Owner: Security Engineering · Tools: Tenable Nessus, Amazon Inspector, Qualys WAS · Review Cycle: Quarterly
Vulnerability management is a continuous process of discovering, classifying, prioritising, and remediating security weaknesses across the entire technology estate. The programme covers infrastructure (servers, network devices), endpoints, cloud workloads, and web applications.
| Scope | Tool | Frequency | Authenticated? |
|---|---|---|---|
| On-prem servers (Windows/Linux) | Tenable Nessus | Weekly | Yes — domain credentials |
| Network devices | Tenable Nessus | Weekly | Yes — read-only SNMP/SSH |
| Corporate endpoints | MDE Threat & Vulnerability Mgmt | Continuous | Yes — agent |
| AWS workloads (EC2, ECR images) | Amazon Inspector | Continuous | Agentless (EC2), registry scan |
| Azure workloads | Microsoft Defender for Cloud | Continuous | Agentless |
| Web applications (external) | Qualys WAS | Weekly + on-release | Authenticated (web login) |
| Container images (CI/CD) | Amazon Inspector / Trivy | Per build | Registry scan |
All vulnerabilities are scored using CVSS v3.1. Remediation SLAs are measured from the date of validated discovery.
| CVSS Score | Severity | SLA — Tier 1 Systems | SLA — Tier 2 Systems | SLA — Tier 3 Systems |
|---|---|---|---|---|
| 9.0–10.0 | Critical | 24 hours | 72 hours | 7 days |
| 7.0–8.9 | High | 7 days | 14 days | 30 days |
| 4.0–6.9 | Medium | 30 days | 60 days | 90 days |
| 0.1–3.9 | Low | 90 days | 180 days | Best effort |
Exception process: Systems unable to meet SLA must have a risk exception raised in ServiceNow GRC, approved by the CISO, with compensating controls documented.
The CVSS score is supplemented by the CISA KEV (Known Exploited Vulnerabilities) catalogue and EPSS (Exploit Prediction Scoring System). Vulnerabilities on the CISA KEV list are treated as Critical regardless of CVSS score.
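The severity bands, tiered SLAs and KEV override above, expressed as an added worked example in Python (not part of the programme's tooling); the `Finding` fields, the `sla_compliance_pct` helper and the sample CVE identifiers are assumptions of this example, and "Best effort" is modelled as no hard deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Remediation SLA matrix from the programme (severity -> tier -> clock); None = "Best effort".
SLA = {
    "Critical": {1: timedelta(hours=24), 2: timedelta(hours=72), 3: timedelta(days=7)},
    "High":     {1: timedelta(days=7),   2: timedelta(days=14),  3: timedelta(days=30)},
    "Medium":   {1: timedelta(days=30),  2: timedelta(days=60),  3: timedelta(days=90)},
    "Low":      {1: timedelta(days=90),  2: timedelta(days=180), 3: None},
}

@dataclass
class Finding:                # assumed record shape for this example
    cve: str                  # identifier as reported by the scanner
    cvss: float               # CVSS v3.1 base score
    tier: int                 # system tier, 1 (most critical) to 3
    validated_on: datetime    # when the analyst confirmed a true positive
    in_kev: bool = False      # listed in the CISA KEV catalogue
    remediated_on: Optional[datetime] = None  # None while still open

def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.1 base score onto the programme's severity bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low"

def effective_severity(f: Finding) -> str:
    """KEV override: a KEV-listed finding is Critical regardless of CVSS."""
    return "Critical" if f.in_kev else severity_from_cvss(f.cvss)

def due_date(f: Finding) -> Optional[datetime]:
    """SLA clock starts at validated discovery; None means best effort."""
    clock = SLA[effective_severity(f)][f.tier]
    return None if clock is None else f.validated_on + clock

def within_sla(f: Finding, now: datetime) -> bool:
    """True if fixed by the deadline, or still open but not yet overdue."""
    due = due_date(f)
    return True if due is None else (f.remediated_on or now) <= due

def sla_compliance_pct(findings: Iterable[Finding], severity: str, now: datetime) -> float:
    """The '% <severity> vulns remediated within SLA' figure from the metrics table."""
    pool = [f for f in findings if effective_severity(f) == severity]
    return 100.0 if not pool else 100.0 * sum(within_sla(f, now) for f in pool) / len(pool)
```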
Scan → Discovery → Validation → Triage → Assign → Remediate → Verify → Close

| Stage | Who / what | Outcome |
|---|---|---|
| Scan / Discovery | Nessus / Inspector | finds CVE |
| Validation | Analyst | confirms true positive |
| Remediate | Patch Engineering | applies fix |
| Verify | Rescan | confirms remediated |
| Close | ServiceNow | ticket closed |
Scan results that are not genuine vulnerabilities (version detection error, compensating control in place) may be marked as False Positive with:
Vulnerability findings feed directly into the patching workflow:
| System Type | Patch Tool | Approval Process |
|---|---|---|
| Windows Servers | Windows Server Update Services (WSUS) via Intune | CAB — Normal change |
| Linux Servers | Ansible Playbooks (automated) | CAB — Standard pre-approved |
| Network Devices | Cisco SWE / manual via change | CAB — Normal change |
| Endpoints (Win11) | Intune — Windows Update for Business | Pilot ring → Broad (automated) |
| Container Images | Rebuild pipeline triggered | PR + automated CI gate |
| Third-party apps | Vendor-specific, Intune deployment | CAB — Standard |
All code repositories have CodeQL (GitHub) or Semgrep integrated into the CI pipeline. Build fails on findings rated High or Critical.
| Language | Tool | Gate |
|---|---|---|
| Python | Semgrep, Bandit | High+ blocks merge |
| JavaScript/TypeScript | CodeQL, ESLint Security | High+ blocks merge |
| Java | CodeQL, SpotBugs | High+ blocks merge |
| Go | CodeQL, gosec | High+ blocks merge |
| C# / .NET | Roslyn analysers | High+ blocks merge |
| IaC (Terraform, CloudFormation) | Checkov, tfsec | Critical blocks merge |
External web applications are scanned weekly by Qualys WAS and before any major release. Findings are triaged by the Application Security team.
| Test Type | Frequency | Provider |
|---|---|---|
| External Infrastructure Pentest | Annual | External (approved vendor) |
| Web Application Pentest | Annual + major releases | External (approved vendor) |
| Internal Network / AD Pentest | Annual | External (approved vendor) |
| Red Team Exercise | Biennial | Specialist red team vendor |
| Cloud Configuration Review | Annual | External |
Pentest reports and remediation tracking are maintained in SharePoint (Security > Penetration Testing).
The following metrics are reported to the CISO monthly and the board quarterly:
| Metric | Target | Current |
|---|---|---|
| % Critical vulns remediated within SLA | 100% | 98% |
| % High vulns remediated within SLA | 95% | 94% |
| Mean Time to Remediate (Critical) | < 48 hours | 36 hours |
| Mean Time to Remediate (High) | < 10 days | 8.5 days |
| Open risk exceptions (approved) | < 10 | 7 |
| Scan coverage (authenticated) | > 98% | 97.4% |
| CISA KEV items outstanding | 0 | 0 |
- https://cloud.tenable.com (SSO via Entra ID)
- https://itsm.internal/vuln
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog