A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ‘mitigated’ or ‘accepted’. If a vulnerability is ‘mitigated’, a new risk estimation needs to be made for the situation with the mitigating measures in place.
After resolution, resolved vulnerabilities need to remain registered for 1 year.
The organisation shall establish a maximum resolution time for vulnerabilities based on the associated risk. Timely resolution of vulnerabilities is monitored.
Specification
Vulnerabilities are scanned and reported with a vulnerability scanner from a preferred supplier. System owners can request access to administer the vulnerabilities detected on their systems. All production servers must be connected to this central scanning solution.
Vulnerabilities are treated according to their risk-estimate, which is derived from the CVSS score of the vulnerability and the estimate of the risk-context:
Risk-context (rows) against the CVSS score of the vulnerability (columns); each cell gives the resulting risk-estimate:

| Risk-context | CVSS Low [0-3.9] | CVSS Medium [4-6.9] | CVSS High [7-8.9] | CVSS Critical [9-10] |
|---|---|---|---|---|
| Critical | Medium | High | Critical | Critical |
| High | Low | Medium | High | Critical |
| Medium | Low | Medium | Medium | High |
| Low | Low | Low | Medium | Medium |
For external suppliers, the risk-context is the highest of the AIC-ratings of the classification (where Low = Low, Basic = Medium, Sensitive = High and Critical = Critical).
If a CVSS score is not yet available, a professional estimate is made based on the ease of exploitation, the exposure of the vulnerability, exploitation observed internally and externally, and the potential impact of the vulnerability.
Vulnerabilities need to be resolved within the maximum resolution time that belongs to their risk-estimate:
- Critical: 3 working days
- High: 2 weeks
- Medium: 3 months
- Low: Best effort
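The risk matrix and resolution times above, turned into a small register check as an added example (not part of this policy or any organisation's tooling). It assumes 2 weeks = 14 and 3 months = 90 calendar days, that "working days" means Monday to Friday, and that a mitigated entry records its re-estimated score under the invented key `mitigated_cvss`.

```python
from datetime import date, timedelta

# Risk-context (row) x CVSS band (column: [0-3.9], [4-6.9], [7-8.9], [9-10]) -> risk-estimate
RISK_MATRIX = {"Critical": ("Medium", "High", "Critical", "Critical"),
               "High": ("Low", "Medium", "High", "Critical"),
               "Medium": ("Low", "Medium", "Medium", "High"),
               "Low": ("Low", "Low", "Medium", "Medium")}
# Max resolution time per risk-estimate (Low = best effort, no deadline); assumes 14/90 calendar days
MAX_RESOLUTION = {"Critical": ("working_days", 3), "High": ("days", 14),
                  "Medium": ("days", 90), "Low": None}

def risk_estimate(cvss, context):
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    band = 0 if cvss < 4.0 else 1 if cvss < 7.0 else 2 if cvss < 9.0 else 3
    return RISK_MATRIX[context][band]

def add_working_days(start, n):
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday..Friday count as working days (assumption)
            n -= 1
    return d

def deadline(reported, estimate):
    rule = MAX_RESOLUTION[estimate]
    if rule is None:
        return None
    unit, n = rule
    return add_working_days(reported, n) if unit == "working_days" else reported + timedelta(days=n)

def overdue(register, today):
    """IDs of open or mitigated entries that are past their maximum resolution time."""
    late = []
    for v in register:
        if v["status"] in ("resolved", "accepted"):
            continue
        # a mitigated finding is judged on the new risk estimate the policy requires
        cvss = v["mitigated_cvss"] if v["status"] == "mitigated" else v["cvss"]
        due = deadline(v["reported"], risk_estimate(cvss, v["context"]))
        if due is not None and today > due:
            late.append(v["id"])
    return late
REGISTER = [  # constructed sample register, not real findings
    {"id": "V-1", "cvss": 9.8, "context": "High", "status": "open", "reported": date(2024, 3, 1)},
    {"id": "V-2", "cvss": 9.8, "context": "High", "status": "mitigated", "mitigated_cvss": 5.0,
     "reported": date(2024, 3, 1)},
    {"id": "V-3", "cvss": 2.0, "context": "Low", "status": "open", "reported": date(2023, 1, 1)},
]
```

Running `overdue(REGISTER, date(2024, 3, 20))` reports only V-1: the Critical deadline of 3 working days from Friday 1 March 2024 is 6 March, while the mitigated V-2 now counts as Medium and the Low entry has no deadline.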
ISO 27001 & 27002:2022: A5.7, A8.7, A8.8, A8.19
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.06 Patch management
SM.07 Threat en Vulnerability Management