Vulnerability Management Policy
Version: 1
V1 – 17/04/2021

Document Control

Version History
Version No: 1.0
Date: 17/04/2021
Remarks: Created

Document Author: Sunder Singh (YouCloud)

Reviewer/s
Date        Name            Position & Location
19/04/2021  Paul Pease      Head of Compliance & Licensing
19/04/2021  Andrew Beitz    CIO/CTO
27/02/2022  Paul Pease      Technology & Compliance
27/02/2022  Andrew Beitz    COO/CTO
27/02/2023  Paul Pease      Technology & Compliance
27/02/2023  Andrew Beitz    COO/CTO

Approver/s
Date        Name              Position & Location
19/04/2021  Stanley Hancock   CEO, Brisbane
27/02/2022  Stanley Hancock   CEO, Brisbane
27/02/2023  Stanley Hancock   CEO, Brisbane

Distribution
Copy No:

Table of Contents
Purpose
Scope
Policy
Responsibilities
Policy Control

Purpose

This document provides a common set of requirements to protect the Touch2Pay IT infrastructure and other information assets from the exploitation of security vulnerabilities.

Scope

This policy applies to all system components running the various software and applications of Touch2Pay Pty Ltd.
Policy

Touch2Pay will act to protect the integrity of its software applications and its other information assets against the introduction of malicious code (malware).

Periodic vulnerability assessments of its information assets, network equipment and applications must be conducted, and all issues found during an assessment will be resolved within the timeframe defined for each item's severity/risk rating.

On a quarterly basis, internal and external security testing of the devices in the cardholder environment is conducted. Scans are repeated until acceptable results are obtained. Vulnerability scans will be executed using services and/or tools listed on the PCI Approved Scanning Vendors list.

Any major change in the IT environment must be followed by a vulnerability assessment and penetration testing of the new setup. The following penetration tests are conducted on an annual basis:
• Network layer penetration tests
• Application layer penetration tests

Penetration tests must be carried out either by a third-party organisation specialising in security testing or by a specialised internal resource. If segmentation is used, penetration testing will be performed on the segmentation controls at least every six months and after any change to segmentation controls or methods.

Wireless network scans are performed on a quarterly basis. The methods used to conduct the wireless scans should be adequate and capable of identifying at least the following:
• WLAN cards inserted into system components
• Portable wireless devices connected to system components (for example, by USB)
• Wireless devices attached to a network port or network device

System file integrity monitoring must be performed on all critical servers in the production environment and on all servers storing cardholder information.

The IT Team must consult well-known sources such as SANS.org, CERT.org and CISecurity.org to identify any other patches or modifications to the systems in use that would make them more reliable and secure.
Identified vulnerabilities in Touch2Pay assets are to be prioritised on a risk basis, i.e. by impact and probability. Touch2Pay must establish the following timeline requirements for reacting to notifications of relevant vulnerabilities:

Severity/Impact   Priority   Response Timeframe
Urgent            5          3 days
Critical          4          1 week
High              3          1 week
Medium            2          1 month

Note: Critical or major risk systems are treated ahead of other systems.

All vulnerabilities that fall into the high impact category must be assessed for seriousness and for the controls required (patching; turning off or removing the services affected by the vulnerability; adapting or adding access controls; increased monitoring; awareness raising). If a vulnerability is both high impact and high probability, the required controls must be applied through the Change Management process or else through the Incident Response Plan.

Available patches must be risk assessed, weighing the risks of installing against the risks of not installing, before the final decision on the necessary controls is made. Patches must be tested before being implemented in the production environment.

Responsibilities

The Information Security team is responsible for monitoring vulnerabilities and vendor releases of patches and fixes.

The IT infrastructure, network and application administrators are responsible for installing operational software updates, patches and fixes on the operational systems.

The Application Owners are responsible for testing operational software updates and new implementations.

The Information Security team will discuss with the IT teams any incidents that have occurred, including the vulnerabilities involved, what additional controls are in place, what outstanding issues remain, and how the picture has changed since the previous scan.
Policy Control

The Information Security team is the owner of this document and is responsible for ensuring that this policy is reviewed at least annually, and that any modifications are communicated to all relevant stakeholders in a timely manner.