Scope
This page describes the process and workflow that Deiser follows when a security incident is reported or found.
Departments involved
Deiser has two departments involved in the resolution of an incident, this is the list ordered by response level:
...
Severity of the Issue | CVSS v3 Score | Characteristics | Response time SLA |
---|---|---|---|
Critical | >= 9 | For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be that your installation is not accessible from the Internet. | 4 hours |
High | >= 7 | | 8 hours |
Medium | >= 4 | | 24 hours |
Low | < 4 | Vulnerabilities in the low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access. | 72 hours |
Critical and high vulnerabilities:
The procedure for fixing Critical and High vulnerabilities is:
- Identify the exact module in the code that is causing the vulnerability
- Fix whatever is necessary in the code
- Deploy the solution in a test environment, launch the penetration tests and perform the necessary manual tests to confirm the problem is fixed
- Deploy an urgent hotfix: this builds a new release on Bamboo and deploys the fixed version to AWS in a matter of minutes.
Response times apply from the date and time when the ticket is opened in Service Desk.
...