Security Incident Response Policy
Scope
This page describes the process and workflow that Deiser follows when a security incident is reported or found.
Departments involved
DEISER has two departments involved in the resolution of an incident, this is the list ordered by response level:
Support: is the first level of support. Different work shifts are established in order to have 24/7 response. Support employees will resolve the incidents, given they are able to, in the times specified in the SLA agreement.
Development: the second level of support. If an incident cannot be resolved by the Support department, the incident will be assigned to the development department. This department has a deeper knowledge of the system and can change everything in the code even do hotfixes and quick releases.
Incidents definition and classification
The following table describes the classification of the levels of incidents ordered by priority and the description about them.
Severity of the Issue | CVSS v3 Score | Characteristics | Response time SLA |
---|---|---|---|
Critical | Â >= 9 |
For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet. | 4 hours |
High | >=7 |
| 8 hours |
Medium | >=4 |
| 24 hours |
Low | <4 | Vulnerabilities in the low range typically have very little impact on an organisation's business. Exploitation of such vulnerabilities usually requires local or physical system access. | 72 hours |
Critical and high vulnerabilities:
The way to proceed in order to fix Critical and high vulnerabilities is:Â
Identify the exact module on the code that is causing the vulnerability
Fix whatever is necessary on the code
Deploy the solution in a test environment and launch the penetration tests and perform the necessary manual tests to assure the problem is fixed
Deploy an urgent hotfix that will build a new release on Bamboo and will deploy to DigitalOcean the new fixed version in a matter of minutes.
Response times will apply since the date and time when the ticket to Service Desk is opened.
Non-critical vulnerabilities
When a security issue of a High, Medium or Low severity is discovered, DEISER will include the fix in the next scheduled maintenance release.
You should upgrade your installation in order to fix the vulnerability.