
Procedure for Vulnerability Management
Last updated: January 20, 2023

Introduction

  • The Zora Communications Disaster Recovery Policy outlines the guidelines, procedures and workarounds to follow in case of a disaster such as power supply or telecommunications failures, social unrest, terrorist attacks, fire, or natural disasters.

Scope

  • Vulnerability Management is the recurring process of identifying, classifying, prioritizing, mitigating, and remediating security vulnerabilities. This policy focuses on software and system vulnerabilities and the operational vulnerability management process. The process is designed to promote healthy vulnerability and patch management practices and other preventive best practices.
  • Zora Communications uses various vulnerability monitoring and scanning systems to discover new threats continuously. This policy outlines how we monitor for new vulnerabilities and how such vulnerabilities are addressed.

Monitoring for Vulnerabilities

  • Zora Communications performs internal vulnerability scans and package monitoring on a continuous basis.
  • Zora Communications also performs external vulnerability scans and penetration tests periodically.

Reporting

  • The Information Security Officer is responsible for recording detected vulnerabilities, and the package updates they require, in the appropriate vulnerability management system, where they can be tracked to resolution.

Remediating Vulnerabilities

  • Remediation is the part of the process in which a reported vulnerability is fixed. The engineering staff is responsible for remediating any reported vulnerabilities. The remediation process should be tracked in the vulnerability management system. SLAs are in place to help prioritize vulnerabilities based on severity.

Remediation SLAs

  • Each vulnerability is assigned a severity based on factors such as scope and impact. This severity label is used to derive the remediation SLA.

Remediation Outcomes

  • The engineering team addresses the reported vulnerabilities and tracks them to resolution. Resolution statuses can include (but are not limited to) the following:
    1. Fixed: The reported vulnerability has been fixed via a patch or system changes.
    2. Inaccurate/Incorrect/False positive: The reported vulnerability has been thoroughly investigated and found to be invalid.
    3. Vulnerable section unused: The reported vulnerability affects parts of the codebase or system that are not in use, and consequently the vulnerability is no longer a threat.
    4. Acceptable risk: The reported vulnerability has been analysed and deemed not to pose any debilitating risk to the system. This is a rare-case scenario and should only occur when there are extenuating circumstances or extremely high remediation costs.

Non-compliance

  • Zoracom staff who violate this policy may face repercussions in proportion to the impact of their violation. Zoracom management will determine how serious a staff member's offense is and decide the appropriate penalty. Penalties may include:
    1. Reprimand
    2. Demotion
    3. Detraction of benefits for a definite or indefinite time
    4. Suspension or termination for more serious offenses