Vulnerability Management
SB.18.005 Penetration Testing
Before go-live of new IT services, and after major updates and changes, a penetration test of the service's information security needs to be performed by a trusted security party. For externally performed pentests, organisational security staff assesses the management summary of the most recent pentest results and the follow-up to its findings. The management summary contains at least which party performed the test, when the test was performed, what the scope of the test was, the number of vulnerabilities that were found and their associated risks. The re-test results are also inspected.
SB.18.004 Automated Application Vulnerability Scanning
The (web-)application is subject to automated vulnerability scanning at least once per quarter. Scanning is performed authenticated wherever possible.
SB.18.003 Automated Vulnerability Scanning
Network-connected IT systems are subjected to automated vulnerability scanning at least once per month. Scanning is performed authenticated where possible.
SB.18.002 Coordinated Vulnerability Disclosure Policy
The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.
SB.18.001 Vulnerability Registration and Resolution
A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ‘mitigated’ or ‘accepted’. If the vulnerability is ‘mitigated’, a new risk estimation needs to be done that takes the mitigating measures in place into account. After resolution, resolved vulnerabilities need to remain registered for 1 year. The organisation shall establish maximum resolution times for vulnerabilities based on the associated risk. The timely resolution of vulnerabilities is monitored.