All Silessian Software owned and/or managed Information Resources must use the Silessian Software IT management approved endpoint protection software and configuration.
All non-Silessian Software owned workstations and laptops must use Silessian Software IT management approved endpoint protection software and configuration prior to any connection to a Silessian Software Information Resource.
The endpoint protection software must not be altered, bypassed, or disabled.
Each email gateway must utilize Silessian Software IT management approved email virus protection software and must adhere to the Silessian Software rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
Controls to prevent or detect the use of known or suspected malicious websites must be implemented.
All files received over networks or from any external storage device must be scanned for malware before use.
Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to Silessian Software IT Support.
Logging & Alerting
Documented baseline configurations for Information Resources must include log settings to record actions that may affect, or are relevant to, information security.
Event logs must be produced based on the Silessian Software Logging Standard and sent to a central log management solution.
A review of log files must be conducted periodically.
All exceptions and anomalies identified during the log file reviews must be documented and reviewed.
Silessian Software will use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
Log files must be protected from tampering or unauthorized access.
All servers and network equipment must retrieve time information from a single reference time source on a regular basis so that timestamps in logs are consistent.
All log files must be maintained for at least one year.
Patch Management
The Silessian Software IT team maintains overall responsibility for patch management implementation, operations, and procedures.
All Information Resources must be scanned on a regular basis to identify missing updates.
All missing software updates must be evaluated according to the risk they pose to Silessian Software.
Missing software updates that pose an unacceptable risk to Silessian Software Information Resources must be implemented within a time period that is commensurate with the risk as determined by the Silessian Software Vulnerability Management Standard.
Software updates and configuration changes applied to Information Resources must be tested prior to widespread implementation and must be implemented in accordance with the Silessian Software Change Control Policy.
Verification of successful software update deployment will be conducted within a reasonable time period as defined in the Silessian Software Vulnerability Management Standard.
Penetration Testing
Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.
Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify that they have been corrected.
Vulnerability Scanning
Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.
Failed vulnerability scan results rated at Critical or High will be remediated and re-scanned until all Critical and High risks are resolved.
Any evidence of a compromised or exploited Information Resource found during vulnerability scanning must be reported to the Silessian Software Information Security Officer and IT support.
Upon identification of new vulnerability issues, configuration standards will be updated accordingly.