Back to governance document pack

Governance document

Vulnerability Management Program

Vulnerability identification, prioritization, remediation, validation, evidence, and reporting.

Download PDF

Vulnerability Management Program

Last updated: 12/14/2025

Purpose

This program defines how CIC identifies, prioritizes, remediates, validates, and reports vulnerabilities affecting applications, APIs, infrastructure, endpoints, third-party dependencies, and production integrations.

Scope

This program applies to:

  • CIC web applications, APIs, notification services, landing pages, and administrative portals.
  • Production infrastructure and cloud configuration.
  • Open-source dependencies and third-party libraries.
  • Container, runtime, operating system, and package dependencies where applicable.
  • Endpoints and corporate devices.
  • Financial, identity, support, messaging, monitoring, and email integrations.

Vulnerability Sources

CIC may identify vulnerabilities through:

  • Dependency scanning.
  • Code review.
  • Static analysis.
  • Dynamic testing.
  • Cloud configuration review.
  • Penetration testing.
  • Independent audits.
  • Vendor notifications.
  • Security advisories.
  • User or researcher reports.
  • Incident investigations.

Severity Ratings

Vulnerabilities must be prioritized based on severity and exploitability.

Severity factors include:

  • CVSS or provider severity.
  • Exposure to the internet.
  • Authentication required.
  • Data sensitivity.
  • Financial or transaction impact.
  • Availability impact.
  • Known exploitation.
  • Ease of remediation.
  • Compensating controls.

Remediation Targets

Target remediation timelines should be risk based.

SeverityTarget
CriticalAs soon as practical, with emergency handling where needed
HighPrioritized remediation in the next planned release or sooner
MediumScheduled remediation based on risk and exposure
LowRemediate through routine maintenance

When remediation cannot be completed within target, CIC must document the reason, owner, compensating control, and revised date.

Dependency Management

CIC must monitor dependencies for known vulnerabilities.

Requirements:

  • Keep lockfiles current.
  • Review security advisories.
  • Test dependency updates before deployment.
  • Avoid unsupported runtime versions.
  • Prioritize dependencies affecting authentication, authorization, data processing, payments, financial APIs, file upload, and admin functionality.

Validation

Remediation must be validated through:

  • Re-scan.
  • Test evidence.
  • Code review.
  • Configuration review.
  • Penetration retest where applicable.
  • Deployment verification for production-impacting fixes.

Evidence

CIC should retain:

  • Vulnerability reports.
  • Dependency scan output.
  • Finding tracker.
  • Risk acceptance records.
  • Remediation PRs or tickets.
  • Validation evidence.
  • Exception approvals.

Metrics

CIC should monitor:

  • Open vulnerabilities by severity.
  • Aging critical and high vulnerabilities.
  • Remediation time.
  • Reopened findings.
  • Vulnerabilities by system owner.
  • Exceptions and accepted risks.

Review

This program must be reviewed at least annually and after material incidents or audit findings.