Need help organizing your Coordinated Vulnerability Disclosure (CVD) policy?

Cyber threats arise from vulnerabilities in the ICT infrastructure, applications and/or in the organization of business activities. They can undermine the effective protection of company activities and of company and personal data. Ultimately, these vulnerabilities can threaten the continuity of business operations and even shut down a company. The causes of the vulnerabilities can lie in, for example, the complexity of the digital systems, the lack of “security by design”, incorrect implementation and/or insufficient testing. The causes may also lie with chain partners who supply products, applications and services to the company.

Sharing research results

A vulnerability can be noticed by an unknown researcher. If this researcher acts in good faith, they will be willing to share the research results with the company. It is important to handle the researcher/reporter and the report correctly, to prevent the information from falling into unwanted hands before the company can resolve the vulnerability.

With a Coordinated Vulnerability Disclosure (CVD) policy, a company can arrange that vulnerabilities identified outside the company are handled in a controlled manner (under your direction). The policy sets out frameworks for documenting and analyzing these vulnerabilities and quickly resolving them by taking appropriate measures.

As a result, the consequences for business operations are limited. On its website, the company states in a CVD policy how vulnerabilities can be reported and under what conditions.

Embedding in your own organization

Before a company can go public with a CVD statement, CVD must first be set up within its own organization. After all, promising a researcher that reports will be handled according to agreed rules and then failing to do so can have the opposite effect, causing the researcher to take other paths to exploit the vulnerability.

What is our approach?

A company has to make choices about how it wants to organize CVD. If little knowledge and/or capacity is available, the process can be outsourced. You can also opt for partial outsourcing and supplement your own knowledge through training.

Support

We can support you with:

  • Supporting the preparation of a business case to explore possibilities and make informed decisions;
  • Drawing up an internal CVD policy and an external CVD policy;
  • Developing roles, tasks and powers;
  • Drawing up a procedure to handle a report properly and in a timely manner, including documentation and reporting;
  • Making agreements with experts, such as those with technical IT and legal expertise, to be available on demand when dealing with a vulnerability;
  • Training employees to perform roles; and
  • Maintaining contact with the reporter.

Recognizing vulnerabilities

Most companies use cloud service providers to support business processes with IT products and services that organize business operations effectively. With most cloud services, the provider offers a range of professional controls aligned with, for example, the NIST Cybersecurity Framework Core (April 2018).

MYOBI Trust Network adds to this NIST framework the management of vulnerabilities in company IT products and services that have been identified by researchers: Coordinated Vulnerability Disclosure.


Do you have any questions or would you like to make an appointment?

Do you have questions about organizing, implementing or expanding your accountability? Our service owner, André Biesheuvel or one of his colleagues, will be happy to discuss your specific case.