Vulnerability Management Policy - NEO - Global Employment Marketplace Platform

1.0 PURPOSE

This policy establishes a comprehensive Vulnerability Management Program in accordance with ISO 27001:2022 (specifically Annex A.8.8 – Management of technical vulnerabilities) to systematically identify, assess, prioritize, and remediate security vulnerabilities across NEO’s information systems and infrastructure.

The vulnerability management program is integral to maintaining the confidentiality, integrity, and availability of NEO’s critical information systems and data assets. This policy ensures proactive identification and timely remediation of security vulnerabilities to minimize organizational risk and maintain compliance with regulatory and contractual obligations.

This policy supports the organization’s risk management framework and integrates with incident response, change management, and business continuity processes to provide comprehensive security protection.

2.0 SCOPE AND DEFINITIONS

2.1 Scope

This policy applies to all information systems, applications, network infrastructure, and endpoints within NEO’s environment, including:

Internal Systems:

AWS cloud infrastructure and services
SaaS applications and platforms
Endpoint devices (laptops, mobile devices) managed through Kandji MDM/EDR
Network infrastructure and security devices
Development, testing, and production environments
Third-party integrations and APIs

External Systems:

Vendor and supplier systems that process NEO data
Customer-facing applications and services
Third-party cloud services and sub-processors
Partner network connections and integrations

2.2 Definitions

Vulnerability: A weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source
Threat Intelligence: Evidence-based knowledge about existing or emerging threats that can inform security decisions
Risk Rating: A assessment of vulnerability impact and likelihood of exploitation
Remediation: The process of addressing and fixing identified vulnerabilities
Compensating Control: Alternative security measures implemented when primary vulnerability remediation is not feasible

3.0 VULNERABILITY MANAGEMENT FRAMEWORK

NEO implements a comprehensive vulnerability management program based on the following cyclical process in accordance with ISO 27001:2022 requirements:

3.1 Asset Inventory and Discovery

Maintain comprehensive inventory of all information systems and assets
Utilize Kandji MDM/EDR for endpoint asset discovery and management
Leverage AWS Resource Explorer for cloud asset inventory
Regular network discovery scans to identify unauthorized devices
Integration with configuration management databases (CMDB)
Automated asset classification based on criticality and data sensitivity

3.2 Vulnerability Identification and Detection

Vulnerability identification encompasses multiple methodologies and sources:

Automated Vulnerability Scanning:

Internal and external vulnerability scans conducted monthly
Authenticated scanning for systems where credentials are available
Web application security scanning for customer-facing applications
Container and cloud infrastructure vulnerability assessments
Kandji endpoint vulnerability detection and reporting

Threat Intelligence Integration:

Subscription to reputable threat intelligence feeds
Monitoring of vendor security advisories and bulletins
Analysis of emerging threats relevant to organizational assets
Integration of threat intelligence with vulnerability prioritization
Correlation of internal vulnerabilities with external threat landscape

Manual Assessment Methods:

Annual penetration testing by qualified external providers
Code review and static application security testing (SAST)
Dynamic application security testing (DAST)
Architecture and design security reviews
Configuration compliance assessments

3.3 Vulnerability Assessment and Risk Analysis

Risk-Based Vulnerability Assessment: All identified vulnerabilities undergo comprehensive risk assessment considering:

Exploitability and attack complexity
Impact on business operations and data confidentiality/integrity/availability
Existence of compensating controls
Asset criticality and business importance
Threat intelligence correlation and active exploitation indicators
Regulatory and compliance implications

Common Vulnerability Scoring System (CVSS):

Utilize CVSS v3.1 base scores as initial risk indicator
Apply environmental and temporal metrics for context-specific scoring
Consider organizational risk tolerance and asset criticality
Integrate threat intelligence to adjust risk ratings

Asset Criticality Classification:

Critical Assets: Systems processing sensitive data, customer-facing applications, core infrastructure
High Priority: Systems supporting business operations, development environments
Medium Priority: Internal tools, non-production systems
Low Priority: Isolated systems with minimal business impact

3.4 Vulnerability Classification and Prioritization

Risk-Based Prioritization Matrix: Vulnerabilities are prioritized using a comprehensive scoring methodology:

