From 5aae05af410249ab7aba212086641682bca86349 Mon Sep 17 00:00:00 2001 From: pritchyspritch <47423802+pritchyspritch@users.noreply.github.com> Date: Thu, 19 Dec 2024 16:34:33 +0000 Subject: [PATCH 1/4] Fix from Angela comments --- .../vulnerability_management_policy.md | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md index 88a857b..df82ff3 100644 --- a/docs/policies/vulnerability_management_policy.md +++ b/docs/policies/vulnerability_management_policy.md @@ -38,14 +38,18 @@ The digital service teams and portfolios are responsible for ensuring they mitig ### Responsibile Accountable Consulted Informed (RACI) matrix -| Tasks | Developers/DevOps | Service Owners | Vulnerability Management team | -| ----------------------------------- | ----------------- | -------------- | ------- | -| Patching Azure servers | R | A | C | -| Patching software dependencies | R | A | C | -| Patching container images | R | A | C | -| Fixing SAST vulnerabilities | R | A | C | -| Fixing DAST vulnerabilities | R | A | C | -| Fixing VDP reported vulnerabilities | R | A | I | +| Tasks | CISO | SROs | Developers/DevOps | Vulnerability Management team | +| ----------------------------------- | ------| ----- | ----------------- | ----------------------------- | +| Patching Azure servers | A | A | R | C | +| Patching software dependencies | A | A | R | C | +| Patching container images | A | A | R | C | +| Fixing SAST vulnerabilities | A | A | R | C | +| Fixing DAST vulnerabilities | A | A | R | C | +| Fixing VDP reported vulnerabilities | A | A | R | I | +| Risk management and appetite | A | R | C | C | +| Prioritisation of remediation | A | R | C | C | +| Monitoring for vulnerabilities | A | A | R | R | +| Organisation penetration tests | A | R/A | C | I | ## Other responsible owners 
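Review bot: Every task row in the new RACI table carries two As (CISO and SROs), but a RACI row should name exactly one accountable role; either pick one or state in the surrounding prose how accountability is split between CISO and SROs, otherwise the matrix does not tell a reader who signs off. The "Organisation penetration tests" row uses "R/A" for SROs while every other cell is a single letter, so that cell should be either "R" or "A". The heading above the table still reads "Responsibile" (fixed later in patch 4, but it could be folded in here).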
@@ -235,9 +239,9 @@ The vulnerability management team: ### Revision table -| Date of change | Author | Review Date | Version | -| -------------- | ------------------ | -------------------- | ------- | -| YYYY-MM-DD | FULL_NAME | YYYY-MM-DD (+1 year) | v0.1 | +| Date of change | Author | Review Date | Version | +| -------------- | ----------------- | ----------- | ------- | +| 2024-12-19 | Samuel Pritchard | 2025-12-19 | v0.1 | ### Approved by @@ -246,6 +250,7 @@ The vulnerability management team: | --------------- | --------- | ---------- | ------- | | FULL_NAME | TITLE | YYYY-MM-DD | v0.1 | + ### Policy updates and decision record | Decision | Reason for decision | Author (Job title) | Date | | -------- | ------------------- | ------ | ---- | @@ -259,7 +264,6 @@ The vulnerability management team: | Mitigation | A fix that can be put in place (often quickly) to prevent a vulnerable component from being compromised. To make less severe and reduce the risk to DfE. | | Remediation | The complete fix that will ensure an issue has been completely resolved. Provide a remedy for the vulnerability. | -# Appendix B: Centre for Internet Security (CIS) safeguards mapping From d11589595e967fd3e40466388357404412006b4b Mon Sep 17 00:00:00 2001 From: pritchyspritch <47423802+pritchyspritch@users.noreply.github.com> Date: Fri, 20 Dec 2024 11:38:07 +0000 Subject: [PATCH 2/4] Adjust RACI --- .../vulnerability_management_policy.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md index df82ff3..f424036 100644 --- a/docs/policies/vulnerability_management_policy.md +++ b/docs/policies/vulnerability_management_policy.md 
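Review bot: The last hunk removes the "# Appendix B: Centre for Internet Security (CIS) safeguards mapping" heading without removing any body lines, so anything that followed it now sits under the glossary rows above; confirm the appendix was an empty placeholder and that nothing in the policy body still refers readers to an Appendix B or to CIS safeguards. In the revision table the author and review date are filled in for v0.1, but the "Approved by" row directly below keeps the "FULL_NAME | TITLE | YYYY-MM-DD" placeholders, so either fill those in or mark v0.1 as an unapproved draft.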
@@ -38,18 +38,18 @@ The digital service teams and portfolios are responsible for ensuring they mitig ### Responsibile Accountable Consulted Informed (RACI) matrix -| Tasks | CISO | SROs | Developers/DevOps | Vulnerability Management team | -| ----------------------------------- | ------| ----- | ----------------- | ----------------------------- | -| Patching Azure servers | A | A | R | C | -| Patching software dependencies | A | A | R | C | -| Patching container images | A | A | R | C | -| Fixing SAST vulnerabilities | A | A | R | C | -| Fixing DAST vulnerabilities | A | A | R | C | -| Fixing VDP reported vulnerabilities | A | A | R | I | -| Risk management and appetite | A | R | C | C | -| Prioritisation of remediation | A | R | C | C | -| Monitoring for vulnerabilities | A | A | R | R | -| Organisation penetration tests | A | R/A | C | I | +| Tasks | CISO | SROs | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects | +| ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- | +| Patching Azure servers | A | A | R | C | I | C | +| Patching software dependencies | A | A | R | C | I | C | +| Patching container images | A | A | R | C | I | C | +| Fixing SAST vulnerabilities | A | A | R | C | I | C | +| Fixing DAST vulnerabilities | A | A | R | C | I | C | +| Fixing VDP reported vulnerabilities | A | A | R | I | I | C | +| Risk management and appetite | A | R | C | C | I | C | +| Prioritisation of remediation | A | R | C | C | I | C | +| Monitoring for vulnerabilities | A | A | R | R | I | C | +| Organisation penetration tests | A | A | C | I | I | C | ## Other responsible owners From 0dff9303b217378bf13e7c0cf000c90e5267393d Mon Sep 17 00:00:00 2001 
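Review bot: After this change the "Organisation penetration tests" row has no R at all (CISO A, SROs A, Developers/DevOps C, Vulnerability management team I, Delivery managers I, Architects C), so no role is responsible for commissioning or running the tests; the previous version at least marked SROs "R/A". Assign an R to one role (the hunk does not say which team runs them). The two-As pattern (CISO and SROs) still applies on every row. Also, "Delivery managers (portfolio)" is I on every row including "Prioritisation of remediation", while the context line at the top of the hunk says portfolios are responsible for mitigating vulnerabilities; C or R fits that sentence better than I.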
From: pritchyspritch <47423802+pritchyspritch@users.noreply.github.com> Date: Fri, 20 Dec 2024 12:16:30 +0000 Subject: [PATCH 3/4] Adjust TI table --- docs/policies/threat_modelling_policy.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/docs/policies/threat_modelling_policy.md b/docs/policies/threat_modelling_policy.md index fead1f0..4b066e8 100644 --- a/docs/policies/threat_modelling_policy.md +++ b/docs/policies/threat_modelling_policy.md @@ -111,20 +111,21 @@ The following must be considered when using collecting, analysing and sharing th ## Related policies The following polices are associated with this policy and should also be read as they directly interact or support the policy: -- [Vulnerability Management Policy](vulnerability_management_policy.md) -- Incident Management Policy -- Security Monitoring Policy -- Asset Management Policy (TBC) -- Risk Management Policy (TBC) -- Supplier Management Policy (TBC) +- [Vulnerability management policy](vulnerability_management_policy.md) +- [Threat intelligence policy](threat_intelligence_policy.md) +- Incident management policy +- Security monitoring policy +- Asset management policy (TBC) +- Risk management policy (TBC) +- Supplier management policy (TBC) ## Revision history ### Revision table -| Date of change | Author | Review Date | Version | -| -------------- | ------------------ | -------------------- | ------- | -| YYYY-MM-DD | FULL_NAME | YYYY-MM-DD (+1 year) | v0.1 | +| Date of change | Author | Review Date | Version | +| -------------- | ------------------ | ----------- | ------- | +| 2024-12-20 | Simon Bishop | 2025-12-20 | v0.1 | ### Approved by From 0e5424e7bc9b7cb77f9040b46913ea29494bcfa8 Mon Sep 17 00:00:00 2001 
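Review bot: The new "[Threat intelligence policy](threat_intelligence_policy.md)" link is relative, like the vulnerability management one, so check that docs/policies/threat_intelligence_policy.md exists (none of the four patches in this series adds it) or the link will be dead on the published page. The revision table names "Simon Bishop" as author while the commit author is pritchyspritch; fine if intended, but worth confirming. While here, the context line above the list reads "The following polices are associated" ("policies"), and the hunk header context reads "when using collecting, analysing" ("when collecting, analysing"); both are one-word fixes in this file.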
From: pritchyspritch <47423802+pritchyspritch@users.noreply.github.com> Date: Mon, 23 Dec 2024 10:20:47 +0000 Subject: [PATCH 4/4] Fix table naming, typo and title --- docs/policies/vulnerability_management_policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/policies/vulnerability_management_policy.md b/docs/policies/vulnerability_management_policy.md index f424036..2f58856 100644 --- a/docs/policies/vulnerability_management_policy.md +++ b/docs/policies/vulnerability_management_policy.md @@ -36,9 +36,9 @@ This policy is applicable to all DfE employees that produce, maintain or are res ## Responsibility The digital service teams and portfolios are responsible for ensuring they mitigate vulnerabilities within their software and infrastructure. -### Responsibile Accountable Consulted Informed (RACI) matrix +### Responsible Accountable Consulted Informed (RACI) matrix -| Tasks | CISO | SROs | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects | +| Role

Activity | CISO | SROs | Developers/DevOps | Vulnerability management team | Delivery managers (portfolio) | Architects | | ----------------------------------- | ----- | ----- | ----------------- | ----------------------------- | ----------------------------- | ---------- | | Patching Azure servers | A | A | R | C | I | C | | Patching software dependencies | A | A | R | C | I | C | @@ -235,7 +235,7 @@ The vulnerability management team: * must triage vulnerabilities from the vulnerability disclosure programme to development teams that ensures the teams can fix vulnerabilities within SLAs -## Revision history +## Revision history and decision records ### Revision table
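Review bot: The renamed header cell appears here as "Role" and "Activity" on separate lines; a Markdown table header cell cannot contain a literal line break, so if that is a newline the header row (and with it the whole table) will stop rendering. If it was an inline HTML "<br>" that the extraction dropped, confirm the site's Markdown renderer allows inline HTML; otherwise "Role / Activity" on one line is the safe form. The "Responsibile" typo fix and the rename to "## Revision history and decision records" look good and match the existing "### Policy updates and decision record" subsection.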