DPWAT-ISMS-PROC-008 v1.1

Vulnerability and Patching Procedure

Document ID: DPWAT-ISMS-PROC-008
Version: 1.1
Owner: Administrator + Process Owners — Anna Boros; Timo Andreas Bejan
Approved by: Administrator (ADM) — Anna Boros
Effective date: 2025-11-10
Next review: 2027-02-01 (or on major change)

1. Endpoint patching

macOS devices are enrolled in MDM with automatic updates enabled. No manual patching process is required.

2. Code dependency vulnerabilities

All DP WAT GitHub repositories have Dependabot enabled. When an alert is received:

  1. Review the alert and assess severity
  2. For critical/high: remediate by updating the dependency or applying the fix
  3. For low/informational: accept if not exploitable in context, or defer to next release
  4. No alert = no action required

3. Customer environment vulnerabilities

Customer AWS environments have CloudWatch alerting configured. When an alert is received:

  1. Assess the alert
  2. Remediate or escalate to customer as appropriate
  3. Follow incident response if significant

4. Records

No periodic vulnerability log is maintained. Significant vulnerabilities requiring remediation are tracked via: