The following is a sample vulnerability assessment policy template that outlines various aspects of vulnerability assessment at a policy level:
<Company Name>
Vulnerability Assessment Policy
|
|
Name
|
Title
|
|
Created By
|
|
|
|
Reviewed By
|
|
|
|
Approved By
|
|
|
Overview
This section is a high-level overview of what vulnerability management is all about.
A vulnerability assessment is a process of identifying and quantifying security vulnerabilities within a given environment. It is an assessment of information security posture, indicating potential weaknesses as well as providing the appropriate mitigation procedures wherever required to either eliminate those weaknesses or reduce them to an acceptable level of risk.
Generally vulnerability assessment follows these steps:
- Create an inventory of assets and resources in a system
- Assign quantifiable value and importance to the resources
- Identify the security vulnerabilities or potential threats to each of the identified resource
- Prioritize and then mitigate or eliminate the most serious vulnerabilities for the most valuable resources
Purpose
This section is to state the purpose and intent of writing the policy.
The purpose of this policy is to provide a standardized approach towards conducting security reviews. The policy also identifies roles and responsibilities during the course of the exercise until the closure of identified vulnerabilities.
Scope
This section defines the scope for which the policy would be applicable; it could include an intranet, extranet, or only a part of an organization's infrastructure.
Vulnerability assessments can be conducted on any asset, product, or service within <Company Name>.
Policy
The team under the authority of the designation would be accountable for the development, implementation, and execution of the vulnerability assessment process.
All the network assets within the company name's network would comprehensively undergo regular or continuous vulnerability assessment scans.
A centralized vulnerability assessment system will be engaged. Usage of any other tools to scan or verify vulnerabilities must be approved, in writing, by the designation.
All the personnel and business units within the company name are expected to cooperate with any vulnerability assessment being performed on systems under their ownership.
All the personnel and business units within the company name are also expected to cooperate with the team in the development and implementation of a remediation plan.
The designation may instruct to engage third-party security companies to perform the vulnerability assessment on critical assets of the company.
Vulnerability assessment process
This section provides a pointer to an external procedure document that details the vulnerability assessment process.
For additional information, go to the vulnerability assessment process.
Exceptions
It’s quite possible that, for some valid justifiable reason, some systems would need to be kept out of the scope of this policy. This section instructs on the process to be followed for getting exceptions from this policy.
Any exceptions to this policy, such as exemption from the vulnerability assessment process, must be approved via the security exception process. Refer to the security exception policy for more details.
Enforcement
This section is to highlight the impact if this policy is violated.
Any company name personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and potential legal action.
Related documents
This section is for providing references to any other related policies, procedures, or guidelines within the organization.
The following documents are referenced by this policy:
- Vulnerability assessment procedure
- Security exception policy
Revision history
| Date |
Revision number |
Revision details |
Revised by |
| MM/DD/YYYY |
Rev #1 |
Description of change |
<Name/Title> |
| MM/DD/YYYY |
Rev #2 |
Description of change |
<Name/Title> |
This section contains details about who created the policy, timestamps, and the revisions.
Glossary
This section contains definitions of all key terms used throughout the policy.
