Scope
This page describes the process and workflow that Deiser follows when a security incident is reported or found.
Departments involved
Deiser has two departments involved in the resolution of an incident, this is the list ordered by response level:
...
The following table describes the classification of the levels of incidents ordered by priority and the description about them.
Severity of the Issue | DescriptionCVSS v3 Score | Characteristics | Response time SLA | ||
---|---|---|---|---|---|
P1Critical Critical | Critical Business Impact: Critical issue occurring on production system preventing business operations. A large number of users are prevented from working with no procedural workaround. |
| 1 hour | ||
P2
| Significant Business Impact: Major issue occurring on production system severely impacting business. A large number of users are impacted by issue but they are still able to work in a limited capacity. |
| 4 hours | ||
P3 | Normal Business Impact: Issue causing a partial or non-critical loss of functionality on production system. A small number of users are affected |
| 8 hours | ||
P4 | Minimal Business Impact: issue occurring on non-production system or question, comment, feature request, documentation issue or other non-impacting issue. |
| 24 hours >= 9 |
For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet. | 4 weeks |
High
| >=7 |
| 6 weeks | ||
Medium | >=4 |
| 8 weeks | ||
Low | <4 | Vulnerabilities in the low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access. | 10 weeks |
Response times will apply since the date and time when the ticket to Service Desk is opened.
Response workflow
The diagram below depicts the workflow that Deiser uses for the resolution of an incident, explained by phases:
The categories of the issues created on Deiser’s Service Desk are:
...
Category
...
Description
...
Bug
...
A software’s malfunction that cause an error on the system or a wrong behavior.
...
Improvement
...
A suggestion to improve the plugin or one of its features.
...
New Feature
...
A request for new features
...
Question
...
Non-critical vulnerabilities
When a security issue of a High, Medium or Low severity is discovered, Deiser will include the fix in the next scheduled maintenance release.
You should upgrade your installation in order to fix the vulnerability.