Monday, January 20, 2025

Vulnerability Assessments & Penetration Test (VA/PT) - Timetable

System/Application Priority Table

| Priority | Frequency | System/Applications |
|---|---|---|
| 1 | Before going live | Newly developed web applications or API endpoints that have access to, store, or process confidential data; newly internet-exposed network infrastructure; internet-exposed network infrastructure after significant upgrades or modifications |
| 2 | Every 6 months | Internet-exposed web applications or API endpoints without an active blocking Web Application Firewall (WAF); internet-exposed web applications or API endpoints with active development and deployment cycles that result in constant significant changes |
| 3 | Annually | Internet-exposed network infrastructure (e.g., firewalls, VPNs, file transfer servers, load balancers); internet-exposed web applications and API endpoints that are protected by an active WAF; internal web applications and API endpoints that have access to sensitive data |
| 4 | Bi-Annually | Internal network infrastructure (e.g., switches, wireless access points) |
| 5 | Not Required | End-user devices (e.g., laptops, workstations); internal printers |

Remediation Timelines by CVSS Score and System Type

Severity bands are Common Vulnerability Scoring System (CVSS) v3.1 base scores.

| System Type | Critical (≥ 9.0) | High (7.0 – 8.9) | Medium (4.0 – 6.9) | Low (≤ 3.9) |
|---|---|---|---|---|
| New system | Before going live | Before going live | 45 days after going live | 90 days after going live |
| Internet Facing | 7 days | 15 days | 30 days | 90 days |
| Non-Internet Facing | 30 days | 45 days | 90 days | 120 days |