Risk Level	CVSS Score	Business Impact	Remediation Timeline
Critical	9.0-10.0	High business impact, active exploitation	24 hours
High	7.0-8.9	Moderate to high impact, public exploits available	7 days
Medium	4.0-6.9	Limited impact, no active exploitation	30 days
Low	0.1-3.9	Minimal impact, theoretical risk	90 days

Prioritization Factors:

Threat Intelligence: Active exploitation in the wild
Asset Criticality: Impact on business operations
Exploit Availability: Public proof-of-concept or exploit code
Network Exposure: Internet-facing vs. internal systems
Data Sensitivity: Systems processing confidential or regulated data
Compensating Controls: Existing mitigations reducing exploitability

Emergency Response Triggers:

Zero-day vulnerabilities with active exploitation
Vulnerabilities affecting customer data or core business functions
Regulatory or compliance-mandated patches
Vendor-issued emergency security bulletins

4.0 REMEDIATION AND RESPONSE

4.1 Remediation Strategies

Primary Remediation Methods:

Patching and Updates: Apply vendor-provided security patches and software updates
Configuration Changes: Modify system configurations to eliminate vulnerabilities
Compensating Controls: Implement additional security measures when direct remediation is not feasible
System Isolation: Temporarily isolate affected systems from network access
Service Discontinuation: Remove or replace vulnerable services when necessary

Remediation Decision Matrix:

Patch Available: Apply patches according to timeline requirements
No Patch Available: Implement compensating controls and monitor for patches
End-of-Life Systems: Plan for replacement or enhanced compensating controls
Legacy Systems: Assess business justification and implement additional protections

4.2 Remediation Timelines and Service Level Agreements (SLAs)

Remediation SLAs by Risk Level:

Risk Level	Detection to Assessment	Assessment to Remediation	Total Response Time
Critical	2 hours	22 hours	24 hours
High	24 hours	6 days	7 days
Medium	72 hours	27 days	30 days
Low	1 week	11 weeks	90 days

Escalation Procedures:

Critical/High vulnerabilities require immediate notification to VP of Engineering
Management notification required for vulnerabilities affecting customer data
Customer communication plan for vulnerabilities affecting service availability
Vendor engagement procedures for third-party system vulnerabilities

4.3 Remediation and Validation

All issues of non-compliance and related vulnerabilities are to be remediated in accordance with the scheduled risk rating and urgency parameters previously noted. This requires authorized by VP of Engineering personnel to undertake all necessary measures for ensuring the confidentiality, integrity, and availability of NEO’s information systems landscape.

Additionally, all relevant information is to be documented within the NEO Vulnerability Management Worksheet, which should include specific security and technical measures undertaken to correct such issues, along with procedures initiated for confirming the removal of vulnerabilities (i.e., testing systems, re-scanning IP addresses, etc.).

Specifically, for vulnerabilities found when conducting internal and external scans and network layer and application layer tests, these procedures are to be re-performed in a timely manner for ensuring such issues have been removed.

**5. Continuous Monitoring **

Threats to an organization’s information systems landscape and all critical system resources is dynamic in nature, always evolving – ultimately creating enormous challenges for NEO – for which these challenges must be met. It is the policy of this organization that all major areas identified for purposes of vulnerability management are to be regularly monitored in a way that helps in proactively identifying such vulnerabilities.

Specifically, the following is to apply:

User Access Rights: Periodic review of the entire user identity, provisioning, & access rights lifecycle, with findings, analysis, and recommendations reported to senior management within NEO.
Configuration Standards: Periodic review of critical system resources for ensuring the applicable hardening standards are in fact being applied as required, with findings, analysis, and recommendations reported to senior management within NEO.
Network Vulnerabilities: a Structured schedule for automated internal and external scans to be performed, along with network layer and application layer penetration tests, with findings, analysis and recommendations reported to senior management within NEO.

Monitoring for issues of non-compliance and related vulnerabilities is extremely critical, as it allows NEO to address security issues in a proactive manner, helping mitigate harm and damage to the organization’s critical system resources.