Skip to content

Vulnerability & Patch Management

This policy is about finding weaknesses in Holmes systems before attackers do, and fixing them on a clock. It sets up regular scanning, penetration testing, and patch deadlines so vulnerabilities don't accumulate.

1. Finding vulnerabilities

Ref Requirement
VULN.1 Internal and external vulnerability scanning MUST run on a regular schedule (indicative: external monthly, internal quarterly) and after significant change.
VULN.2 Penetration testing MUST be done at least annually and after major change, by a competent independent party.
VULN.3 Scanning and testing MUST cover endpoints, servers, network devices, cloud and tenant configuration (04 CLD.12), and code and pipelines (09).
VULN.4 Findings MUST be consolidated, deduplicated, prioritised, and tracked to closure in a single register.

2. Remediation SLAs

Ref Requirement
VULN.5 Vulnerabilities MUST be remediated within severity-based timelines. Indicative targets, to be ratified: critical 7 days, high 30 days, medium 90 days. Actively exploited criticals: immediately.
VULN.6 Where remediation can't meet the SLA, a documented, time-boxed exception with compensating controls MUST be recorded (00, section 7).
VULN.7 Internet-facing and broadly accessible systems MUST be prioritised.

3. Patching

Ref Requirement
VULN.8 Operating systems and applications MUST stay on vendor-supported versions and be patched on a managed schedule, automated where possible.
VULN.9 End-of-life systems MUST be on a remediation or migration roadmap prioritised by exposure (07 NET.14). Where an EOL system must persist, it MUST be isolated and risk-accepted.
VULN.10 Third-party and non-Microsoft software, including runtimes and browsers, MUST be in patch scope, not just OS updates.

4. Baselines and configuration

Ref Requirement
VULN.11 Hardened configuration baselines MUST be maintained for OS builds, network devices, and cloud tenants, aligned to recognised benchmarks such as CIS.
VULN.12 Configuration drift from baseline MUST be detected and remediated as part of the scanning cycle.

5. Governance

Ref Requirement
VULN.13 Vulnerability status and SLA compliance MUST be reported to the CIO periodically, with material risks escalated to the risk register.
VULN.14 Newly identified vulnerabilities MUST be added to the security risk register with an owner and treatment (00).

A documented vulnerability-management programme is core evidence of reasonable security safeguards (NZ IPP5), reasonable steps (AU APP 11), and appropriate technical measures (GDPR Art. 32). Its absence is a compliance exposure in itself, independent of any breach.

Timely patching of internet-facing systems (VULN.7) is regularly examined in cyber-insurance underwriting and client due diligence.

00 Framework, 07 Network & Infrastructure, 09 Secure Development, 11 Logging & Monitoring.