Overview
Vulnerability incidents, reports, and gaps should be handled according to their risk rating. Prioritization of remediation or mitigation will be based on that rating and should be aligned with the prioritization table below. Each reported concern should have a Jira ticket to track the actions taken to address the issue.
Prioritization Table
Severity | Risk Rating | CVSS Rating | Basis
---|---|---|---
P1 - Critical | | |
P2 - High | | |
P3 - Medium | | |
P4 - Minor | | |
Management
Each vulnerability should be addressed through the bug management procedures used by development and testing. Jira filing should follow the standard Jira board for bugs.
Metrics
Each vulnerability should have an estimated time to remediate. This estimate will be used to compute the mean time to mitigate (MTTM) and the mean time to remediate (MTTR). These metrics reflect how quickly the organization responds to vulnerabilities found in its applications, hosts, or network. A baseline will be computed every year from these metrics.
Mean time to mitigate (MTTM) - average time taken to mitigate a vulnerability:
MTTM = ( sum of time to mitigate each vulnerability ) / ( total number of mitigated vulnerabilities )
e.g. MTTM = ( 2 hrs + 4 hrs + 10 hrs ) / 3 vulnerabilities = 5.333 hrs to mitigate a vulnerability.
Mean time to remediate (MTTR) - average time taken to remediate a vulnerability:
MTTR = ( sum of time to remediate each vulnerability ) / ( total number of remediated vulnerabilities )
e.g. MTTR = ( 4.5 hrs + 7 hrs + 3 hrs ) / 3 vulnerabilities = 4.8333 hrs to remediate a vulnerability.