Implementing a vulnerability management process

The CDDO implementing a vulnerability management process activity section outlines how you should manage vulnerabilities during your development lifecycle.

We have produced guides on:

• how to triage vulnerabilities
• assessing risks
• escalation processes

Roles and responsibilities

Service teams and portfolios

It is the responsibility of both service teams and portfolios to follow best practice when creating secure digital services.

To build and maintain secure digital services, you should follow vulnerability management processes. Following these processes means you can find and fix issues quickly, reducing risks to DfE systems and data.

CISD

It is our responsibility to provide support and guidance to digital service teams and portfolios in mitigation planning, vulnerability tracking and risk management.

We will:

• provide guidance on assessing risks
• provide guidance on managing vulnerabilities
• provide guidance on escalation processes
• provide mitigation plan assistance
• provide vulnerability management for critical issues
• run a Vulnerability Disclosure Programme for external security researchers
• run vulnerability scans for virtual machines in Azure