Merge pull request #26 from DFE-Digital/193883-vm-policy-changes

Fix from Angela comments

docs/policies/threat_modelling_policy.md

@@ -111,20 +111,21 @@ The following must be considered when using collecting, analysing and sharing th
 ## Related policies
 The following polices are associated with this policy and should also be read as they directly interact or support the policy:
 
-- [Vulnerability Management Policy](vulnerability_management_policy.md)
-- Incident Management Policy
-- Security Monitoring Policy
-- Asset Management Policy (TBC)
-- Risk Management Policy (TBC)
-- Supplier Management Policy (TBC)
+- [Vulnerability management policy](vulnerability_management_policy.md)
+- [Threat intelligence policy](threat_intelligence_policy.md)
+- Incident management policy
+- Security monitoring policy
+- Asset management policy (TBC)
+- Risk management policy (TBC)
+- Supplier management policy (TBC)
 
 ## Revision history
 
 ### Revision table
 
-| Date of change | Author             | Review Date          | Version |
-| -------------- | ------------------ | -------------------- | ------- |
-| YYYY-MM-DD     | FULL_NAME          | YYYY-MM-DD (+1 year) | v0.1    |
+| Date of change | Author             | Review Date | Version |
+| -------------- | ------------------ | ----------- | ------- |
+| 2024-12-20     | Simon Bishop       | 2025-12-20  | v0.1    |
 
 
 ### Approved by

docs/policies/vulnerability_management_policy.md

@@ -36,16 +36,20 @@ This policy is applicable to all DfE employees that produce, maintain or are res
 ## Responsibility
 The digital service teams and portfolios are responsible for ensuring they mitigate vulnerabilities within their software and infrastructure.
 
-### Responsibile Accountable Consulted Informed (RACI) matrix
-
-| Tasks                               | Developers/DevOps | Service Owners | Vulnerability Management team |
-| ----------------------------------- | ----------------- | -------------- | ------- |
-| Patching Azure servers              | R                 | A              | C       |
-| Patching software dependencies      | R                 | A              | C       |
-| Patching container images           | R                 | A              | C       |
-| Fixing SAST vulnerabilities         | R                 | A              | C       |
-| Fixing DAST vulnerabilities         | R                 | A              | C       |
-| Fixing VDP reported vulnerabilities | R                 | A              | I       |
+### Responsible Accountable Consulted Informed (RACI) matrix
+
+| Role<br><br>Activity                | CISO  | SROs  | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects |
+| ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- |
+| Patching Azure servers              | A     | A     | R                 | C                             | I                             | C          |
+| Patching software dependencies      | A     | A     | R                 | C                             | I                             | C          |
+| Patching container images           | A     | A     | R                 | C                             | I                             | C          |
+| Fixing SAST vulnerabilities         | A     | A     | R                 | C                             | I                             | C          |
+| Fixing DAST vulnerabilities         | A     | A     | R                 | C                             | I                             | C          |
+| Fixing VDP reported vulnerabilities | A     | A     | R                 | I                             | I                             | C          |
+| Risk management and appetite        | A     | R     | C                 | C                             | I                             | C          |
+| Prioritisation of remediation       | A     | R     | C                 | C                             | I                             | C          |
+| Monitoring for vulnerabilities      | A     | A     | R                 | R                             | I                             | C          |
+| Organisation penetration tests      | A     | A     | C                 | I                             | I                             | C          |
 
 ## Other responsible owners
 
@@ -231,13 +235,13 @@ The vulnerability management team:
 * must triage vulnerabilities from the vulnerability disclosure programme to development teams that ensures the teams can fix vulnerabilities within SLAs
 
 
-## Revision history
+## Revision history and decision records
 
 ### Revision table
 
-| Date of change | Author             | Review Date          | Version |
-| -------------- | ------------------ | -------------------- | ------- |
-| YYYY-MM-DD     | FULL_NAME          | YYYY-MM-DD (+1 year) | v0.1    |
+| Date of change | Author            | Review Date | Version |
+| -------------- | ----------------- | ----------- | ------- |
+| 2024-12-19     | Samuel Pritchard  | 2025-12-19  | v0.1    |
 
 
 ### Approved by
@@ -246,6 +250,7 @@ The vulnerability management team:
 | --------------- | --------- | ---------- | ------- |
 | FULL_NAME       | TITLE     | YYYY-MM-DD | v0.1    |        
 
+
 ### Policy updates and decision record
 | Decision | Reason for decision | Author (Job title) | Date |
 | -------- | ------------------- | ------ | ---- |
@@ -259,7 +264,6 @@ The vulnerability management team:
 | Mitigation              | A fix that can be put in place (often quickly) to prevent a vulnerable component from being compromised. To make less severe and reduce the risk to DfE. |
 | Remediation             | The complete fix that will ensure an issue has been completely resolved. Provide a remedy for the vulnerability. |
 
-# Appendix B: Centre for Internet Security (CIS) safeguards mapping