System/Application Priority Table
| Priority | Frequency | System/Applications |
|---|---|---|
| 1 | Before going live |
- Newly developed web applications or API endpoint which have access to, store, or process confidential data - Newly internet exposed network infrastructure - Internet exposed network infrastructure after significant upgrades or modifications |
| 2 | Every 6 month |
- Internet exposed web applications or API endpoints without active blocking Web Application Firewalls (WAF) - Internet exposed web applications or API endpoints with active development and deployment cycles resulting in constant significant changes |
| 3 | Annually |
- Internet exposed network infrastructure (e.g., Firewalls, VPNs, File Transfer Servers, Load Balancers) - Internet exposed web applications and API endpoints which are protected by active WAF - Internal web applications and API endpoint which have access to sensitive data |
| 4 | Bi-Annually | - Internal network infrastructure (e.g., switches, wireless access points) |
| 5 | Not Required |
- End-user devices (e.g., Laptops, workstations) - Internal Printer |
Remediation Timelines by CVSS Score and System Type
| System Type | Common Vulnerability Scoring System (CVSS) V.3.1 | |||
|---|---|---|---|---|
| Critical (≥9.0) | High (7.0 – 8.9) | Medium (4.0–6.9) | Low (≤3.9) | |
| New system | Before going live | Before going live | 45 days after going live | 90 days after going live |
| Internet Facing | 7 days | 15 days | 30 days | 90 days |
| Non-Internet Facing | 30 days | 45 days | 90 days | 120 days |
No comments:
Post a Comment