Answer yes if you have processes in place that enable effective triage of vulnerabilities and feed the necessary remediations into the appropriate workflows, for example development, IT change management or ad-hoc improvement programmes. This should cover all vulnerabilities identified through scanning, penetration tests, or other inputs such as external alert feeds or internal employee reporting. It should also include communication of vulnerabilities to key stakeholders (including relevant clients) where temporary compensating controls may be required. Please give details of your process(es) in the notes section.
All organisations will need to address vulnerabilities from time to time. In larger organisations, managing vulnerabilities will be a continual process.
Vulnerabilities can be identified through scanning, penetration testing, vulnerability alert services or many other methods. When a vulnerability is identified, it is important that the risk it poses to your organisation is properly assessed so that any remediation or mitigation activity can be prioritised accordingly.
It is important that any remediation activities are prioritised in the context of your organisation, your risk appetite and the other activities taking place. Whether, when and how you decide to remediate a vulnerability will depend on:
For example, if a vulnerability is identified in a system for which a new release is already scheduled, you may wish to include the remediation in that release rather than pushing through an unplanned change. When and how to deploy fixes should be decided on the basis of the severity of the vulnerability, the risk it poses to your organisation, and whether there are compensating controls you can put in place to mitigate the risk in the interim. For some vulnerabilities it will be important to remediate as soon as possible through emergency change processes, regardless of the release schedule.
As far as possible, fixes for security vulnerabilities should be fed into existing IT or development workflows rather than being handled as stand-alone changes.
If you are a very small organisation, vulnerabilities can be addressed as and when they are identified. If you are a large organisation with a complex IT estate, you may choose to implement a central vulnerability management system with associated processes. In either case, it is very important that security vulnerability management processes are embedded within the operational IT or development teams and are not stand-alone.
The NCSC have written a detailed guide on what to consider when assessing and prioritising vulnerabilities, which can be found here.
Please do not submit your answer on the knowledge base.