Connor Group Information Security
Vulnerability Management
Jan 2024
v.1.2
Introduction
Vulnerability Management is the discipline of analyzing company systems to identify known vulnerabilities for risk assessment and action. This standard codifies expectations for managing vulnerabilities on systems operated by Connor Group IT. This standard is one of a set of documents which, together, form Connor Group's Information Security Management System (ISMS).
Purpose
The purpose of this Standard is to ensure:
- Connor Group IT Systems, Services and Third-Party devices connected to Connor Group networks/resources are maintained in a secure manner and protected against the exploitation of any security vulnerabilities; and
- Any disruptions to Connor Group caused by security vulnerabilities are minimized.
Scope
This Standard applies to IT systems managed or accessed by Connor Group, including both physical and virtual desktops, laptops, servers, handhelds, and third-party systems utilized by CG employees for business purposes.
For the purposes of this Standard, the in-scope term “IT Systems” includes:
- Applications (e.g., Outlook, Slack, Adobe, Java)
- Operating Systems (e.g., Linux/Solaris/Windows)
- Network Devices (e.g., Switches/Routers/Firewalls)
- Servers, both physical and virtual
- Desktop Systems, both physical and virtual
- Storage Solutions (e.g. File servers, NAS)
- Removable Media (e.g. MicroSD cards, USB drives)
- IoT devices operating on Connor Group networks
All staff and Third Parties responsible for the management of IT Systems must understand and follow the requirements herein.
In the event of uncertainty regarding the applicability of this Standard, contact Information Security for clarification and/or guidance at [email protected].
Definitions
References for terminology or acronyms used within Information Security Standards can be found in the Glossary of Definitions (https://helpdesk.connorgp.com/a/solutions/articles/11000097565).
Standard
Adherence to requirements in this standard is mandatory.
1. Vulnerability Management requirements
| Ref | Requirement |
|-----|-------------|
| 1.1 | Connor Group shall maintain a regularly updated inventory of assets, including physical and software components. The inventory will include at a minimum: I. Software business owner, vendor, and version number; II. Hardware serial number, assigned location and owner. |
| 1.2 | Connor Group Information Security shall define and establish roles and responsibilities associated with: I. Tracking technical vulnerabilities which may affect systems identified in the asset register; II. Assessing the risk posed by the vulnerability in accordance with the Risk Management Standard; III. Monitoring and tracking the application of patches to the relevant Systems and ensuring the asset register is updated as appropriate; IV. Integration with the Organization's Change Control function and providing authorization to process; V. Applying the patches upon an authorized request. |
| 1.3 | The tracking of technical vulnerabilities shall include a review from either: I. A dedicated, commercial organization providing such a service; or II. Multiple organizations and vendors who may provide the service for free (such as the Bugtraq / CERT mailing lists, etc.). |
| 1.4 | The timeline from notification of a vulnerability to implementation of a control shall be based upon a risk assessment which considers the impact of implementation as well as the impact of non-implementation. |
| 1.5 | The risk assessment shall drive the threat and vulnerability assessment, which shall then drive control selection. Information Security shall have the scope to apply mitigating controls in lieu of patching. |
| 1.6 | Security patches and security updates shall be implemented in accordance with the Connor Group Security Patching Standard and other Operational Control procedures for software installation. |
| 1.7 | A record of security patches shall be maintained with the relevant System record. |
| 1.8 | Where a security patch does not address a vulnerability, the following controls should be considered: I. Turning off services or capabilities related to the vulnerability; II. Strengthening or adding access controls, e.g. firewalls at network borders; III. Increased monitoring and response plans to detect attacks and compromise. |
| 1.9 | The Vulnerability Management process shall be monitored and evaluated regularly to ensure effectiveness and efficiency. |
| 1.10 | The Vulnerability Management process shall be aligned with Incident Management activities as described in the Security Incident Management Standard, to allow open communication on vulnerabilities with the incident response function and to provide for technical procedure execution should an incident occur. |
| 1.11 | Applications in development must undergo appropriate assurance, including penetration testing, for vulnerabilities or security flaws prior to handover to test and production environments, in line with the Connor Group Secure Software Development Lifecycle Standard. |
2. Vulnerability and Penetration Testing
| Ref | Requirement |
|-----|-------------|
| 2.1 | Internal and external vulnerability scans covering all externally facing Systems and other key internal Systems shall be performed by a qualified internal or external resource on a regular basis and after any significant network or system change. |
| 2.2 | The vulnerability scanning process will include rescans until passing results are obtained or an accepted risk profile is reached. |
| 2.3 | Penetration testing covering all externally facing Systems and other key internal Systems (as defined by Information Security) shall be performed at least annually by a qualified external party, and after any significant infrastructure or application upgrade or modification. |
| 2.4 | Information Security shall define the scope of penetration tests in coordination with the business. |
| 2.5 | Any exploitable vulnerabilities identified as high or critical are to be corrected, and the exploit test repeated to confirm remediation. |
| 2.6 | Internal penetration tests are to be performed by a qualified internal resource or a qualified external Third Party. |
| 2.7 | The Connor Group Information Security Team shall provide the process to detect and identify wireless access points on a quarterly basis. This process will identify any unauthorized wireless access points, including: I. WLAN cards inserted into system components; II. Portable wireless devices connected to system components (by USB, for example); III. Wireless devices attached to a network port or network device. |
| 2.8 | Any detected unauthorized wireless devices shall be managed in line with Connor Group’s Incident Management Standard. |
Compliance
The Information Security team shall verify compliance with this Standard through various methods, including but not limited to walk-throughs, environment sampling, process review, monitoring, business tool reports, internal and external audits, and feedback to the policy owner.
Any exception to this Standard requires a formally approved exemption documenting the justification for, and the approval of, the deviation from this Standard. Exemption approvals are required before a system enters live operation, or before it remains online after the remediation plan grace period has expired.
The following are required to adhere to this Standard, except where a formal exception has been granted as above:
- All Connor Group Systems and employees, independent contractors, and subcontractors. Any individual found to have violated this Standard may be subject to disciplinary actions including termination and legal recourse.
- Any Third-Party System that is used to support Connor Group data and/or Services. Any Third Party that violates this Standard will be considered to have breached its contract with Connor Group.
Revision History
Revisions require approval by the Director of Information Security and dissemination to applicable business units prior to release.
| Version | Detail | Author | Date |
|---------|--------|--------|------|
| 1.1 | Formatting revised, with requirements under Standards enumerated for easier reference. | Connor Group Information Security | June 2021 |
| 1.2 | Annual review with minor changes for clarity. | Connor Group Information Security | Jan 2024 |