POLÍTICA DE GESTIÓN DE AMENAZAS Y VULNERABILIDADES

 

IT-DOC-13

Versión: 1

Fecha de creación: 15/03/2021

Fecha de actualización: 11/05/2026

 

 

 

Table of Contents

1.  Scope 

2.  Definitions 

3.  Threat & Vulnerability Policy 

4.  External Penetration testing 

5.  Threat Detection 

5.1 Threat Monitoring 

5.2 Scanning Tool management 

6. Vulnerability Reporting 

6.1 Remediation  

6.2 Exceptions 

7. Roles & Responsibilities 

8. Non-Compliance 

 

 

 

1. Scope

Security will select and prioritize the system/application, based on their criticality. Production servers, databases, and applications on internally facing systems are in scope for monthly vulnerability assessments.    

 

2. Definitions

Vulnerability - In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions.

 

3. Threat & Vulnerability Policy

MSC IT Security monitor various threat sources and risks to MSC Technology.  The Security Team identifies threats and communicates the vulnerabilities to the IT Operations Team. 

The assessment may be carried out in-house, by an external company or a combination of both and cover the following:

  • Assessment of the security of all routes into the organization’s internal network from the Internet
  • Externally facing web servers
  • Business critical servers on the internal network
  • A selection of typical user computers

 

4. External Penetration testing

MSC IT Leadership Committee will schedule external scans of network perimeter on an annual basis.  These scans will be conducted by a third party, authorized by management.  The results will be presented to the CSO and IT Management to evaluate and ensure risks are remediated.

 

5. Threat Detection

5.1. Threat Monitoring

IT Security Team will proactively research emerging threats and potential attacks to ensure that MSC Technology infrastructure, servers and application are protected with secure configuration and latest patching.

5.2.  Scanning Tool Management

The Security Team ensures that vendor scanning tools are configured with most recent threat intelligence information.   Customized configurations will minimize false positives when actively probing system and applications.

Rescans can be requested when major changes occur to software or new devices need security configurations validated.

 

6. Vulnerability Reporting

Vulnerability reports are reviewed on the IT Department in a daily basis in look of any suspicious event.   threat & vulnerability Remediation

6.1. Remediation

Server or Application Administrators shall perform corrective action within these timelines.  IT Leadership will be sent reports that summarizes the status and progress of remediation efforts.

 Criticality Rating

Evaluate

Remediate

Request Exception

High

Within 5 days

Within 30 days

Within 30 days

Medium

Within 10 days

Within 45 days

Within 30 days

Low

Within 30 days

Within 60 days

Within 60 days

 

6.2. Exceptions

If there is a technical reason a system cannot be scanned or remediated please go to the IT Leadership Committee to approve exceptions for Legacy systems or other applications that have compensating controls to mitigate the vulnerability.

 

7. Roles & Responsibilities

Matrix of Tasks and Responsible Groups.

Tasks

It Team

Vendor

Threat identification

X

 

Schedule Scans

X

 

 Generate and Distribute Reports                                                                                                                                                                                                                                                                                                                                                                   

X

X

Mitigate or Remove Threats/Vulnerabilities

X

 

Attack vector identification

X

X

Approve Exceptions

X

 

 

 

8. Non-Compliance

Employees must adhere to the stated requirements. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.