Vulnerability Severity Framework
- James W.
- 3 days ago
- 1 min read

LinkedIn Post 10: Vulnerability Severity Framework
When a vulnerability is discovered in a building device, what's your response timeline?
Days? Weeks? "When we get around to it"?
Establish severity levels and response targets:
- Critical (remote code execution): Patch within 2 weeks
- High (unauthorized access): Patch within 4 weeks
- Medium (partial access): Patch within 8 weeks
- Low (theoretical/low-impact): Patch within 6 months
Make these targets clear to vendors, contractors, and building ownership. Track compliance.
This demonstrates to regulators that you have a systematic approach to vulnerability management, not an ad-hoc response process.
A documented SLA for patches is evidence of security governance.
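One way to turn these targets into the compliance tracking the post calls for, as an added Python example (not code from the author or from any product the post refers to): each finding carries a severity and a discovery date, the due date is derived from the severity table, and a report counts what was closed on time, closed late, still open within its window, or overdue. The week and month conversions (2 weeks = 14 days, 6 months = 180 days), the `Finding` fields, and the sample findings are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response targets from the post, converted to calendar days.
# Assumption: a week is 7 days and "6 months" is counted as 180 days.
SLA_DAYS = {
    "critical": 14,   # remote code execution: patch within 2 weeks
    "high": 28,       # unauthorized access: patch within 4 weeks
    "medium": 56,     # partial access: patch within 8 weeks
    "low": 180,       # theoretical / low-impact: patch within 6 months
}


@dataclass
class Finding:
    """One vulnerability on one building device (field names are assumptions)."""
    finding_id: str
    device: str
    severity: str
    discovered: date
    patched: Optional[date] = None   # None while the fix is still outstanding


def due_date(f: Finding) -> date:
    """Deadline implied by the severity table; unknown severities are rejected
    rather than silently given a generous window."""
    if f.severity not in SLA_DAYS:
        raise ValueError(f"unknown severity {f.severity!r}; expected one of {sorted(SLA_DAYS)}")
    return f.discovered + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, today: date) -> str:
    """Classify a finding relative to its SLA as of `today`."""
    due = due_date(f)
    if f.patched is not None:
        return "closed_on_time" if f.patched <= due else "closed_late"
    return "overdue" if today > due else "open"


def compliance_report(findings, today: date) -> dict:
    """Counts per status, the on-time rate for closed findings, and a list of
    (finding_id, days_overdue) for anything past its deadline and still open."""
    report = {"total": len(findings), "closed_on_time": 0, "closed_late": 0,
              "open": 0, "overdue": 0, "overdue_ids": [], "on_time_rate": None}
    for f in findings:
        s = status(f, today)
        report[s] += 1
        if s == "overdue":
            report["overdue_ids"].append((f.finding_id, (today - due_date(f)).days))
    closed = report["closed_on_time"] + report["closed_late"]
    if closed:
        report["on_time_rate"] = report["closed_on_time"] / closed
    return report


# Constructed sample data: four findings on hypothetical building devices.
SAMPLE_FINDINGS = [
    Finding("F-1", "bms-controller-01", "critical", date(2024, 1, 10), patched=date(2024, 1, 20)),
    Finding("F-2", "hvac-gateway-02", "high", date(2024, 1, 5)),                 # still unpatched
    Finding("F-3", "access-panel-03", "medium", date(2024, 2, 15)),              # still unpatched
    Finding("F-4", "lighting-ctl-04", "low", date(2023, 6, 1), patched=date(2024, 1, 15)),
]
AS_OF = date(2024, 3, 1)   # the reporting date used for the sample


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.finding_id, f.severity, "due", due_date(f), "->", status(f, AS_OF))
    print(compliance_report(SAMPLE_FINDINGS, AS_OF))
```

The report is the artefact to hand to building ownership or a regulator: the overdue list names the devices whose vendors or contractors missed the target, and the on-time rate over closed findings is the headline compliance figure the post suggests tracking.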