Vulnerability Management Policy

The Vulnerability Management Policy outlines the systematic approach our organisation takes to identify, assess, remediate, and monitor vulnerabilities to protect our technology infrastructure and maintain the integrity, confidentiality, and availability of data.

1. Policy Statement

Objective 1 Ltd is committed to protecting its information assets and technology infrastructure from threats and vulnerabilities that could compromise the confidentiality, integrity, or availability of data. The purpose of this Vulnerability Management Policy is to establish a systematic and consistent approach to identifying, assessing, remediating, and monitoring vulnerabilities within our systems and networks.

2. Scope

This policy applies to all technology systems, networks, and applications owned, operated, or managed by Objective 1 Ltd, including third-party services integrated into our environment. All employees, contractors, and third-party vendors with access to Objective 1 Ltd's technology resources are also subject to this policy.

3. Roles and Responsibilities

  • Information Security Team: Responsible for overseeing the Vulnerability Management Program, including vulnerability scanning, risk assessment, and coordination of remediation efforts.
  • IT Department: Responsible for implementing remediation actions, patch management, and maintaining system configurations.
  • Department Heads: Responsible for ensuring their teams comply with this policy and assisting in the remediation process as required.
  • Employees and Contractors: Responsible for adhering to this policy and reporting any vulnerabilities or security incidents.

4. Identification of Vulnerabilities

Regular vulnerability scans will be conducted on all in-scope systems and applications using approved scanning tools. Penetration tests will be performed annually and/or after significant changes to the infrastructure or applications. All identified vulnerabilities will be documented and tracked until remediation.

5. Vulnerability Assessment and Prioritization

Vulnerabilities will be assessed on the basis of their potential impact and the likelihood of exploitation. Remediation will be prioritised according to the assessed risk, with high-risk vulnerabilities addressed first.

6. Remediation

A plan for remediation of identified vulnerabilities will be developed, detailing the required actions, responsible parties, and timelines. Where immediate remediation is not possible, temporary mitigating controls will be implemented to reduce risk. All remediation efforts will be documented, including details of the vulnerability, remediation actions, and verification of mitigation.

7. Compliance

Compliance with this policy is mandatory. Any exceptions must be approved by the Information Security Team. Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contracts.

8. Policy Review and Update

This policy will be reviewed annually and updated as necessary to reflect changes in technology, threats, and business operations. Feedback from stakeholders will be considered as part of the review process.

9. Communication

This policy will be communicated to all relevant stakeholders. Training and awareness programs will be developed to ensure understanding and compliance with this policy.

10. Approval and Implementation

This policy is approved by Andrew Booth and is effective as of 16th March 2024. All departments and individuals subject to this policy are responsible for its implementation and compliance.