Virtus Group - Vulnerability Management Procedure
v1.2 FINAL • Standardised 2025-09-04
Owner: Virtus Group Ltd • Audience: Clients, Reviewers & Operations • Classification: Public • Next Review: 2026-09-04
Executive Summary
This document describes Virtus Group’s standard for this area and how it is applied in practice. It is derived from our internal policies and standards and is intended for both reviewers and operations.
Scope & Assumptions
- In scope: systems and processes directly managed by Virtus Group per contract.
- Out of scope: client-owned or third‑party systems not onboarded to our managed service.
- Dependencies: connectivity, power, and named client contacts for decision making.
Requirements (Key Controls)
- Cybersecurity operations must address the following domains: (VGL.Cybersecurity.Operations.Standard.docx)
- Configuration Management – Apply secure baselines, monitor for deviations, and enforce hardening standards. (VGL.Cybersecurity.Operations.Standard.docx)
- This standard must be reviewed every 2 years or following major incidents or regulatory changes. (VGL.Cybersecurity.Operations.Standard.docx)
- All incidents and audits must include a post-mortem or lessons learned exercise, feeding into continual improvement. (VGL.Cybersecurity.Operations.Standard.docx)
- This document will be reviewed at least once every two years, or whenever a major update is required, whichever happens first. (VGL.Cybersecurity.Operations.Standard.docx)
- Incident response procedures must be followed in case of breach (VGL.Cybersecurity.Policy.docx)
- All suspected incidents must be reported immediately to the employee’s People Leader, HR Manager, or Head of Security & Compliance.Contact: hr@virtusgroup.biz | compliance@virtusgroup.biz | hello@virtusgroup.biz | 0800 847 887 (VIRTUS). (VGL.Drug.and.Alcohol.Policy.docx)
- Director – Provides governance and strategic oversight of health and safety.Board – Ensures resources are allocated and fosters a strong health and safety culture.Head of Security & Compliance – Owns this policy, ensures compliance with legal and ISO/NZ requirements.Health and Safety Officer – Develops, maintains, and monitors the health and safety management system, conducts risk assessments, coordinates training, investigates incidents, and reports to leadership.Senior Leadership Team – Integrates health and safety into planning and decision-making, promotes awareness, and monitors performance.Team Leaders – Ensure compliance in teams, conduct safety checks, investigate incidents, and promote reporting of hazards.All Staff Members – Follow health and safety requirements, participate in training, report hazards and incidents, and take reasonable care of themselves and others.Visitors – Must comply with Virtus Group’s health and safety policies while on site and report concerns to their company contact or Health and Safety Officer. (VGL.Health.And.Safety.Policy.docx)
- All incidents, injuries, and near-misses must be reported promptly. (VGL.Health.And.Safety.Policy.docx)
- Director – Provides governance and strategic oversight of health and safety.Board – Ensures resources are allocated and fosters a strong health and safety culture.Head of Security & Compliance – Owns this policy, ensures compliance with legal and ISO/NZ requirements.Health and Safety Officer – Develops, maintains, and monitors the health and safety management system, conducts risk assessments, coordinates training, investigates incidents, and reports to leadership.Senior Leadership Team – Integrates health and safety into planning and decision-making, promotes awareness, and monitors performance.Team Leaders – Ensure compliance in teams, conduct safety checks, investigate incidents, and promote reporting of hazards.All Staff Members – Follow health and safety requirements, participate in training, report hazards and incidents, and take reasonable care of themselves and others.Visitors – Must comply with Virtus Group’s health and safety policies while on site and report concerns to their company contact or Health and Safety Officer. (VGL.Health.And.Safety.Policy_v2_Document_Hierarchy.docx)
- All incidents, injuries, and near-misses must be reported promptly. (VGL.Health.And.Safety.Policy_v2_Document_Hierarchy.docx)
- Security incidents must be reported immediately. (VGL.Information.Security.Policy.docx)
- Incident response plans must be maintained and tested. (VGL.Information.Security.Policy.docx)
- Vulnerability scans must be conducted quarterly (VGL.Cybersecurity.Policy.docx)
- Penetration testing, vulnerability scanning, and IDS/IPS validation are required. (VGL.Information.Security.Assurance.Procedure.docx)
- Vulnerability management processes must ensure timely patching. (VGL.Information.Security.Policy.docx)
- Automated vulnerability scanning and static/dynamic code analysis required (VGL.System.Acquisition.and.Development.Standard.docx)
- Security patches must be applied within 14 days for high-risk vulnerabilities, 30 days for medium-risk (VGL.Cybersecurity.Policy.docx)
Procedures / Playbooks
| Severity | Target Remediation SLA |
|---|---|
| Critical | ≤ 7 days |
| High | ≤ 14 days |
| Medium | ≤ 30 days |
| Low | ≤ 90 days |
Baseline Targets
| Severity | Remediation SLA | Notes |
|---|---|---|
| Critical | ≤ 7 days (≤ 72h if internet‑facing) | Expedite with emergency change if needed |
| High | ≤ 14 days | |
| Medium | ≤ 30 days | |
| Low | ≤ 90 days |
- Scanning: external perimeter weekly (or continuous); internal authenticated monthly; ad‑hoc after major changes
- Exceptions: time‑boxed risk acceptance with expiry ≤ 30 days and compensating controls
KPIs & Reporting
- Critical ≤ 7d, High ≤ 14d, Medium ≤ 30d, Low ≤ 90d
- Scan coverage ≥ 95% of fleet
Evidence & Records
Records are maintained per the VGL Document & Record Control guidelines, including logs, approvals, test outputs, meeting minutes, and reports.
© Virtus Group Ltd — Final version.