|
POLÍTICA DE GESTIÓN DE AMENAZAS Y VULNERABILIDADES
IT-DOC-13 Versión: 1 Fecha de creación: 15/03/2021 Fecha de actualización: 11/05/2026 |
![]() |
Table of Contents
1. Scope
2. Definitions
3. Threat & Vulnerability Policy
4. External Penetration testing
5. Threat Detection
5.1 Threat Monitoring
5.2 Scanning Tool management
6. Vulnerability Reporting
6.1 Remediation
6.2 Exceptions
7. Roles & Responsibilities
8. Non-Compliance
1. Scope
Security will select and prioritize the system/application, based on their criticality. Production servers, databases, and applications on internally facing systems are in scope for monthly vulnerability assessments.
2. Definitions
Vulnerability - In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to perform unauthorized actions.
3. Threat & Vulnerability Policy
MSC IT Security monitor various threat sources and risks to MSC Technology. The Security Team identifies threats and communicates the vulnerabilities to the IT Operations Team.
The assessment may be carried out in-house, by an external company or a combination of both and cover the following:
- Assessment of the security of all routes into the organization’s internal network from the Internet
- Externally facing web servers
- Business critical servers on the internal network
- A selection of typical user computers
4. External Penetration testing
MSC IT Leadership Committee will schedule external scans of network perimeter on an annual basis. These scans will be conducted by a third party, authorized by management. The results will be presented to the CSO and IT Management to evaluate and ensure risks are remediated.
5. Threat Detection
5.1. Threat Monitoring
IT Security Team will proactively research emerging threats and potential attacks to ensure that MSC Technology infrastructure, servers and application are protected with secure configuration and latest patching.
5.2. Scanning Tool Management
The Security Team ensures that vendor scanning tools are configured with most recent threat intelligence information. Customized configurations will minimize false positives when actively probing system and applications.
Rescans can be requested when major changes occur to software or new devices need security configurations validated.
6. Vulnerability Reporting
Vulnerability reports are reviewed on the IT Department in a daily basis in look of any suspicious event. threat & vulnerability Remediation
6.1. Remediation
Server or Application Administrators shall perform corrective action within these timelines. IT Leadership will be sent reports that summarizes the status and progress of remediation efforts.
|
Criticality Rating |
Evaluate |
Remediate |
Request Exception |
|
High |
Within 5 days |
Within 30 days |
Within 30 days |
|
Medium |
Within 10 days |
Within 45 days |
Within 30 days |
|
Low |
Within 30 days |
Within 60 days |
Within 60 days |
6.2. Exceptions
If there is a technical reason a system cannot be scanned or remediated please go to the IT Leadership Committee to approve exceptions for Legacy systems or other applications that have compensating controls to mitigate the vulnerability.
7. Roles & Responsibilities
Matrix of Tasks and Responsible Groups.
|
Tasks |
It Team |
Vendor |
|
Threat identification |
X |
|
|
Schedule Scans |
X |
|
|
Generate and Distribute Reports |
X |
X |
|
Mitigate or Remove Threats/Vulnerabilities |
X |
|
|
Attack vector identification |
X |
X |
|
Approve Exceptions |
X |
8. Non-Compliance
Employees must adhere to the stated requirements. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
