Skip to main content
DraftIndicative placeholder for the section owner — amend, replace, or confirm as the first definitive version.

Doc owner: TBD

Vulnerability Management Policy

Seeded from legacy Allied Information Security Policy (supported software check, OS/firmware monitoring, patch communication). Content carried over for review. Vulnerability scanning, dependency monitoring, severity-based SLAs, and exception handling are not covered in the legacy doc and need drafting.

Purpose

To identify, assess, and remediate technical vulnerabilities in Allied systems before they can be exploited.

Scope

Applies to all Allied digital systems, services, and code.

Roles and responsibilities

RoleResponsibility
Security OfficerVerifies that installed software packages used on Allied devices remain supported (review quarterly). Actively monitors OS/firmware updates for security alerts. Communicates details on required software updates and security patches via the #software-updates Slack channel.
System ownersTriage and remediate findings on their systems

Supported software

All software must be supported by the supplier. Unsupported legacy software must be uninstalled. The security officer reviews installed software quarterly to confirm continued support.

Update monitoring and communication

  • The security officer actively monitors OS/firmware updates for security alerts.
  • Required software updates and security patches are communicated via the #software-updates Slack channel.
  • Users must monitor apps and services for security alerts where they are the business-lead and disseminate this information as soon as is reasonably practical and always within 14 days.

Update installation

  • All operating systems, firmware and applications must be kept up to date. Automatic updating must be enabled wherever possible.
  • Users must manually check software updates at least once a fortnight.
  • Updates requiring user action must be installed within 14 calendar days of their release date (note: this may be less than 14 calendar days from user notification if a device has not been online for a few days).

Policy statements

TBD — gap analysis to add: vulnerability scanning of cloud and code, dependency monitoring (SCA), severity-based remediation SLAs (e.g. critical 7d / high 30d), penetration testing cadence, exception handling, reporting to leadership.