Vulnerability & Patch Management Controls

Purpose

Bramble uses a risk-based approach to vulnerability and patch management that minimizes the attack surface of our systems, applications and services. We regularly assess the state of all production systems and check them against the most recent vulnerabilities we are aware of.

Scope

This control applies to all systems within our production environment. The production environment includes all endpoints and cloud assets used in hosting Brmbl.io and its subdomains. This may include third-party systems that support the business of Brmbl.io.

External vulnerability scans are conducted by an approved third-party vendor to validate potential vulnerabilities and to provide a check against our internally conducted scanning processes. These external scans apply to the externally facing systems of our production environment that are in scope for PCI.

Ownership

This control is owned by the SIRT Team.

Controls

Each control below is listed by Control Number and Control Title, followed by its Control Statement, its Goal, the Test of Design (TOD) steps and the Test of Operating Effectiveness (TOE) steps.

VPM-02 Vulnerability Remediation Process
Control Statement: Bramble Group Corp. has implemented mechanisms to ensure that vulnerabilities are properly identified, tracked and remediated.
Goal: Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?
TOD:
1. Examine organizational policies and procedures for requirements to ensure vulnerabilities are properly identified, tracked and remediated.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
1. Inspect formal policies, procedures or other relevant documentation to identify how vulnerabilities are identified, tracked and remediated.
2. Interview key Bramble personnel to obtain evidence that mechanisms exist to identify and document vulnerabilities in accordance with the TOD.
3. Pull a population of vulnerability reports.
4. Inspect a sample of evidence to confirm that identified vulnerabilities have been tracked, remediated, reviewed and approved according to the TOD.

VPM-04 Continuous Vulnerability Remediation Activities
Control Statement: Bramble Group Corp. has implemented mechanisms to address new threats and vulnerabilities on an ongoing basis and to ensure assets are protected against known attacks.
Goal: Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks?
TOD:
1. Examine organizational policies and procedures for requirements on how new threats and vulnerabilities are addressed on an ongoing basis and how assets are kept protected.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
1. Inspect formal policies, procedures or other relevant documentation to identify how new threats and vulnerabilities are addressed.
2. Interview key Bramble personnel to obtain evidence that mechanisms exist to identify and document new threats and vulnerabilities on a regular basis in accordance with the TOD.
3. Pull a population of vulnerability reports and new threat notifications along with a listing of company-owned assets.
4. Inspect a sample of evidence to confirm that identified vulnerabilities have been tracked and remediated and that company-managed assets are protected.

VPM-05 Software Patching
Control Statement: Bramble Group Corp. has implemented mechanisms to conduct software patching for all deployed operating systems, applications and firmware.
Goal: Does the organization conduct software patching for all deployed operating systems, applications and firmware?
TOD:
1. Inspect formal policies, procedures or other relevant documentation that outline the mechanisms used to conduct software patching for all deployed operating systems, applications and firmware.
TOE:
1. Examine formal policies or other relevant documentation to assess the implementation of, and adherence to, software patching for all deployed operating systems, applications and firmware.
2. Pull a population of all production systems, applications and firmware.
3. Confirm that software patching has been implemented on all production systems, applications and firmware.

VPM-06 Vulnerability Scanning
Control Statement: Bramble Group Corp. has implemented mechanisms to detect vulnerabilities and configuration errors through recurring vulnerability scanning of systems and web applications.
Goal: Does the organization detect vulnerabilities and configuration errors through recurring vulnerability scanning of systems and web applications?
TOD:
1. Inspect formal policies, procedures or other relevant documentation that outline the mechanisms used to detect vulnerabilities and configuration errors.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
1. Examine formal policies, procedures or other relevant documentation to identify how vulnerabilities and configuration errors are detected.
2. Interview key Bramble personnel to obtain evidence that mechanisms exist to identify and document vulnerabilities and configuration errors in accordance with the TOD.
3. Pull a population of vulnerability and configuration error reports.
4. Inspect a sample of evidence to confirm that identified vulnerabilities and configuration errors have been remediated, rescanned, reviewed and approved according to the TOD.

VPM-07 Penetration Testing
Control Statement: Bramble Group Corp. has implemented mechanisms to conduct penetration testing on systems and web applications.
Goal: Does the organization conduct penetration testing on systems and web applications?
TOD:
1. Inspect formal policies, procedures or other relevant documentation that outline the mechanisms used to conduct penetration testing on systems and web applications.
2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.
TOE:
1. Examine formal policies, procedures or other relevant documentation to identify how penetration testing is conducted.
2. Interview key Bramble personnel to obtain evidence that mechanisms exist to conduct and document penetration testing in accordance with the TOD.
  • Test of Design (TOD): verifies that a control is designed appropriately and that, as designed, it will prevent or detect the risk it addresses.
  • Test of Operating Effectiveness (TOE): verifies that the control is in place and operates as it was designed.

Policy Reference