Doc owner: TBD
Vulnerability Management Policy
Seeded from legacy Allied Information Security Policy (supported software check, OS/firmware monitoring, patch communication). Content carried over for review. Vulnerability scanning, dependency monitoring, severity-based SLAs, and exception handling are not covered in the legacy doc and need drafting.
Purpose
To identify, assess, and remediate technical vulnerabilities in Allied systems before they can be exploited.
Scope
Applies to all Allied digital systems, services, and code.
Roles and responsibilities
| Role | Responsibility |
|---|---|
| Security Officer | Verifies that installed software packages used on Allied devices remain supported (review quarterly). Actively monitors OS/firmware updates for security alerts. Communicates details on required software updates and security patches via the #software-updates Slack channel. |
| System owners | Triage and remediate findings on their systems |
Supported software
All software must be supported by the supplier. Unsupported legacy software must be uninstalled. The security officer reviews installed software quarterly to confirm continued support.
Update monitoring and communication
- The security officer actively monitors OS/firmware updates for security alerts.
- Required software updates and security patches are communicated via the
#software-updatesSlack channel. - Users must monitor apps and services for security alerts where they are the business-lead and disseminate this information as soon as is reasonably practical and always within 14 days.
Update installation
- All operating systems, firmware and applications must be kept up to date. Automatic updating must be enabled wherever possible.
- Users must manually check software updates at least once a fortnight.
- Updates requiring user action must be installed within 14 calendar days of their release date (note: this may be less than 14 calendar days from user notification if a device has not been online for a few days).
Policy statements
TBD — gap analysis to add: vulnerability scanning of cloud and code, dependency monitoring (SCA), severity-based remediation SLAs (e.g. critical 7d / high 30d), penetration testing cadence, exception handling, reporting to leadership.
Related
- POL-DIG-009 Change Management Policy
- POL-DIG-013 System and Information Integrity Policy
- ISO 27001:2022 Annex A.8.8