SID-OPS-04 — Vulnerability Management
| Property | Value |
|---|---|
| Owner | platform |
| Category | process |
| CSF Function | detect |
| Group | Operational Controls |
Description
Formal vulnerability management process: intake, triage, SLAs, patching, and disclosure policy. SBOM monitoring for third-party dependencies. Automated dependency scanning (Dependabot/Snyk) in CI/CD. Management of technical vulnerabilities per defined remediation timelines.
The operator is responsible for the following vulnerability and malware protection measures in the deployment environment:
1. Endpoint protection: deploy and maintain anti-malware / EDR tooling on all servers and administrative workstations used to manage the wallet infrastructure. Signatures / detection rules MUST be kept up to date.
2. Vulnerability management process: establish a documented process covering intake (CVE feeds, Dependabot alerts), triage (CVSS-based risk rating), remediation SLAs (critical ≤7 days, high ≤30 days, medium ≤90 days), and exception handling with compensating controls.
3. Production configuration scanning: run infrastructure-level vulnerability scans (e.g. OpenSCAP, Trivy for container images) against production deployments on each release. Scan reports MUST be retained as assurance evidence.
4. Patch management: OS, runtime (Go), and dependency patches MUST be applied within remediation SLAs. A patch management log MUST be maintained.
Review criteria: documented process, scan report from most recent deployment, patch management log, endpoint protection configuration evidence.
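The triage and SLA steps above (intake from a scan report, severity-based due dates, exception handling with compensating controls) can be turned into a small script that an operator runs against each release scan. The following is an added example written for this page, not tooling from the project or the cited frameworks. It assumes a minimal subset of Trivy's JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report, its package versions and its `CVE-0000-*` identifiers are constructed placeholders, and giving LOW findings no due date is this example's own choice, since the control states no SLA for that severity.

```python
"""Constructed example: triage a Trivy-style JSON scan report against the
remediation SLAs in this control (critical <=7, high <=30, medium <=90 days)
and flag findings past their SLA, honouring approved, unexpired exceptions."""
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# SLAs from the control text. LOW has no SLA on the page; tracking it without
# a due date is this example's assumption.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}


@dataclass
class Finding:
    vuln_id: str
    package: str
    installed: str
    fixed: Optional[str]       # None when the scanner lists no fixed version
    severity: str
    target: str                # image / filesystem the finding came from


@dataclass
class TriageResult:
    finding: Finding
    due: Optional[date]        # None when no SLA applies to the severity
    overdue: bool
    exception: Optional[str]   # compensating control of an active exception


def parse_trivy_report(report_json: str) -> List[Finding]:
    """Flatten Results[].Vulnerabilities[] from a Trivy JSON report.
    The field names used here are those of Trivy's JSON output as assumed
    by this example; adjust if your scanner emits a different layout."""
    doc = json.loads(report_json)
    findings = []
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                vuln_id=v["VulnerabilityID"],
                package=v["PkgName"],
                installed=v["InstalledVersion"],
                fixed=v.get("FixedVersion") or None,
                severity=str(v.get("Severity", "UNKNOWN")).upper(),
                target=result.get("Target", ""),
            ))
    return findings


def triage(findings: List[Finding], detected_on: date, as_of: date,
           exceptions: Dict[str, Tuple[str, date]]) -> List[TriageResult]:
    """Assign a due date per severity and flag items past it.
    `exceptions` maps vuln_id -> (compensating control, expiry date). An
    expired exception no longer suppresses the overdue flag, so exceptions
    must be re-approved rather than silently living forever."""
    results = []
    for f in findings:
        days = SLA_DAYS.get(f.severity)
        due = detected_on + timedelta(days=days) if days is not None else None
        exc = exceptions.get(f.vuln_id)
        active_control = exc[0] if exc is not None and exc[1] >= as_of else None
        overdue = due is not None and as_of > due and active_control is None
        results.append(TriageResult(f, due, overdue, active_control))
    return results


def overdue_ids(report_json: str, detected_on_iso: str, as_of_iso: str,
                exceptions_iso: Dict[str, Tuple[str, str]]) -> List[str]:
    """Convenience wrapper taking ISO-8601 dates; returns sorted overdue IDs."""
    exceptions = {k: (ctrl, date.fromisoformat(exp))
                  for k, (ctrl, exp) in exceptions_iso.items()}
    results = triage(parse_trivy_report(report_json),
                     date.fromisoformat(detected_on_iso),
                     date.fromisoformat(as_of_iso), exceptions)
    return sorted(r.finding.vuln_id for r in results if r.overdue)


# Constructed sample report: placeholder IDs and versions, not real CVE data.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "wallet-backend:1.2.3 (alpine 3.19)", "Type": "alpine",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "openssl",
         "InstalledVersion": "3.1.0-r0", "FixedVersion": "3.1.4-r0", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "busybox",
         "InstalledVersion": "1.36.0-r0", "FixedVersion": "1.36.1-r0", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "zlib",
         "InstalledVersion": "1.2.13-r0", "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-00004", "PkgName": "libcap",
         "InstalledVersion": "2.69-r0", "FixedVersion": "2.69-r1", "Severity": "LOW"},
    ]}]})

if __name__ == "__main__":
    # Example run: scan taken 2024-01-01, reviewed 2024-02-05, one approved
    # exception on the critical finding that is still within its expiry.
    exc = {"CVE-0000-00001": ("service not reachable from untrusted networks", date(2024, 2, 28))}
    for r in triage(parse_trivy_report(SAMPLE_REPORT), date(2024, 1, 1), date(2024, 2, 5), exc):
        status = "OVERDUE" if r.overdue else ("EXCEPTION" if r.exception else "within SLA")
        print(f"{r.finding.vuln_id} {r.finding.severity:<8} due={r.due} {status}")
```

Running the script prints one line per finding with its due date and status; the `overdue_ids` helper returns the same result as a list so the check can be wired into a CI gate that fails the release when any ID is past its SLA without an active exception.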
Source References
Framework Requirements
EUDI Security Requirements: WIN-8.4.3-Sec-03, CS-I.2-Vuln
FitCEM Wallet Instance: FIT-CS-01, FIT-NF-01
ISO 27001 Annex A: A.5.21, A.8.7, A.8.8
OWASP ASVS 4.0.3 Level 3: V1.10, V1.14, V10.1, V10.2, V10.3, V14.1, V14.2
STRIDE Threat Model: CC-T-1