ImgBot Vulnerability Management Policy

This policy is based on the sample patch management policy published by TechRepublic.

Goal

It is ImgBot's responsibility to provide a secure environment for ImgBot's automated applications, staff, business partners, and contractors. As part of this goal, it is ImgBot's policy to ensure that all computing devices (including servers, desktops, printers, etc.) connected to ImgBot's network have proper anti-virus software installed, current virus definition libraries, and the most recent operating system and security patches applied.

Monitoring

ImgBot staff will monitor security mailing lists, review vendor notifications and Web sites, and research specific public Web sites for the release of new patches. Monitoring will include, but not be limited to, the following:

Review and evaluation

ImgBot staff will review any new patch within 24 hours of receiving the notification. ImgBot staff will categorize the criticality of the patch as one of the following:

Emergency: the vulnerability addressed is an imminent threat to ImgBot users, and the risk of delaying the patch to test it outweighs the risk of deploying it untested.

Critical: the patch addresses a serious vulnerability and will be tested on each affected platform on an expedited schedule before release.

Not Critical: the patch will be tested on each affected platform on the normal schedule before release.

Regardless of platform or criticality, all patch releases will follow a defined process for patch deployment that includes assessing the risk, testing, scheduling, installing, and verifying.

Risk assessment and testing

ImgBot staff will assess the effect of a patch before it is deployed and rate its criticality separately for each affected platform.

If ImgBot staff categorize a patch as an Emergency, the vulnerability it addresses is considered an imminent threat to ImgBot users. ImgBot therefore assumes greater risk by delaying the patch in order to test it than by implementing it immediately. In this case, the ImgBot service will be shut down while the patch is integrated and tested, and the service will be resumed once the patch is in place.

Patches deemed Critical or Not Critical will undergo testing for each affected platform before release for implementation. ImgBot staff will expedite testing for critical patches.

Implementation

ImgBot staff will shut down the service within four hours of categorizing a new patch as an Emergency patch. During this time, ImgBot staff will integrate the patch offline. In all instances, ImgBot staff will perform testing and document it for auditing and tracking purposes.

Critical and Not Critical patches will be released as they are integrated. The ImgBot service will remain running during the integration, testing, and verification phases for these patches.

Any new deployment of ImgBot will follow procedures that ensure the most recent patches available at the time of release are installed.

Auditing, assessment, and verification

Following the release of any patch, ImgBot staff will verify that the patch was installed successfully and that it has caused no adverse effects.

User responsibilities and practices

It is the responsibility of each user — both individually and within the organization — to ensure prudent and responsible use of computing resources.