Vulnerability Management Policy: CheckTick

Version: 1.1
Last Reviewed by SIRO: 02/01/2026
Approval Status: Approved

1. Purpose

This policy outlines how CheckTick identifies, assesses, and remediates security vulnerabilities within our software stack and infrastructure to protect health and care data.

2. Software Stack Monitoring

CheckTick utilizes a modern Python/Django stack. We monitor for vulnerabilities at three levels:

  • Application Code: Static Analysis (CodeQL), manual code reviews, and automated linting.
  • Dependencies: Continuous monitoring of Python packages (PyPI) and JavaScript libraries.
  • Infrastructure: Monitoring of Northflank container images and Ubuntu base OS layers.

3. Automated Detection & Intelligence

We utilize a multi-feed monitoring strategy to ensure complete visibility across application code, dependencies, and infrastructure:

  • GitHub Dependabot: 24/7 monitoring of repository dependencies.
  • pip-audit: Integrated into CI/CD for daily deep scans of the Python environment.
  • GitGuardian (ggshield): Real-time detection of hardcoded secrets or credentials.
  • NCSC Early Warning Service: National-level intelligence on infrastructure and IP-based threats (UK Sovereign feed).
  • Alerting: Security alerts are delivered immediately to the CTO and SIRO via secure channels.

4. Remediation Timelines

  Severity     Definition                            Target Remediation
  -----------  ------------------------------------  -------------------------------
  Critical     Immediate risk of data breach.        Within 48 hours
  High         Significant risk to data integrity.   Within 14 days
  Medium/Low   Minimal impact/risk.                  Within 30 days / Next release

Note: If a vendor patch is unavailable for a Critical vulnerability, CheckTick will implement mitigating controls (e.g., Northflank Network Isolation or service suspension) within the 48-hour window.

5. Patch Management Process

  1. Identification: Alert received via automated feeds (GitHub/NCSC/Audit).
  2. Assessment: The CTO assesses the "reachability" of the vulnerability in the CheckTick environment.
  3. Testing: Patches are applied in a staging environment and verified against the automated test suite.
  4. Deployment: Successful patches are deployed to production via our automated Northflank pipeline.
  5. Verification: Production logs and pip-audit logs are checked to confirm the fix is active.

6. Zero-Day Vulnerabilities

In the event of a high-profile "Zero-Day," the CTO will initiate an emergency review of all infrastructure components within 24 hours. Emergency remediations are documented in the Vulnerability & Patch Log and reviewed by the SIRO.

7. Unsupported Software & Technical Debt

  • No EOL Software: CheckTick does not use any software, OS, or libraries that are no longer supported.
  • Sovereign Compliance: We prioritize UK-resident base images (Ubuntu 22.04 LTS) and maintain 100% estate support as evidenced in our Asset Register.
  • Deprecation Monitoring: The CTO reviews the stack quarterly. Any component nearing 'End of Life' is scheduled for upgrade at least 3 months in advance.

Approved By: [DPO Name] Date: 02/01/2026