VULNERABILITY MANAGEMENT PROCEDURE

DOCUMENT DISTRIBUTION AND REVIEW HISTORY

Document Control
Classification:    INTERNAL
Document Title:    Vulnerability Management Procedure
Document Owner:    Information Security Department
Author(s):         Security Services
Document Date:     15/08/2023
Reviewed By:       Abdullah Alahmari

Approval
Department                      | Role        | Name                 | Signature
Information Security Department | IS Director | Mohammed Al-Washmi   |
CEO Office                      | CEO         | Dr. Bandar AlHaqbani |

Change Record
Date       | Author             | Version | Change Reference
15/08/2023 | Manar Alshehri     | 1.0     | Initial version
24/08/2023 | Abdullah Alahmari  | 1.0     | Final review
24/08/2023 | Mohammed Al-Washmi | 1.0     | Final review

Distribution
Department: Shared Services Division; Technical Delivery Division; Development Division
TCC Internal   Page 2 | 13

Proprietary Information:

This document is the property of Technology Control Company and is classified as INTERNAL. Distribution, disclosure, sharing, copying or publishing of any or all of this document's content, internally or externally, may only be authorized if you have been granted appropriate permission from the Information Security Department.

Table of Contents
1. Purpose (page 5)
2. Scope (page 5)
3. Procedure (page 5)
4. Flow Chart (page 11)
5. Associated Documents (page 12)
6. Appendix A - Vulnerability Severity Criteria Based on CVSS (page 12)
7. Appendix B - Resolution Rating (page 12)
8. Appendix C - Vulnerability Remediation Timeframe (page 13)
9. Document Repository (page 13)

1. Purpose

This procedure describes the method for implementing vulnerability management within TCC: how vulnerabilities in TCC systems are identified, assessed, prioritized, remediated and verified, and who is responsible for each step.

2. Scope

This procedure applies to all external and internal systems of TCC.

3. Procedure

Each step below lists the action and the party that performs it.

Step 1 (Performed by: Information Technology Department)
Information assets shall be discovered and identified, then classified and grouped to define the scope of the vulnerability assessment. The scope of vulnerability scanning shall be identified based on one of the following:
- Changes in the computing environment, such as the installation of a new device or the publishing of a new service.
- A vulnerability scanning request based on an incident report, a threat intelligence report, or observations from an interested party of symptoms that might affect TCC systems.
- Security publications / announcements from vendors about new vulnerabilities discovered for assets identified by the discovery scan.
- Periodic scanning based on regulatory requirements and capacity planning for the assets.

Step 2 (Performed by: Information Security Department - VA PT Team)
Use an automated tool to perform asset discovery in the TCC environment in case new assets / services have been published without being tested.

Step 3 (Performed by: Asset Owner)
Confirm the assets identified by the asset discovery scan with the Information Security Department.

Step 4 (Performed by: Information Security Department - VA PT Team)
Tag assets in groups based on the system criticality categories identified in the information asset inventory.

Step 5 (Performed by: Information Security Department - VA PT Team)
The scanning solution will be used to conduct vulnerability assessments periodically against the systems in scope. The tool shall carry out the following activities:
- OS fingerprinting: the operating systems of the targeted systems shall be identified to determine related vulnerabilities.
- Detecting open ports / running services: all ports on the identified systems shall be scanned to determine the level of the vulnerabilities associated with those ports.
- Mapping services to discovered security vulnerabilities: map the vulnerabilities to each system according to its version and analyze their impact.
- Verifying whether the service on the host is vulnerable to an attack or has been patched: identify the patching and hardening level of each system.
Whenever possible, all scans shall be conducted during non-critical / non-operational hours. Any extensive scanning activity that might affect the normal behavior of any service shall be arranged with the assets' owners.

Step 6 (Performed by: Information Security Department - VA PT Team)
After the scan is complete, the results will be thoroughly analyzed to understand how attackers could take advantage of the vulnerabilities and how this might affect TCC, to eliminate false positives, and to ensure that vulnerabilities are effectively prioritized (according to their severity level) so that remediation efforts can be organized in a later stage.
Vulnerability severity shall be classified in accordance with the Vulnerability Management Policy; see also Appendix A - Vulnerability Severity Criteria Based on CVSS.
The IT Department shall also consider the resolution rating to determine how quickly the remediation shall be implemented, based on:
- Asset criticality: assets affected by a vulnerability have different criticality to TCC, based on the information asset inventory.
- Risk involved in applying the remediation: identify whether the fix will affect the functionality of the system or other network components, or will introduce new vulnerabilities into the environment. See Appendix B - Resolution Rating.
The Information Security Department - VA PT Team will prepare the following reports after each assessment activity, to be shared with the assets' owners and custodians as well as the IT Department. The encrypted vulnerability report is sent to the associated parties (asset owners and custodians) via TCC email, and the decryption key via a different communication channel. Different parties shall not be looped in the same email.
- Executive Report: summarizes the security posture of the target systems, highlighting the major discovered vulnerabilities, the existing risks, and the priorities for remediation and treatment actions. This report will include:
  - Graphs representing the discovered vulnerabilities and their criticality.
  - The most critical vulnerabilities existing on the target systems.
  - A summary of recommendations for remediation and corrective actions.
- Technical Report: shows the details of the discovered vulnerabilities, the associated threats and impact, and how to mitigate them. The report sections will include a detailed description of each vulnerability discovered:
  - Vulnerability name, reference, severity level, description, threat, impact, and recommendations (workaround, patching, missing configuration, etc.).

Step 7 (Performed by: IT Department)
By applying the right severity and resolution level, the team becomes aware of which vulnerabilities to mitigate first and how urgently the associated remediation must be applied. Setting priorities for which systems to patch, and in what order, is essential for an effective patch process. See Appendix C - Vulnerability Remediation Timeframe.

Step 8 (Performed by: IT, IS, Asset Owner and Asset Custodian)
Test the remediation (patching) in a testing environment. If the test is successful, proceed to Step 9; otherwise, re-plan the remediation actions.

Step 9 (Performed by: IT Department)
There are multiple approaches to applying remediation actions: security patch installation, configuration adjustment, software removal, or a compensating control if the vulnerability cannot be fixed.
- Security patch installation: applying a security patch (also called a "fix" or "hotfix") repairs the vulnerability. Patches contain code that modifies the software application to address and eliminate the problem. Patches obtained from vendor websites are typically the most up to date and the most trusted; their integrity (vendor signature or published checksum) should still be verified before deployment.
- Configuration adjustment: adjusting how an application or security control is configured can effectively block attack vectors and reduce the threat of exploitation. Common configuration adjustments include disabling services and modifying privileges, as well as changing firewall rules and modifying router access controls. Settings of vulnerable software applications can be modified by adjusting file attributes or registry settings. The Asset Custodian shall follow the Change Management process when modifying settings on target systems.
- Software removal: removing or uninstalling the affected software or vulnerable service eliminates the vulnerability and any associated threat. This is a practical solution when an application is not needed on a system. Determining how the system is used, removing unnecessary software and services, and running only what is essential for the system's purpose is a recommended security practice (security hardening). The Asset Custodian shall follow the Change Management process when modifying settings on target systems.
- Compensating controls: sometimes custodians cannot apply mitigation controls directly on the affected systems for compatibility or criticality reasons. In this case, TCC might invest in a new technology / control that helps reduce the risk associated with the reported vulnerabilities, such as installing a WAF to protect against web attacks on systems that have compatibility issues with other applications that might affect critical business operations.
Note: The Information Security Director may accept exceptions for certain vulnerabilities and approve not remediating them, after obtaining approval from the asset business owner and technical owner, to ensure that legacy applications, systems and other infrastructure assets do not undergo downtime; for example, where the cost of mitigating a vulnerability exceeds the losses that would result from its exploitation. Such exceptions should be recorded with an expiry date and the compensating control relied upon.

Step 10 (Performed by: Information Security Department - VA PT Team)
Verify that all reported vulnerabilities were mitigated as intended. Verification is primarily accomplished by re-running the scan against the target. If this is not available, the Information Security Director can use one of the following methods:
- Verify that the files or configuration settings intended to fix the vulnerability have been changed as stated in the vendor's documentation / SOC recommendations.
- Verify that the recommended patches were installed properly by requesting the associated system logs.

Step 11 (Performed by: Information Security Department - VA PT Team)
Understanding and managing new vulnerabilities is a continuous activity, requiring significant time, attention and resources. The Information Security Department shall continuously acquire, assess and act on new information in order to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers. Key controls to improve vulnerability management include the following, where applicable:
- Update the signatures of the scanning tools daily, and especially before scanning.
- Ensure that the scanning tools have updated asset information for all systems within the scanning scope.
- Update / maintain the vulnerability management policies and procedures.
- Continuously monitor the status of vulnerabilities, remediations and threats. The most common types of resources are:
  - Enterprise patch management solutions, to obtain all available patches from supported vendors.
  - Vendor websites and mailing lists, to obtain all available patches from vendors not supported by the enterprise patch management solutions.
  - Vulnerability scanners and databases, to obtain immediate information on all known vulnerabilities and suggested remediations.
  - Third-party websites and mailing lists that highlight the most critical vulnerabilities.
  - Threat intelligence feeds that highlight critical vulnerability information.
- Conduct regular meetings with the custodians to:
  - Ensure the support and commitment of custodians to vulnerability management activities by providing all access / permissions needed to conduct vulnerability assessments.
  - Verify that all remediation actions have been applied.
  - Review the performance of vulnerability remediation activities.
  - Ensure that the documented procedures are followed adequately.
  - Identify additional tools or resources needed to detect, analyze and mitigate future vulnerabilities.
These meetings should produce a set of objective and subjective data regarding cyber security effectiveness. Over time, the collected data should be useful in several capacities.

Step 12 (Performed by: Information Security Department - VA PT Team)
Report the status, aging and impact of vulnerabilities to TCC assets.

4. Flow Chart


5. Associated Documents

- Vulnerability Management Policy
- Operation Security Policy
- Log Management Procedure
- Incident Management Policy
- Incident Management Procedure
- Incident Management Process

6. Appendix A - Vulnerability Severity Criteria Based on CVSS

Severity         | Description
Very High        | The plugin's highest vulnerability CVSSv2 score is 10.0
High             | The plugin's highest vulnerability CVSSv2 score is between 7.0 and 9.9
Medium           | The plugin's highest vulnerability CVSSv2 score is between 4.0 and 6.9
Low and Very Low | The plugin's highest vulnerability CVSSv2 score is between 0.1 and 3.9
Info             | The plugin's highest vulnerability CVSSv2 score is 0, or the plugin does not search for vulnerabilities

Note: the bands above are CVSSv2 scores as reported per scanner plugin (check). A scanner that reports CVSSv3 base scores uses different qualitative bands (in CVSSv3, Critical is 9.0 to 10.0 and High is 7.0 to 8.9), so such scores must be mapped to the bands above before Appendix C is applied.

7. Appendix B - Resolution Rating

Resolution | Description
Quick      | - Criticality of the associated system is Mission Critical or Critical
           | - Quick to resolve, with a simple change to device or system configuration
Planned    | - Criticality of the associated system is Medium
           | - Could cause disruption to services
Involved   | - Criticality of the associated system is Low
           | - Would most likely cause disruption to network services, and possibly require modification of other network device configurations
           | - Would require initiating a project or involving an external party (e.g. vendor)


8. Appendix C - Vulnerability Remediation Timeframe

Remediation timeframe by resolution rating (rows) and severity (columns):

Resolution | Very High      | High           | Medium          | Low and Very Low | Info
Quick      | Within 2 days  | Within 5 days  | Within 10 days  | Within 2 months  | Based on Technical Owner judgment
Planned    | Within 10 days | Within 20 days | Within 30 days  | Within 6 months  | Based on Technical Owner judgment
Involved   | Within 30 days | Within 45 days | Within 2 months | Within 12 months | Based on Technical Owner judgment
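The following Python script is an added example and is not part of the TCC procedure or its tooling. It applies the Appendix A severity bands, the Appendix B resolution rating and the Appendix C timeframes to a list of findings and produces the status and aging view that Step 12 reports. The Finding record, its field names, the sample findings and the report date are constructed for this example; "months" in Appendix C are read as calendar months, clamped to the last day of the target month.

```python
# Added example (not part of the TCC procedure): Appendix A banding,
# Appendix C due dates, and the Step 12 status/aging report.
# The Finding class, field names and sample data are assumptions.
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SEVERITY_ORDER = ["Very High", "High", "Medium", "Low and Very Low", "Info"]


def cvss2_severity(score: float) -> str:
    """Appendix A: band the check's highest CVSSv2 score."""
    if score >= 10.0:
        return "Very High"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low and Very Low"
    return "Info"  # score 0, or the check does not look for vulnerabilities


# Appendix C as (unit, count). Info is absent on purpose: its due date is
# left to the Technical Owner's judgment.
TIMEFRAME = {
    "Quick":    {"Very High": ("days", 2),  "High": ("days", 5),  "Medium": ("days", 10),  "Low and Very Low": ("months", 2)},
    "Planned":  {"Very High": ("days", 10), "High": ("days", 20), "Medium": ("days", 30),  "Low and Very Low": ("months", 6)},
    "Involved": {"Very High": ("days", 30), "High": ("days", 45), "Medium": ("months", 2), "Low and Very Low": ("months", 12)},
}


def iso(s: str) -> date:
    return date.fromisoformat(s)


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic (assumption), clamped to the month's last day."""
    years, m0 = divmod(d.month - 1 + n, 12)
    y, m = d.year + years, m0 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def due_date(found: date, resolution: str, severity: str) -> Optional[date]:
    """Appendix C: remediation deadline, or None for Info findings."""
    if severity == "Info":
        return None
    unit, n = TIMEFRAME[resolution][severity]
    return found + timedelta(days=n) if unit == "days" else add_months(found, n)


@dataclass
class Finding:
    asset: str
    name: str
    cvss2: float               # highest CVSSv2 score reported by the scanner check
    resolution: str            # Appendix B rating: Quick / Planned / Involved
    found: date                # date the finding was first reported
    remediated: Optional[date] = None


def finding_status(f: Finding, as_of: date) -> dict:
    """One row of the Step 12 report: severity, due date, age and state."""
    severity = cvss2_severity(f.cvss2)
    due = due_date(f.found, f.resolution, severity)
    closed = f.remediated is not None and f.remediated <= as_of
    end = f.remediated if closed else as_of
    if closed:
        state = "closed" if due is None or f.remediated <= due else "closed late"
    elif due is None:
        state = "open (owner judgment)"
    elif as_of > due:
        state = "overdue"
    else:
        state = "open"
    return {"asset": f.asset, "name": f.name, "severity": severity,
            "resolution": f.resolution, "found": f.found.isoformat(),
            "due": due.isoformat() if due else None,
            "age_days": (end - f.found).days, "state": state}


def aging_report(findings, as_of: date) -> list:
    """Most severe band first, then the oldest finding first within a band."""
    rows = [finding_status(f, as_of) for f in findings]
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r["severity"]), -r["age_days"]))
    return rows


# Constructed sample findings (not real TCC data).
REPORT_DATE = iso("2023-09-15")
SAMPLE_FINDINGS = [
    Finding("web-01", "Outdated OpenSSL", 10.0, "Quick", iso("2023-09-01")),
    Finding("db-02", "Weak TLS cipher suite", 5.0, "Planned", iso("2023-08-20")),
    Finding("legacy-erp", "Unsupported OS", 9.3, "Involved", iso("2023-07-01"), iso("2023-08-10")),
    Finding("fs-01", "SMB signing not required", 3.3, "Quick", iso("2023-06-30")),
    Finding("net-01", "Service banner disclosure", 0.0, "Planned", iso("2023-09-10")),
]

if __name__ == "__main__":
    for r in aging_report(SAMPLE_FINDINGS, REPORT_DATE):
        print(f'{r["severity"]:<17} {r["asset"]:<11} due {r["due"] or "owner judgment":<14} '
              f'age {r["age_days"]:>3}d  {r["state"]}')
```

Run as a script, the sample data yields the Very High finding on web-01 as overdue after two days, the High finding on legacy-erp closed within its 45-day window, the Medium finding on db-02 still open, and the Low finding on fs-01 overdue at 77 days, which is the picture the aging report exists to surface.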

9. Document Repository

- This document can be reached digitally under the following link: https://portal.tcc-ict.com/policyprocedures
