Vulnerability & Patch Management
This policy is about finding weaknesses in Holmes systems before attackers do, and fixing them on a clock. It sets up regular scanning, penetration testing, and patch deadlines so vulnerabilities don't accumulate.
1. Finding vulnerabilities
| Ref |
Requirement |
| VULN.1 |
Internal and external vulnerability scanning MUST run on a regular schedule (indicative: external monthly, internal quarterly) and after significant change. |
| VULN.2 |
Penetration testing MUST be done at least annually and after major change, by a competent independent party. |
| VULN.3 |
Scanning and testing MUST cover endpoints, servers, network devices, cloud and tenant configuration (04 CLD.12), and code and pipelines (09). |
| VULN.4 |
Findings MUST be consolidated, deduplicated, prioritised, and tracked to closure in a single register. |
| Ref |
Requirement |
| VULN.5 |
Vulnerabilities MUST be remediated within severity-based timelines. Indicative targets, to be ratified: critical 7 days, high 30 days, medium 90 days. Actively exploited criticals: immediately. |
| VULN.6 |
Where remediation can't meet the SLA, a documented, time-boxed exception with compensating controls MUST be recorded (00, section 7). |
| VULN.7 |
Internet-facing and broadly accessible systems MUST be prioritised. |
3. Patching
| Ref |
Requirement |
| VULN.8 |
Operating systems and applications MUST stay on vendor-supported versions and be patched on a managed schedule, automated where possible. |
| VULN.9 |
End-of-life systems MUST be on a remediation or migration roadmap prioritised by exposure (07 NET.14). Where an EOL system must persist, it MUST be isolated and risk-accepted. |
| VULN.10 |
Third-party and non-Microsoft software, including runtimes and browsers, MUST be in patch scope, not just OS updates. |
4. Baselines and configuration
| Ref |
Requirement |
| VULN.11 |
Hardened configuration baselines MUST be maintained for OS builds, network devices, and cloud tenants, aligned to recognised benchmarks such as CIS. |
| VULN.12 |
Configuration drift from baseline MUST be detected and remediated as part of the scanning cycle. |
5. Governance
| Ref |
Requirement |
| VULN.13 |
Vulnerability status and SLA compliance MUST be reported to the CIO periodically, with material risks escalated to the risk register. |
| VULN.14 |
Newly identified vulnerabilities MUST be added to the security risk register with an owner and treatment (00). |
6. Legal & jurisdictional notes
A documented vulnerability-management programme is core evidence of reasonable security safeguards (NZ IPP5), reasonable steps (AU APP 11), and appropriate technical measures (GDPR Art. 32). Its absence is a compliance exposure in itself, independent of any breach.
Timely patching of internet-facing systems (VULN.7) is regularly examined in cyber-insurance underwriting and client due diligence.
00 Framework, 07 Network & Infrastructure, 09 Secure Development, 11 Logging & Monitoring.