Escalation Processes
Standard remediation and escalation procedures
As soon as we discover a vulnerability, the Vulnerability Management team will escalate it to the correct team or individual. The process followed and the individuals contacted depend on the risk level of the vulnerability.
Critical vulnerabilities
- Immediate notification: we’ll notify the Security Incident Management team or senior management of critical vulnerabilities that have surfaced
- Rapid containment: we’ll suggest temporary measures to mitigate the risk (for example, disabling affected services, applying workarounds)
- Root cause analysis: we’ll initiate a thorough investigation to determine the cause of the vulnerability, and record the investigation in a report
- Remediation: we’ll develop a remediation plan with the service maintainers/owners to address the vulnerability permanently, and track the vulnerabilities in DfE's vulnerability management reporting
High vulnerabilities
- Prioritised response: we’ll escalate to the appropriate engineering team
- Risk assessment: we’ll evaluate the potential impact and likelihood of exploitation in a risk assessment, and share it with maintainers, owners and stakeholders
- Remediation planning: we’ll develop a remediation plan with the service owners and development team to address the vulnerability permanently, and track the vulnerabilities in DfE's vulnerability management reporting
Medium and low vulnerabilities
- Prioritised response: we’ll advise maintainers and owners on how to address vulnerabilities based on their risk level and available resources
- Remediation planning: we’ll include these vulnerabilities in DfE's vulnerability management program reporting
Urgent vulnerability escalation procedures
If the standard procedures are not effective, we will follow the urgent vulnerability escalation procedures below to ensure that the issues are fixed in good time.
Reporting
All vulnerabilities are reported in central dashboards, categorised by service. These will be reported directly to the Deputy Director responsible for the service by the Cyber and Information Security Officer (CISO).
We currently collect data on open vulnerabilities for SAST (Static Analysis Security Testing), SCA (Software Composition Analysis), Qualys infrastructure scans (Azure Virtual Machines), and vulnerabilities reported through the Vulnerability Disclosure Programme (VDP).
Escalation steps
If the standard remediation and escalation procedures have been followed and vulnerabilities are still not fixed within reasonable timeframes, the issue will be escalated according to the table below.
Risk level | # days since discovered | Action |
---|---|---|
Critical | 10 | Vulnerability Management (VM) Lead reports issue to Service Owner and delivery team to discuss immediate remediation. A ticket is raised in ServiceNow and a message is sent in Teams or Slack to the Service Owner. |
Critical | 20 | VM Lead and Cyber and Information Security Division (CISD) Head of Cyber Operations (G6) will raise any progress issues with the Service Owner and their management/SMT (G6). A Teams call will be organised including all involved to discuss remediation, and a follow-up email with actions and discussion points is sent to attendees. |
Critical | 30 | The CISO will be notified of the failure to fix and will raise a concern with the relevant Deputy Director (DD). The issue is raised in a formal email and discussion, all details are provided, and the CISO will engage with the DD. |
High | 20 | VM Lead reports issue to Service Owner and delivery team to discuss immediate remediation. A ticket is raised in ServiceNow and a message is sent in Teams or Slack. |
High | 30 | VM Lead and Cyber and Information Security Division (CISD) SMT (G6) will raise any progress issues with the Service Owner and their management/SMT (G6). A Teams call will be organised including all involved to discuss remediation, and a follow-up email with actions and discussion points is sent to attendees. |
High | 60 | The CISO will be notified of the failure to fix and will raise a concern with the DD. The issue is raised in a formal email and discussion, all details are provided, and the CISO will engage with the DD. |
Tracking
While the continuous assurance platform has been designed to track misconfigurations and vulnerabilities in our stack, there is still a need to track vulnerabilities that have been triaged, so that there is visibility over the time it takes to fix a vulnerability, the reasons why vulnerabilities are not being fixed within a reasonable time, and the effectiveness of the escalation process. To provide this, the Vulnerability Management team will track their work in Azure DevOps for each vulnerability triaged to a team.