Vulnerability Management Policy - Korr

Purpose

This policy establishes requirements and guidelines for identifying, assessing, and remediating security vulnerabilities across Korr's AWS infrastructure. It aims to ensure timely remediation of vulnerabilities based on risk levels and maintain a strong security posture.

Scope

This policy applies to all AWS resources, including EC2 instances, containers, databases, and other cloud services used by Korr.

Policy Owner

The DevOps/Security team owns this policy and is responsible for its maintenance and enforcement.

Vulnerability Risk Levels and SLAs

Vulnerability Management Process

1. Detection

   • Regular automated scanning using AWS Inspector
   • Continuous monitoring via AWS GuardDuty
   • Review of AWS Security Hub findings
   • Monitoring of security advisories and CVE databases

2. Assessment

   • Evaluate vulnerability severity and potential impact
   • Determine risk level and corresponding SLA
   • Consider business impact and remediation complexity
   • Document findings and assigned risk levels

3. Remediation

   • Prioritize fixes based on risk level and SLA
   • Develop and test remediation plans
   • Implement security patches and updates
   • Validate fixes through follow-up scans

4. Reporting

   • Track remediation progress against SLAs
   • Document exceptions and compensating controls
   • Generate monthly vulnerability status reports
   • Review trends and recurring issues

Compliance Monitoring

• Regular audits of vulnerability management compliance
• Tracking of SLA adherence
• Documentation of exceptions and delays
• Monthly review of vulnerability metrics
• Quarterly assessment of policy effectiveness

This policy will be reviewed annually and updated as needed based on security requirements and industry best practices.