Fix from Angela comments
pritchyspritch committed Dec 19, 2024
1 parent 3115db5 commit 5aae05a
Showing 1 changed file with 16 additions and 12 deletions.
28 changes: 16 additions & 12 deletions docs/policies/vulnerability_management_policy.md
Expand Up @@ -38,14 +38,18 @@ The digital service teams and portfolios are responsible for ensuring they mitig

### Responsibile Accountable Consulted Informed (RACI) matrix

| Tasks | Developers/DevOps | Service Owners | Vulnerability Management team |
| ----------------------------------- | ----------------- | -------------- | ------- |
| Patching Azure servers | R | A | C |
| Patching software dependencies | R | A | C |
| Patching container images | R | A | C |
| Fixing SAST vulnerabilities | R | A | C |
| Fixing DAST vulnerabilities | R | A | C |
| Fixing VDP reported vulnerabilities | R | A | I |
| Tasks | CISO | SROs | Developers/DevOps | Vulnerability Management team |
| ----------------------------------- | ------| ----- | ----------------- | ----------------------------- |
| Patching Azure servers | A | A | R | C |
| Patching software dependencies | A | A | R | C |
| Patching container images | A | A | R | C |
| Fixing SAST vulnerabilities | A | A | R | C |
| Fixing DAST vulnerabilities | A | A | R | C |
| Fixing VDP reported vulnerabilities | A | A | R | I |
| Risk management and appetite | A | R | C | C |
| Prioritisation of remediation | A | R | C | C |
| Monitoring for vulnerabilities | A | A | R | R |
| Organisation penetration tests | A | R/A | C | I |

## Other responsible owners

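Review bot: the new RACI rows give an "A" to both CISO and SROs on every task, and "R/A" to SROs on "Organisation penetration tests", so no task has a single accountable owner; a RACI normally assigns exactly one A per task, so either pick one accountable role per row (for example CISO A with SROs C or R) or add a sentence under the table stating that shared accountability is intentional and how disputes are resolved. While this section is being edited, the unchanged heading "### Responsibile Accountable Consulted Informed (RACI) matrix" should read "Responsible".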
Expand Down Expand Up @@ -235,9 +239,9 @@ The vulnerability management team:

### Revision table

| Date of change | Author | Review Date | Version |
| -------------- | ------------------ | -------------------- | ------- |
| YYYY-MM-DD | FULL_NAME | YYYY-MM-DD (+1 year) | v0.1 |
| Date of change | Author | Review Date | Version |
| -------------- | ----------------- | ----------- | ------- |
| 2024-12-19 | Samuel Pritchard | 2025-12-19 | v0.1 |


### Approved by
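Review bot: the replacement row records v0.1 as changed on 2024-12-19 with a review date of 2025-12-19, which drops the "(+1 year)" hint from the header; that is fine for a filled-in row, but the two consecutive blank lines before "### Approved by" should be collapsed to one, as most markdown linters flag runs of blank lines.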
Expand All @@ -246,6 +250,7 @@ The vulnerability management team:
| --------------- | --------- | ---------- | ------- |
| FULL_NAME | TITLE | YYYY-MM-DD | v0.1 |


### Policy updates and decision record
| Decision | Reason for decision | Author (Job title) | Date |
| -------- | ------------------- | ------ | ---- |
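Review bot: the added blank line produces two consecutive blank lines before "### Policy updates and decision record" while the heading itself still has no blank line between it and the "| Decision |" table; move the blank line to after the heading so the heading is surrounded by single blank lines. Separately, the "Approved by" table still holds the FULL_NAME / TITLE / YYYY-MM-DD placeholders for v0.1, even though the revision table now records v0.1 as changed on 2024-12-19; either fill in the approver or mark v0.1 as a draft pending approval so the two tables agree.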
Expand All @@ -259,7 +264,6 @@ The vulnerability management team:
| Mitigation | A fix that can be put in place (often quickly) to prevent a vulnerable component from being compromised. To make less severe and reduce the risk to DfE. |
| Remediation | The complete fix that will ensure an issue has been completely resolved. Provide a remedy for the vulnerability. |

# Appendix B: Centre for Internet Security (CIS) safeguards mapping



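Review bot: after removing one line, the "# Appendix B: Centre for Internet Security (CIS) safeguards mapping" heading is still followed only by blank lines in the visible context with no mapping content beneath it; if the mapping is still to be written, add a short placeholder sentence saying so, and reduce the trailing blank lines to one so the file ends cleanly.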