SaFi Bank Space : Vulnerability Management

Overview

Vulnerability incidents, reports, and gaps should be handled according to their risk rating. Prioritization of remediation or mitigation is based on that rating and should follow the prioritization table below. Each reported concern should have a Jira ticket that tracks the actions taken to address it.

Prioritization Table

| Severity      | Risk Rating  | CVSS Rating                           | Basis                                  |
|---------------|--------------|---------------------------------------|----------------------------------------|
| P1 - Critical | High         | Critical (9.0-10.0)                   | Highly exploitable; remotely executed  |
| P2 - High     | High, Medium | High (7.0-8.9)                        | Highly exploitable; adjacently executed|
| P3 - Medium   | Medium, Low  | Medium (4.0-6.9)                      | Exploitable; locally executed          |
| P4 - Minor    | Medium, Low  | Low (0.1-3.9); Informational (0.0)    | Not exploitable                        |

Management

Each vulnerability should be addressed through the bug management procedures that are aligned with development and testing. Jira filing should follow the standard Jira board for bugs.

Metrics

Each vulnerability should have an estimated time to remediate. This value is used to compute the mean time to mitigate (MTTM) and the mean time to remediate (MTTR). These metrics reflect how quickly the team responds to vulnerabilities found in applications, hosts, or the network. The baseline will be computed every year from these metrics.

Mean time to Mitigate (MTTM) - average time to mitigate a vulnerability

MTTM = ( sum of the time to mitigate each vulnerability ) / ( total number of mitigated vulnerabilities )

e.g. MTTM = ( 2 hrs + 4 hrs + 10 hrs ) / 3 vulnerabilities = 5.333 hrs to mitigate a vulnerability.

Mean time to Remediate (MTTR) - average time to remediate a vulnerability

MTTR = ( sum of the time to remediate each vulnerability ) / ( total number of remediated vulnerabilities )

e.g. MTTR = ( 4.5 hrs + 7 hrs + 3 hrs ) / 3 vulnerabilities = 4.8333 hrs to remediate a vulnerability.
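The following Python is an added worked example, not code from the original page or from SaFi Bank, covering both the prioritization table and the two metric formulas. Ticket keys, CVSS scores, estimates and timestamps are constructed sample data; the `priority_from_cvss` helper applies only the CVSS column of the prioritization table (the exploitability and attack-vector basis is left to the analyst), and the sample durations reproduce the page's two worked examples (16/3 and 14.5/3 hours). It goes beyond the page by also splitting MTTR per severity and flagging open tickets whose estimated time to remediate has elapsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# CVSS bands from the prioritization table, checked highest first so that
# every base score in [0.0, 10.0] lands in exactly one severity.
CVSS_THRESHOLDS = [
    (9.0, "P1 - Critical"),
    (7.0, "P2 - High"),
    (4.0, "P3 - Medium"),
    (0.1, "P4 - Minor"),
]


def priority_from_cvss(score: float) -> str:
    """Map a CVSS base score to the page's P1..P4 severity.
    A 0.0 (Informational) finding is P4, as the table states."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, label in CVSS_THRESHOLDS:
        if score >= floor:
            return label
    return "P4 - Minor"


@dataclass
class VulnTicket:
    """One Jira ticket tracking a reported vulnerability (constructed sample)."""
    key: str
    cvss: float
    reported: datetime
    estimate_hrs: float                      # estimated time to remediate
    mitigated: Optional[datetime] = None     # compensating control in place
    remediated: Optional[datetime] = None    # root-cause fix deployed


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600.0


def mean_time(durations_hrs: List[float]) -> Optional[float]:
    """Page formula: sum of the times / number of items; None if none closed."""
    if not durations_hrs:
        return None
    return sum(durations_hrs) / len(durations_hrs)


def mttm(tickets: List[VulnTicket]) -> Optional[float]:
    """Mean time to mitigate, over tickets that have a mitigation timestamp."""
    return mean_time([hours_between(t.reported, t.mitigated)
                      for t in tickets if t.mitigated is not None])


def mttr(tickets: List[VulnTicket]) -> Optional[float]:
    """Mean time to remediate, over tickets that have a remediation timestamp."""
    return mean_time([hours_between(t.reported, t.remediated)
                      for t in tickets if t.remediated is not None])


def mttr_by_priority(tickets: List[VulnTicket]) -> Dict[str, float]:
    """MTTR per severity, so slow P1 fixes are not masked by quick P4 ones."""
    buckets: Dict[str, List[float]] = {}
    for t in tickets:
        if t.remediated is not None:
            buckets.setdefault(priority_from_cvss(t.cvss), []).append(
                hours_between(t.reported, t.remediated))
    return {p: mean_time(d) for p, d in buckets.items()}


def overdue(tickets: List[VulnTicket], now: datetime) -> List[str]:
    """Keys of open tickets whose estimated time to remediate has elapsed."""
    return [t.key for t in tickets
            if t.remediated is None
            and hours_between(t.reported, now) > t.estimate_hrs]


# Constructed sample data; the durations reproduce the page's two examples.
T0 = datetime(2024, 1, 8, 9, 0)
SAMPLE_TICKETS = [
    VulnTicket("SEC-101", 9.8, T0, 8.0, T0 + timedelta(hours=2), T0 + timedelta(hours=4.5)),
    VulnTicket("SEC-102", 7.5, T0, 24.0, T0 + timedelta(hours=4), T0 + timedelta(hours=7)),
    VulnTicket("SEC-103", 5.3, T0, 72.0, T0 + timedelta(hours=10), None),  # still open
    VulnTicket("SEC-104", 3.1, T0, 168.0, None, T0 + timedelta(hours=3)),  # fixed directly
]
SAMPLE_NOW = T0 + timedelta(hours=80)   # constructed "now" for the overdue check

if __name__ == "__main__":
    print(f"MTTM: {mttm(SAMPLE_TICKETS):.3f} hrs")
    print(f"MTTR: {mttr(SAMPLE_TICKETS):.4f} hrs")
    for p, hrs in sorted(mttr_by_priority(SAMPLE_TICKETS).items()):
        print(f"  {p}: {hrs:.2f} hrs")
    print("overdue:", overdue(SAMPLE_TICKETS, SAMPLE_NOW))
```

Mitigation and remediation are tracked as separate timestamps because a ticket can be mitigated (a compensating control applied) long before it is remediated, or remediated directly with no interim mitigation; each metric only averages over the tickets that actually have that timestamp, which is what the page's "total number of mitigated / remediated vulnerabilities" denominators require.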