Vulnerability Management Policy
Document ID: DPWAT-ISMS-POL-011
Version: 1.1
Owner: Administrator + Process Owners — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-10-15
Next review: 2027-02-01 (or on major change)
1. Policy
DP WAT manages technical vulnerabilities through automated patching and alert-based response, proportionate to the company's size and its cloud-first model.
2. Approach
DP WAT uses automated updates and alert-based response rather than proactive vulnerability scanning:
| Area | Mechanism | Response |
|---|---|---|
| Endpoints (macOS) | Automatic updates via MDM | Updates applied automatically |
| Code dependencies | GitHub Dependabot on all repos | React to alerts when received |
| Customer environments | AWS CloudWatch / alerting | React to alerts when received |
No proactive scanning is performed; in the absence of an alert, no action is required.
3. Responding to alerts
When a vulnerability alert is received:
- Assess the severity and exploitability of the vulnerability in the context of the affected system
- Remediate critical vulnerabilities promptly
- Accept or defer low-risk vulnerabilities where remediation is impractical
- If the vulnerability is significant, follow the incident response procedure