Reference: 01.21-32.49
Version: 1.0
Effective Date: Dec 20, 20189
Revision Date: Jan 23, 2019
Title: Mortgage Planners – Vulnerability Management Policy
DOMAIN: VULNERABILITY MANAGEMENT
DOCUMENT TYPE: SECURITY POLICY
SECTION: SECURITY & COMPLIANCE

Mortgage Planners

1  INTRODUCTION

This document was developed by TCPCOM and defines the vulnerability management requirements applicable to Mortgage Planners.

2 GENERAL INFORMATION

2.1   Revision History

Version | Date       | Summary         | Prepared by       | Reviewed by | Approved by | Approval Date
1.0     | 2018-12-03 | Initial version | Marc-andre Heroux | NA          | NA          | NA

2.2 Related Documents

Type: Security Requirements
Title: Mortgage Planners – Registry of Security Controls

2.3 Information Security Responsibility

Senior management is responsible for the enforcement of the security policy. The security officer is responsible for ensuring the proper definition and implementation of the security policy.

3 SECURITY POLICY OBJECTIVE

3.1 Purpose of the security policy

Identify and fix vulnerabilities in the system to maintain the organization’s security posture at an appropriate level. Manage the justification of unpatched vulnerabilities and adopt compensating measures for them. Plan the handling of vulnerabilities and the corrective fixes.

Hardening is also covered by this policy, because we believe that hardening reduces the attack surface of a system by reducing its vulnerabilities and frustrating an attacker.

3.2 Scope of Security Policy

This policy applies to all employees of Mortgage Planners, service providers and employees of third parties performing work related to the information resources of Mortgage Planners.

3.3 Managing security information

The person responsible for security implementation must ensure that Mortgage Planners defines and implements effective controls to limit access to information, based on processes, mechanisms and solutions that prevent information disclosure and maintain the integrity and availability of information resources.

3.4 Breach of Security Policy

An intentional or unintentional violation of the policies, procedures, standards or security requirements of Mortgage Planners may be subject to disciplinary action and may result in termination of employment or contract and possibly civil/criminal prosecution.

Anyone suspected of a security breach or deviation will be treated fairly, and a full investigation will be conducted to protect their legal rights.

3.5 Exceptions to the policy

Any exception to this security policy must be approved by senior management.

4 VULNERABILITY MANAGEMENT

4.1 Policy Statement

A process, with its supporting documents, activities and tooling, must exist and be applied to manage system vulnerabilities.

When a vulnerability is discovered, additional scans must be performed until the vulnerability no longer appears in a scan, confirming that the correction was successful.

Vulnerability scan requirements:

  • Internal vulnerability scans are performed every six months and following significant changes.
  • External vulnerability scans are performed quarterly and after any significant change to the service infrastructure.

4.2 Security Risks

Failing to fix a vulnerability in a system or solution, or delaying its correction, could have a negative impact on the organization and its activities, operations, sales and image, and could even lead to legal liability.

5 SYSTEM HARDENING

5.1 Policy Statement

A system build process, with its related activities and documentation, must be in place to securely configure the core operating system and ensure the confidentiality, integrity and availability of the system, its information and the services it offers.

The process must identify the required applications and system functions/services, disable or remove those considered weak, and implement security controls that limit the system to only the functions required.

The build process must also include all the steps needed to strengthen or improve the security of a cyber asset, such as implementing access controls and restricting communications.

Hardening the operating system is a basic requirement, because most operating systems, services and applications “ready to use” tend to favour functionality over security.

Clear hardening requirements must be defined and applied.

5.2 Security Risks

Without a build process and the associated activities and documents, such as a hardening guide, a cyber asset could remain exposed to risks for an extended period. It could be exploited by a threat and have a negative impact on the organization and its activities, revenues and image, and could even lead to legal liability.

6 PATCH MANAGEMENT

6.1 Policy Statement

Patch management is an important aspect of standard security. Cyber assets must be managed according to their risk and impact. In some cases, when a cyber asset is isolated and the risk is tolerable, it is appropriate to leave it unchanged, but this must be clearly defined, analyzed and documented. The general rule to follow is to keep systems up to date with the latest patches and security fixes, especially public-facing systems.

For the majority of cyber assets, updating is simply mandatory.

Clear patch management requirements for cyber assets must be defined and applied to reduce the attack vectors/surface and frustrate the threat.

6.2 Security Risks

Without proper patch management requirements defined and applied, a cyber asset could remain vulnerable for a long time, and a threat could exploit it.

If cyber assets are not updated, a threat could exploit a weakness, affect operations and activities, and even lead to legal issues.

7  JUSTIFICATION

7.1   Policy Statement

Any decision not to fix a vulnerability must be justified and approved by senior management, authorized for a specified period, and re-examined before the end of the justification period.

7.2  Security Risks

If there is no formal procedure to justify accepting a vulnerability for a specific duration, a system could remain vulnerable for an extended period without adequate compensating measures and without a vulnerability correction plan.

8 REPORTING SECURITY WEAKNESSES

8.1   Policy Statement

All employees, contractors and third parties of Mortgage Planners are required to immediately report any potential security flaw to the person in charge of IT security at Mortgage Planners. A procedure must be established and communicated so that a security breach can be reported quickly and appropriately.

8.2   Security Risks

Security weaknesses may expose the facilities, infrastructure, information systems and confidential information of Mortgage Planners and increase the risk of unauthorized access or malicious actions from internal and external threats. This could have negative consequences on information resources, operations and business, and result in legal obligations and financial losses.

9 COMPENSATING MEASURES

9.1   Policy Statement

For each justification, a compensating measure must be defined and applied. There may be different types of controls (e.g. procedural, technical, operational or physical controls). A review date should be set to reassess the vulnerability and the feasibility of correcting it.

9.2   Security Risks

Although leaving a vulnerability unfixed can be justified when compensating controls are in place, it is unacceptable to leave a cyber asset uncorrected with no compensating measure and no reviewed remediation plan assessing its feasibility.

If a known vulnerability exists and there are no adequate compensating controls in place, the likelihood that the vulnerability is exploited and causes a negative impact increases significantly.

10 STEERING COMMITTEES AND TEAMS

10.1 Policy Statement

A steering committee for vulnerability management must exist, and vulnerabilities must be managed through it. The committee should be composed of people whose roles allow them to assess vulnerabilities and their risk/potential impact, take a position and provide guidance (IT architect, security management consultant, information security risk analyst, system administrator, etc.).

When correcting a significant vulnerability, the following roles must be involved: change management, the business unit owner, and risk and compliance governance.

10.2 Security Risks

Without a committee made up of people with different skills and appropriate roles, it is very difficult to ensure that the right decisions are taken on vulnerability management and on keeping security in proper condition.