Version: 1.1
Approved By: Richard D’Lonesteen
Created at: 12/10/2023
Purpose
The purpose of the Security Vulnerability Management Policy is to define the responsibilities and outline the procedures to identify, assess, mitigate, and monitor security vulnerabilities in our systems, applications, and services to protect the integrity, confidentiality, and availability of data managed by ChattyAI.
Scope
This policy applies to all employees, contractors, consultants, temporaries, and other workers at ChattyAI, including all personnel affiliated with third parties. This policy covers all software, hardware, and networks owned or employed by ChattyAI.
Definitions
- Vulnerability: A flaw or weakness in a system's design, implementation, operation, or management that could be exploited to violate the system's security policy.
- Vulnerability Management: The cyclical practice involving the identification, classification, remediation, and mitigation of vulnerabilities.
Policy
Identification & Detection
- Automated Scanning: Regular automated vulnerability scans will be performed on all network devices, servers, endpoint devices, and applications.
  - Scans must be conducted at least bi-monthly or after any significant change in the network.
  - Results will be documented and reviewed by the security team.
- Manual Testing: Supplement automated scans with manual penetration testing conducted by qualified personnel or third-party services.
  - Perform manual tests at least annually or as determined necessary by risk assessments.
- Third-Party Reports: Regularly review security advisories and vulnerability alerts from vendors, industry groups, and governmental organizations.
  - Establish a rapid response procedure for addressing critical vulnerabilities identified through third-party sources.
Assessment & Prioritization
- Risk Assessment: Every identified vulnerability will be assessed to determine its impact and risk level based on:
  - The severity of the vulnerability.
  - The complexity of the exploitation.
  - The potential impact on business operations.
  - The likelihood of the vulnerability being exploited.
- Vulnerability Classification: Vulnerabilities will be classified into categories such as critical, high, medium, and low, guiding the timeline and priority for response actions.
Remediation & Mitigation