CHNG-08

Have you implemented policies and procedures that guide how security risks are mitigated until patches can be applied?

Explanation

This question is asking whether your organization has formal, documented procedures for managing security risks during the period between when a vulnerability is discovered and when it can be patched. In an ideal world, all vulnerabilities would be patched immediately upon discovery. In reality, there are often delays between vulnerability identification and patch deployment due to testing requirements, maintenance windows, vendor patch availability, or operational constraints. During this gap, systems remain vulnerable, creating security risk. The question seeks to understand whether you have a systematic approach to mitigating that interim risk. Such policies might include implementing temporary workarounds, adding monitoring, restricting access, or applying compensating controls until the permanent fix (the patch) can be deployed.

This is being asked in a security assessment because unpatched vulnerabilities represent a significant attack vector. Organizations with mature security practices don't rely on patching alone; they have a comprehensive vulnerability management program that includes interim risk mitigation strategies. This demonstrates a proactive approach to security rather than a purely reactive one.

To best answer this question, describe your formal policies for vulnerability management, specifically highlighting the interim risk mitigation procedures. Include details about how risks are assessed, who is responsible for implementing mitigations, what types of mitigations are typically employed, and how these mitigations are tracked and verified. If possible, reference specific policy documents and provide examples of how these procedures have been applied in practice.

Example Responses

Example Response 1

Yes, we have implemented a comprehensive Vulnerability Management Policy that includes specific procedures for interim risk mitigation. When vulnerabilities are identified but cannot be immediately patched, our Security Operations team conducts a risk assessment to determine appropriate compensating controls. These may include network segmentation, implementing WAF rules, additional logging and monitoring, or temporary feature disablement. Each vulnerability is tracked in our vulnerability management system with assigned risk ratings, mitigation plans, and target remediation dates. For critical vulnerabilities, we implement a 'virtual patching' approach using our IDS/IPS systems while patches are being tested. All interim mitigations require approval from our Security Officer and are documented in our risk register until permanent remediation is complete. These procedures are reviewed annually and were last updated in January 2023.

Example Response 2

Yes, our organization has established a formal Risk Mitigation Policy (document #SEC-VM-003) that specifically addresses the period between vulnerability discovery and patch implementation. Our process includes three tiers of interim controls based on CVSS scores. For critical vulnerabilities (CVSS 9.0-10.0), we implement immediate isolation of affected systems or services if patches cannot be applied within 24 hours. For high vulnerabilities (CVSS 7.0-8.9), we deploy compensating controls such as enhanced monitoring, access restrictions, or firewall rules within 72 hours if patching will be delayed. For medium vulnerabilities (CVSS 4.0-6.9), we document accepted risks and implement additional detective controls until the next patch cycle. All interim mitigations are documented in our risk management platform, assigned to specific owners, and reviewed weekly by our security team until permanent remediation is complete. This approach successfully protected our systems during the recent Log4j vulnerability, when patches were not immediately available for all affected systems.
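The explanation above asks how risks are assessed, who owns each mitigation, and how mitigations are tracked and verified; Example Response 1 adds a Security Officer approval step, and Example Response 2 describes a three-tier policy keyed on CVSS score. The following added example (written for this page; it is not ResponseHub's code, nor any questionnaire's required format) turns those statements into a small triage and weekly-review helper. The tier thresholds and windows are taken from Example Response 2; the register fields, the review rules, and the sample register entries are assumptions constructed for the demonstration.

```python
"""Tiered interim-mitigation triage and register review (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Tiers mirror Example Response 2: (name, low, high, window within which an
# interim control must be in place, required action). Scores below 4.0 get no
# interim tier here (an assumption; the response does not define one).
TIERS = (
    ("critical", 9.0, 10.0, timedelta(hours=24),
     "isolate affected system/service if not patched"),
    ("high", 7.0, 8.9, timedelta(hours=72),
     "deploy compensating controls (monitoring, access restriction, firewall rules)"),
    ("medium", 4.0, 6.9, None,
     "document accepted risk; add detective controls until next patch cycle"),
)


def classify(cvss: float) -> Tuple[str, Optional[timedelta], str]:
    """Map a CVSS base score to (tier, control window, required action)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    score = round(cvss, 1)  # CVSS base scores carry one decimal place
    for name, lo, hi, window, action in TIERS:
        if lo <= score <= hi:
            return name, window, action
    return "low", None, "patch in the normal cycle"


@dataclass
class InterimMitigation:
    """One risk-register entry for a vulnerability awaiting its permanent fix."""
    vuln_id: str
    cvss: float
    discovered_at: datetime
    owner: Optional[str] = None              # who implements the mitigation
    control: Optional[str] = None            # compensating control applied
    control_applied_at: Optional[datetime] = None
    approved_by: Optional[str] = None        # Security Officer sign-off
    remediated_at: Optional[datetime] = None  # permanent fix deployed

    @property
    def tier(self) -> str:
        return classify(self.cvss)[0]

    def control_deadline(self) -> Optional[datetime]:
        window = classify(self.cvss)[1]
        return self.discovered_at + window if window else None


def review(register: List[InterimMitigation], now: datetime) -> List[str]:
    """Weekly review: one finding per policy violation still open in the register."""
    findings: List[str] = []
    for m in register:
        if m.remediated_at is not None or m.tier == "low":
            continue  # permanently fixed, or not subject to interim controls
        if m.owner is None:
            findings.append(f"{m.vuln_id}: no owner assigned")
        deadline = m.control_deadline()
        if deadline and m.control_applied_at is None and now > deadline:
            findings.append(f"{m.vuln_id}: {m.tier} tier, interim control "
                            f"overdue since {deadline:%Y-%m-%d %H:%M}")
        if m.control_applied_at is not None and m.approved_by is None:
            findings.append(f"{m.vuln_id}: interim control applied without approval")
    return findings


# Constructed sample register (identifiers and dates are made up for the example).
NOW = datetime(2024, 3, 11, 9, 0)
SAMPLE_REGISTER = [
    InterimMitigation("VULN-0001", 9.8, datetime(2024, 3, 9, 15, 0), owner="soc-lead",
                      control="host isolated from production segment",
                      control_applied_at=datetime(2024, 3, 9, 20, 0),
                      approved_by="security-officer"),
    InterimMitigation("VULN-0002", 7.5, datetime(2024, 3, 6, 10, 0),
                      owner="platform-team"),            # 72h window passed, no control
    InterimMitigation("VULN-0003", 5.3, datetime(2024, 3, 1, 8, 0)),  # no owner
    InterimMitigation("VULN-0004", 8.1, datetime(2024, 3, 10, 12, 0), owner="app-team",
                      control="WAF rule", control_applied_at=datetime(2024, 3, 10, 14, 0)),
    InterimMitigation("VULN-0005", 9.1, datetime(2024, 2, 20, 9, 0), owner="soc-lead",
                      remediated_at=datetime(2024, 2, 21, 9, 0)),  # closed
]

if __name__ == "__main__":
    for line in review(SAMPLE_REGISTER, NOW):
        print(line)
```

Running the block prints three findings: the high-tier entry whose 72-hour window elapsed without a control, the medium-tier entry with no owner, and the entry whose WAF rule was applied without Security Officer approval. Entries that are already remediated drop out of the review, which is the behaviour the example responses describe for the risk register.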

Example Response 3

No, we do not currently have formal policies specifically addressing interim risk mitigation between vulnerability discovery and patching. Our current approach is to patch vulnerabilities as quickly as possible according to our standard patch management schedule (critical patches within 7 days, high within 14 days, medium within 30 days). When patches cannot be applied within these timeframes, we handle each situation on a case-by-case basis, but we do not have documented procedures for implementing or tracking compensating controls. We recognize this as a gap in our security program and are currently developing a more comprehensive vulnerability management framework that will include interim risk mitigation procedures. We expect to have this new policy implemented within the next quarter.

Context

Tab: Organization
Category: Change Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub