Vulnerability Management
Vulnerability Management Policy
Screendesk's vulnerability management program is designed to protect the confidentiality, integrity, and availability (CIA) of the organization's information systems, including all critical system resources.
The Screendesk vulnerability management program addresses vulnerabilities and threats through remediation and control implementation. These terms are defined as follows:
Vulnerabilities: Software flaws or misconfigurations that may weaken the security of an organization's system
Threats: Capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and harm a computer system or network. Potential threats also include insider threats
Remediation: Means of addressing or resolving vulnerabilities and threats
Control implementation: The use of defined scanning and testing procedures to identify, communicate, and address vulnerabilities and threats
Chief components of the program include the following:
Configuration Standards
Screendesk establishes a secure configuration baseline by hardening and locking down all critical system resources when they are provisioned, and maintains that baseline through continuous monitoring and timely security patching.
Network Architecture
Screendesk designs its network architecture and segmentation to limit the exposure of vulnerable systems and to contain the impact of any successful exploitation.
Network Scanning and Monitoring
Screendesk follows internal and external vulnerability scanning procedures and conducts network layer and application layer penetration tests to manage vulnerabilities.
Vulnerabilities will be categorized by severity based on the following criteria:
Impact: The possible disruption to systems and business operations
Likelihood: The ease with which a vulnerability may be exploited
Compensating controls: The availability of network- or host-based methods of mitigation
The classification and prioritization of vulnerabilities are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. Separate Likelihood and Impact scores, each rated Low, Medium, or High, are assigned to the identified vulnerability. The combination of the two determines the overall severity of the vulnerability, which sets its priority for remediation.
Network Segmentation
Screendesk segments its network to prevent direct or unauthorized connections between an external network and its information systems – and in particular between an external network and Confidential data in cloud environments. Segmentation is established through the following means:
Demilitarized zones (DMZ) that logically separate Screendesk's systems and data from untrusted external networks
Security tools that isolate subnetworks and security groups (e.g., customer environments) and prohibit connection except through monitored interfaces
Vulnerability Scanning
Screendesk performs internal and/or external vulnerability scans of in-scope systems at least quarterly. The scan reports are shared with the CTO.
Vulnerability Remediation Procedure
Once an employee identifies a critical or zero-day vulnerability, they report it immediately to the CTO, who is responsible for carrying out the following procedure for each identified vulnerability:
Develop a vulnerability analysis. Document the following details about the vulnerability:
Description/Nature of the vulnerability
System(s) impacted
Risk rating based on the potential impact, the likelihood of exploitation, and any existing controls that may reduce the risk
Any suggested controls that may be implemented to address the vulnerability
Determine the remediation timeline based on the risk rating:
Critical: Immediately, and no later than 7 days after identification
High: Within 14 days of identification
Medium and Low: Within 30 days of identification
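The risk rating and deadline steps above are mechanical once the OWASP factor scores are in hand. The following is an added worked example, not Screendesk's own tooling: it scores each OWASP likelihood and impact factor 0-9, averages them, bands each average Low/Medium/High, looks up the overall severity in the OWASP matrix, and converts that severity into a remediation due date using the timelines stated in this policy. The sample scores are constructed for illustration; treating OWASP's "Note" outcome (which this policy does not name) as a 30-day Low item is an assumption of the example.

```python
"""
Worked OWASP Risk Rating (added example; not Screendesk's own tooling).
Each likelihood and impact factor is scored 0-9 per the OWASP Risk Rating
Methodology, averaged into a Likelihood and an Impact score, each banded
LOW / MEDIUM / HIGH, and combined through the OWASP severity matrix.  The
resulting severity is then mapped onto the remediation deadlines stated in
the policy above.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# OWASP likelihood factors: threat-agent factors, then vulnerability factors.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",
    "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection",
)
# OWASP impact factors: technical impact, then business impact.
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage", "non_compliance", "privacy_violation",
)

# OWASP overall-severity matrix, indexed by (impact band, likelihood band).
SEVERITY_MATRIX = {
    ("HIGH", "LOW"): "Medium",  ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low",   ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note",     ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
}

# Remediation deadlines from the policy, in days after identification.
# "Note" is an OWASP outcome the policy does not name; treating it like
# Low (30 days) is an assumption of this example.
DEADLINE_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 30, "Note": 30}


def band(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average_factors(names: tuple, scores: dict) -> float:
    """Validate that every factor is present and scored 0-9, then average."""
    missing = [n for n in names if n not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for n in names:
        if not isinstance(scores[n], int) or not 0 <= scores[n] <= 9:
            raise ValueError(f"factor {n!r} must be an integer 0-9, got {scores[n]!r}")
    return sum(scores[n] for n in names) / len(names)


@dataclass(frozen=True)
class Rating:
    likelihood_score: float
    likelihood: str
    impact_score: float
    impact: str
    severity: str
    due: date


def rate(likelihood_scores: dict, impact_scores: dict, identified: date) -> Rating:
    """Produce the risk rating and remediation deadline the procedure asks for."""
    l_score = average_factors(LIKELIHOOD_FACTORS, likelihood_scores)
    i_score = average_factors(IMPACT_FACTORS, impact_scores)
    l_band, i_band = band(l_score), band(i_score)
    severity = SEVERITY_MATRIX[(i_band, l_band)]
    due = identified + timedelta(days=DEADLINE_DAYS[severity])
    return Rating(l_score, l_band, i_score, i_band, severity, due)


# Constructed sample: an internet-facing service missing a vendor patch for a
# publicly known flaw with an automated exploit available.  Scores are
# illustrative and not taken from any real finding.
SAMPLE_IDENTIFIED = date(2024, 1, 10)
SAMPLE_LIKELIHOOD = {
    "skill_level": 6, "motive": 9, "opportunity": 9, "size": 9,
    "ease_of_discovery": 9, "ease_of_exploit": 9, "awareness": 9,
    "intrusion_detection": 8,
}
SAMPLE_IMPACT = {
    "loss_of_confidentiality": 7, "loss_of_integrity": 7,
    "loss_of_availability": 7, "loss_of_accountability": 7,
    "financial_damage": 7, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    r = rate(SAMPLE_LIKELIHOOD, SAMPLE_IMPACT, SAMPLE_IDENTIFIED)
    print(f"Likelihood {r.likelihood_score:.2f} ({r.likelihood}), "
          f"Impact {r.impact_score:.2f} ({r.impact}) -> {r.severity}, "
          f"remediate by {r.due.isoformat()}")
```

The policy's third criterion, compensating controls, has no separate OWASP factor; in this model it is expressed through the likelihood scores (for example, a lower ease_of_exploit or a higher intrusion_detection score when a WAF rule or monitored control is already in place), which is why the analysis step records existing controls before the rating is computed.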
Patch Management Policy
Effective patch management and timely system updates help protect the confidentiality, integrity, and availability of systems against newly published exploits, vulnerabilities, and other security threats.
All necessary system patches and system updates to Screendesk's underlying infrastructure are obtained from the software vendor and/or other trusted third parties through the following channels:
Vendor websites and email alerts
Vendor mailing lists, newsletters, and additional support channels for patches and security
Third-party websites and email alerts
Third-party mailing lists
Approved online forums and discussion panels
All necessary system patches and system updates to Screendesk's underlying infrastructure are obtained and deployed at least monthly. The specific timeline for applying patches depends on the severity level of the vulnerability for each system component. Screendesk uses the following timelines for patch management based on severity level:
Critical: Immediately, and no later than 7 days after identification
High: Within 14 days of identification
Medium and Low: Within 30 days of identification
Patches fixing highly critical or zero-day vulnerabilities are escalated and applied as soon as possible. The CTO considers the following factors to determine when to apply the patch:
The relative importance of the vulnerable systems
The relative severity of each vulnerability
The operational risks of patching without first testing
Whether there is a viable option to mitigate the vulnerability through an alternative method, at least until patches are fully deployed and operational
Antivirus Protection Policy
Screendesk has antivirus (AV) solutions to detect malicious code and malware. AV is deployed on all applicable system components in its underlying infrastructure.
The AV meets the following criteria:
The most current version available from the vendor
Enabled for automatic updates
Configured for conducting periodic scans at least monthly
Capable of removing all known types of malicious software
All AV solutions generate logs that are used for monitoring and for alerting IT personnel about infected machines. Because comprehensive malware defense is not limited to AV, additional tools are employed as necessary to address the associated threats that AV alone does not cover.