Vulnerability Management Procedure
This procedure defines how LEF tracks, prioritizes, and remediates vulnerabilities.
| Owner | Information Security Officer |
| Contact | infra@lef.tec.br |
| Version | 1.1 |
| Last updated | 2025-03-26 |
| Review cadence | Annual (or after major changes) |
If you discover a vulnerability
- Report it to infra@lef.tec.br with the affected system, evidence, and impact.
- Don’t exploit it further or share details broadly; limit discussion to the people who need to act.
- If it affects a client environment, notify the project lead and coordinate the response.
1. Purpose
Ensure that LEF has a consistent and pragmatic process for identifying and assessing vulnerabilities in its critical systems and IT infrastructure, with remediation based on risk and project relevance.
2. Scope
Applies to all systems, applications, and services managed by LEF that support internal operations and project delivery.
3. Core Practices
- Systems are updated frequently as part of standard IT operations.
- Access to internal infrastructure is restricted through VPN with MFA.
- Project-specific infrastructure is reviewed during planning and maintained throughout its lifecycle.
4. Identification of Vulnerabilities
- LEF relies on trusted IT partners (e.g., Microsoft, EVEO, Red Hat) for vulnerability tracking and security advisory updates.
- Formal vulnerability remediation is initiated only when a risk is communicated via a project, client, or advisory process.
- Informal threat intelligence may be gathered through community channels but does not initiate automatic remediation.
5. Remediation Process
- When relevant, patches are applied after validation for system compatibility.
- In project-specific environments, updates are addressed based on scope and client expectations.
- Critical vulnerabilities are escalated to the Information Security Officer for decision-making on containment or access limitation.
6. Tools and Techniques
- Updates are performed using native OS and application update managers.
- Remote infrastructure is accessed and secured via VPN with MFA and, where supported, OIDC.
7. Data Loss Prevention (DLP) and Information Leakage Control
- LEF relies on Microsoft 365 and its built-in security features to help prevent unauthorized sharing of data.
- Files are stored in Microsoft 365 and EVEO private cloud environments, both of which are access-controlled.
- Data is transmitted securely using TLS/HTTPS protocols.
- Access to project documents is granted only to authorized personnel via role or project assignment.
- Credentials are revoked promptly upon offboarding or project completion.
- VPN with MFA and platform-based protections reduce the risk of accidental or intentional data exposure.
8. Roles and Responsibilities
- Information Security Officer: Coordinates response when a vulnerability is deemed relevant and oversees DLP practices.
- IT/Infra: Maintains update schedules, performs system maintenance, and ensures technical controls for data protection are in place.
- Project Leads: Flag security-related issues within project environments and ensure secure handling of project data.
9. Review and Documentation
- Practices are reviewed periodically or following notable advisories.
- Remediation actions, when taken, are documented and shared with relevant stakeholders.
10. Contact
For security concerns or questions about system vulnerabilities or data protection: infra@lef.tec.br
Records / evidence
- Vulnerability intake (reports/advisories):
- Triage decisions and remediation actions:
- Risk acceptance / deferrals: