SB.18.001 Vulnerability Registration and Resolution

Low
Low
Low
System Owner
Version: v2.0 (Q1 2024)
Vulnerability Management

Description

A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ‘mitigated’ or ‘accepted’. If a vulnerability is ‘mitigated’, a new risk estimation needs to be done for the mitigating measures in place.

After resolution, resolved vulnerabilities need to remain registered for 1 year.

The organisation shall establish maximum resolution times for vulnerabilities based on the associated risk. Timely resolution of vulnerabilities is monitored.

Specification

Vulnerabilities are scanned and reported with a vulnerability scanner from a preferred supplier. System owners can ask for access to administer detected vulnerabilities. All production servers must be connected to this central scanning solution.

Vulnerabilities are treated based on the risk-estimate of the found vulnerabilities, derived from the CVSS score of the vulnerability and the estimate of its risk-context:

Risk-context | CVSS-score of the vulnerability
             | Low [0-3.9]   Medium [4-6.9]   High [7-8.9]   Critical [9-10]
Critical     | Medium        High             Critical       Critical
High         | Low           Medium           High           Critical
Medium       | Low           Medium           Medium         High
Low          | Low           Low              Medium         Medium

For external suppliers, the risk-context is the highest of the AIC-ratings of the classification (where Low = Low, Basic = Medium, Sensitive = High and Critical = Critical).

If a CVSS score is not yet available, a professional estimation is made based on the ease of exploitation, the exposure of the vulnerability, observed exploitation internally and externally, and the potential impact of the vulnerability.

Vulnerabilities need to be resolved depending on their risk-estimate and the following resolution times:

Risk-estimate Maximum resolution time
Critical 3 working days
High     2 weeks
Medium   3 months
Low      Best effort
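As an added illustration (not part of the control text or of any tooling the organisation uses), the risk matrix, resolution times, one-year retention and re-estimation rule above modelled as a small Python register check. Assumptions: "3 months" is counted as 90 calendar days, working days skip weekends only (no holiday calendar), and a register entry is a plain dict.

```python
from datetime import date, timedelta
# Rows: risk-context; columns: CVSS bands Low [0-3.9], Medium [4-6.9], High [7-8.9], Critical [9-10].
RISK_MATRIX = {
    "Critical": ("Medium", "High", "Critical", "Critical"),
    "High":     ("Low", "Medium", "High", "Critical"),
    "Medium":   ("Low", "Medium", "Medium", "High"),
    "Low":      ("Low", "Low", "Medium", "Medium"),
}
# Maximum resolution time per risk-estimate; "3 months" is taken as 90 days (assumption), None = best effort.
MAX_RESOLUTION = {"Critical": ("working_days", 3), "High": ("days", 14), "Medium": ("days", 90), "Low": None}

def cvss_band(score: float) -> int:
    """Map a CVSS base score (0.0-10.0) to the matrix column index."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return 0 if score < 4.0 else 1 if score < 7.0 else 2 if score < 9.0 else 3

def risk_estimate(cvss: float, context: str) -> str:
    return RISK_MATRIX[context][cvss_band(cvss)]

def add_working_days(start: date, n: int) -> date:
    """Advance n working days, skipping Saturday/Sunday (assumption: no holiday calendar)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def deadline(reported: date, risk: str) -> "date | None":
    rule = MAX_RESOLUTION[risk]
    if rule is None:
        return None
    unit, n = rule
    return add_working_days(reported, n) if unit == "working_days" else reported + timedelta(days=n)

def check(entry: dict, today: date) -> dict:
    """Monitoring view of a register entry (dict: cvss, context, reported, status[, resolved_on, residual_risk])."""
    risk = risk_estimate(entry["cvss"], entry["context"])
    due = deadline(entry["reported"], risk)
    resolved_on = entry.get("resolved_on")
    return {
        "risk": risk,
        "deadline": due,
        "overdue": entry["status"] == "open" and due is not None and today > due,
        # a mitigated finding needs a fresh risk estimation of the compensating measures
        "needs_reestimate": entry["status"] == "mitigated" and entry.get("residual_risk") is None,
        # resolved findings stay in the register for one year after resolution
        "may_purge": entry["status"] == "resolved" and resolved_on is not None
                     and today >= resolved_on + timedelta(days=365),
    }
```

Running `check` over every entry of the register each day gives the monitoring signal the control asks for: overdue findings, mitigated findings that still lack a re-estimate, and resolved findings that may leave the register.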