9-4 Information Technology Professionals Policy - Section XII: Technical Vulnerability Management Policy
What’s on this Page
Section XII: Technical Vulnerability Management Policy
Read next: Section XIII: Third Party Security Policy
XII. Technical Vulnerability Management Policy
This Policy ensures that relevant security vulnerabilities are identified, evaluated and corrected through an appropriate risk management process.
- Control of Technical Vulnerabilities
Local Information Service Providers must establish and maintain a process for detecting and remediating vulnerabilities. The process must include:
- Monitoring independent security research and vendor announcements for the availability of security updates.
- Developing risk appropriate criteria for the timely application of vendor security updates taking into consideration:
- The purpose of the system being patched, its criticality, and the level of patch support provided by 3rd party line of business application vendors;
- The history of the system being patched, in particular, any unplanned outages that occurred as a result of previously applied patches;
- The impact of successful exploits of the vulnerability on the security of client data and County of Sonoma business operations should the update not be applied;
- The categorization of any Local Agency data maintained on affected systems (e.g. Confidential or Restricted).
- Maintaining risk assessment reports of systems that cannot be remediated.