VULNERABILITY MANAGEMENT POLICY

Objectives

To prevent exploitation of technical vulnerabilities by ensuring:

  • Information about technical vulnerabilities is obtained in a timely fashion.
  • GrowMore Recruitment evaluates exposure to vulnerabilities.
  • Appropriate measures are taken to address risks associated with vulnerabilities.
  • Only approved personnel may install approved software.

Scope

This policy applies to GrowMore Recruitment:

  • infrastructure resources within Fozzy
  • product application code and resources used for the purpose of supporting the following product offerings: GrowMore Recruitment and GrowMore Marketing software applications

Policy

Software Installation

Only approved users may install software on scoped systems.

Penetration Testing

GrowMore Recruitment conducts weekly reverse reachability tests and annual third-party penetration tests against system-level vulnerabilities. These penetration tests produce reports of vulnerabilities, which are subsequently tracked to remediation on a timeline that depends on each item's scope and severity.

These penetration tests are in addition to, not a replacement for, the other vulnerability monitoring strategies described below. Penetration tests provide an effective third-party evaluation of GrowMore Recruitment's internal vulnerability management procedures. GrowMore Recruitment uses the results of penetration tests to improve these internal processes.

Operating System

Infrastructure staff monitor the security announcement mailing list for GrowMore Recruitment’s distribution of choice. Newly published operating system vulnerabilities, as well as instructions for their remediation, are published to these internal lists.

Once a potential operating system vulnerability is detected, operations staff evaluate the potential risks associated with the vulnerability. If the vulnerability is legitimately exploitable, a patch or temporary mitigation will be rolled out within one week, typically sooner. This process may result in an Information Security Incident being raised.

Application

Source Code: In addition to weekly internal and annual external penetration tests for system-level vulnerabilities, developers evaluate changes made to application code.

Dependencies: Vulnerabilities detected above a certain severity block the application build from continuing, forcing developers to address those vulnerabilities immediately. The impact of vulnerabilities is assessed by developers and may result in patches, dependency upgrades, or other temporary mitigation measures, in addition to potential emergency releases to resolve vulnerabilities. This process may result in an Information Security Incident being raised.

Responsibilities

Infrastructure staff are responsible for the monitoring, evaluation, and treatment of system-level vulnerabilities. Developers are responsible for the monitoring, evaluation, and treatment of application-level vulnerabilities.