policy defines the requirements for a continuous vulnerability management program to identify, assess, remediate, and report on security vulnerabilities within defined timelines. The goal is to reduce the organization's attack surface and the risk posed by unremediated vulnerabilities.
2. Scope
This policy applies to all company-owned or managed assets, including servers, workstations, network devices, applications, and cloud infrastructure.
3. Policy Statements
- PS-1: Asset Inventory: A complete and accurate inventory of all assets in scope must be maintained to ensure comprehensive vulnerability scanning.
- PS-2: Vulnerability Scanning: All in-scope assets must be scanned for vulnerabilities in accordance with the vulnerability-scanning-standard.md.
- PS-3: Risk Rating: All identified vulnerabilities must be assigned a risk rating (e.g., Critical, High, Medium, Low) based on a combination of exploitability, impact, and other environmental factors such as asset exposure and criticality. The Common Vulnerability Scoring System (CVSS) base score shall be used as the baseline, adjusted by those environmental factors.
- PS-4: Remediation Timelines: Vulnerabilities must be remediated within defined timelines based on their risk rating.
- Critical: 15 days
- High: 30 days
- Medium: 90 days
- Low: 180 days
- PS-5: Penetration Testing: The organization will conduct regular penetration tests against critical systems and applications to identify vulnerabilities not discoverable by automated scanners.
4. Roles and Responsibilities
- Security Engineering Team: Responsible for managing the vulnerability management program, including operating scanning tools and tracking remediation.
- Asset Owners: Responsible for ensuring that vulnerabilities identified on their assets are remediated within the defined timelines.
- Developers: Responsible for remediating vulnerabilities in the code they develop.
- IT Operations: Responsible for remediating vulnerabilities on infrastructure and operating systems.
5. Compliance
- Measurement: Compliance with this policy will be measured by tracking remediation SLAs, the age of open vulnerabilities, and the results of regular vulnerability scans and penetration tests.
- Exceptions: Any exception to the remediation timelines must be formally documented as a risk acceptance, including justification and mitigating controls, and approved by the CISO.
- Enforcement: Consistent failure to remediate vulnerabilities within the required timelines may result in system isolation or other risk-reduction measures.
6. Applicable Controls
- ISO 27001:2013: A.12.6 (Technical vulnerability management)
- SOC 2 (2017 Trust Services Criteria): CC7.1
- NIST CSF 1.1: PR.IP-12