9-4 Information Technology Professionals Policy - Section XII: Technical Vulnerability Management Policy
XII. Technical Vulnerability Management Policy
This Policy ensures that relevant security vulnerabilities are identified, evaluated and corrected through an appropriate risk management process.
- Control of Technical Vulnerabilities
Local Information Service Providers must establish and maintain a process for detecting and remediating vulnerabilities. The process must include:
  - Monitoring independent security research and vendor announcements for the availability of security updates.
  - Developing risk-appropriate criteria for the timely application of vendor security updates, taking into consideration:
    - The purpose of the system being patched, its criticality, and the level of patch support provided by third-party line-of-business application vendors;
    - The history of the system being patched, in particular any unplanned outages that occurred as a result of previously applied patches;
    - The impact of successful exploits of the vulnerability on the security of client data and County of Sonoma business operations should the update not be applied;
    - The categorization of any Local Agency data maintained on affected systems (e.g. Confidential or Restricted).
  - Maintaining risk assessment reports of systems that cannot be remediated.