Vulnerability Management

Vulnerability Management Policy

Screendesk's vulnerability management program ensures the confidentiality, integrity, and availability (CIA) of the organization's information systems landscape, which includes all critical system resources.

The Screendesk vulnerability management program addresses vulnerabilities and threats through remediation and control implementation. These terms are defined as follows:

  • Vulnerabilities: Software flaws or misconfigurations that may weaken the security of an organization's system

  • Threats: Capabilities or methods of attack developed by malicious entities to exploit vulnerabilities and harm a computer system or network. Potential threats also include insider threats

  • Remediation: Means of addressing or resolving vulnerabilities and threats

  • Control implementation: The use of defined scanning and testing procedures to identify, communicate, and address vulnerabilities and threats

Chief components of the program include the following:

Configuration Standards

Screendesk establishes a secure baseline by provisioning, hardening, and locking down all critical system resources, and maintains that baseline through continuous monitoring and timely security patching.

Network Architecture

Screendesk designs a secure network architecture with appropriate segmentation to limit the exposure and reach of vulnerabilities.

Network Scanning and Monitoring

Screendesk follows internal and external vulnerability scanning procedures and conducts network layer and application layer penetration tests to manage vulnerabilities.

Vulnerabilities will be categorized by severity based on the following criteria:

  • Impact: The possible disruption to systems and business operations

  • Likelihood: The ease with which a vulnerability may be exploited

  • Compensating controls: The availability of network- or host-based methods of mitigation

The classification and prioritization of vulnerabilities are based on the Open Web Application Security Project (OWASP) Risk Rating Methodology. Separate Impact and Likelihood scores are assigned to the identified vulnerability. The combined scores result in an overall severity score for the vulnerability, indicating its prioritization for remediation.

Network Segmentation

Screendesk segments its network to prevent direct or unauthorized connections between an external network and its information systems – and in particular between an external network and Confidential data in cloud environments. Segmentation is established through the following means:

  • Demilitarized zones (DMZ) that logically separate Screendesk's systems and data from untrusted external networks

  • Security tools that isolate subnetworks and security groups (e.g., customer environments) and prohibit connection except through monitored interfaces

Vulnerability Scanning

Screendesk performs internal and/or external vulnerability scans to test in-scope systems at least quarterly. These reports are shared with the CTO.

Vulnerability Remediation Procedure

Once an employee has identified a critical or zero-day vulnerability, they report the vulnerability immediately to the CTO, who is responsible for carrying out this procedure for each identified vulnerability.

  1. Develop a vulnerability analysis. Document the following details about the vulnerability:

    • Description/Nature of the vulnerability

    • System(s) impacted

    • Risk rating based on the potential impact, the likelihood of exploitation, and any existing controls that may reduce the risk

    • Any suggested controls that may be implemented to address the vulnerability

  2. Determine the remediation timeline based on the risk rating:

    • Critical: Immediately to 7 days from identification

    • High: Within 14 days of identification

    • Medium and Low: Within 30 days of identification
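The risk rating described above (separate Likelihood and Impact scores combined into an overall severity, then mapped to the remediation timelines in step 2) can be made mechanical. The following is an added example, not Screendesk's own tooling: the factor names, the 0-9 scoring bands and the severity matrix come from the public OWASP Risk Rating Methodology, the day counts come from this policy, and the sample finding is constructed. The policy assigns no timeline to the OWASP "NOTE" level, so the example assumes it carries no mandated deadline.

```python
"""OWASP-style severity rating plus the policy's remediation deadline (added example)."""
from datetime import date, timedelta
from typing import Optional

# Likelihood factors (threat agent + vulnerability factors), each scored 0-9,
# as named in the public OWASP Risk Rating Methodology.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",          # threat agent factors
    "ease_of_discovery", "ease_of_exploit", "awareness",     # vulnerability factors
    "intrusion_detection",
)
# Technical impact factors, each scored 0-9 (OWASP).
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",
    "loss_of_availability", "loss_of_accountability",
)

# OWASP overall severity: (likelihood level, impact level) -> severity.
SEVERITY_MATRIX = {
    ("LOW", "LOW"): "NOTE",      ("MEDIUM", "LOW"): "LOW",       ("HIGH", "LOW"): "MEDIUM",
    ("LOW", "MEDIUM"): "LOW",    ("MEDIUM", "MEDIUM"): "MEDIUM", ("HIGH", "MEDIUM"): "HIGH",
    ("LOW", "HIGH"): "MEDIUM",   ("MEDIUM", "HIGH"): "HIGH",     ("HIGH", "HIGH"): "CRITICAL",
}

# Remediation windows from the policy: Critical 7 days, High 14, Medium/Low 30.
# "NOTE" is not covered by the policy; assumed here to carry no mandated deadline.
REMEDIATION_DAYS = {"CRITICAL": 7, "HIGH": 14, "MEDIUM": 30, "LOW": 30, "NOTE": None}


def average_score(scores: dict, factors: tuple) -> float:
    """Average the named 0-9 factors; reject missing or out-of-range values."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factor scores: {missing}")
    for f in factors:
        v = scores[f]
        if not isinstance(v, int) or not 0 <= v <= 9:
            raise ValueError(f"factor {f} must be an integer 0-9, got {v!r}")
    return sum(scores[f] for f in factors) / len(factors)


def level(score: float) -> str:
    """OWASP bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate_vulnerability(likelihood_scores: dict, impact_scores: dict) -> dict:
    """Return the likelihood and impact averages and the overall severity."""
    likelihood = average_score(likelihood_scores, LIKELIHOOD_FACTORS)
    impact = average_score(impact_scores, IMPACT_FACTORS)
    severity = SEVERITY_MATRIX[(level(likelihood), level(impact))]
    return {"likelihood": likelihood, "impact": impact, "severity": severity}


def remediation_deadline(severity: str, identified_on: str) -> Optional[str]:
    """Deadline (ISO date) per the policy's timelines, counted from identification."""
    days = REMEDIATION_DAYS[severity]
    if days is None:
        return None
    return (date.fromisoformat(identified_on) + timedelta(days=days)).isoformat()


if __name__ == "__main__":
    # Constructed sample finding: a remotely exploitable flaw on an internet-facing
    # host with weak detection coverage (illustrative scores, not a real finding).
    likelihood = dict(skill_level=3, motive=9, opportunity=9, size=9,
                      ease_of_discovery=7, ease_of_exploit=9, awareness=9,
                      intrusion_detection=8)
    impact = dict(loss_of_confidentiality=9, loss_of_integrity=7,
                  loss_of_availability=5, loss_of_accountability=7)
    rating = rate_vulnerability(likelihood, impact)
    print(rating, "due:", remediation_deadline(rating["severity"], "2024-01-15"))
```

The averages are deliberately kept unrounded so the band thresholds (3 and 6) are applied to the exact value; the validation in average_score rejects a partially filled analysis rather than silently rating it on the factors that happen to be present.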

Patch Management Policy

Effective patch management and timely system updates help protect the confidentiality, integrity, and availability of systems against new exploits, vulnerabilities, and other security threats.

All necessary system patches and system updates to Screendesk's underlying infrastructure are obtained from the software vendor and/or other trusted third parties:

  • Vendor websites and email alerts

  • Vendor mailing lists, newsletters, and additional support channels for patches and security

  • Third-party websites and email alerts

  • Third-party mailing lists

  • Approved online forums and discussion panels

All necessary system patches and system updates to Screendesk's underlying infrastructure are obtained and deployed at least monthly. The specific timeline for applying patches depends on the severity level of the vulnerability for each system component. Screendesk uses the following timelines for patch management based on severity level:

  • Critical: Immediately to 7 days from identification

  • High: Within 14 days of identification

  • Medium and Low: Within 30 days of identification

Patches fixing highly critical or zero-day vulnerabilities are escalated and applied as soon as possible. The CTO considers the following factors to determine when to apply the patch:

  • The relative importance of the vulnerable systems

  • The relative severity of each vulnerability

  • The operational risks of patching without first testing

  • Whether there is a viable option to mitigate the vulnerability through an alternative method, at least until patches are fully deployed and operational

Antivirus Protection Policy

Screendesk has antivirus (AV) solutions to detect malicious code and malware. AV is deployed on all applicable system components in its underlying infrastructure.

The AV meets the following criteria:

  • The most current version available from the vendor

  • Enabled for automatic updates

  • Configured for conducting periodic scans at least monthly

  • Capable of removing all known types of malicious software

All AV solutions will generate logs for monitoring and alerting IT personnel about infected machines. Because strong and comprehensive malware measures are not just limited to the use of AV, additional tools are to be employed as necessary for eliminating all other associated threats.
