Internal Documentation

Vulnerability Management Policy

Please direct questions and comments to the #tech_security channel in Slack.

POLICY STATEMENT

This policy represents Cadence OneFive’s practices and procedures for managing technical vulnerabilities and our efforts to mitigate associated risks.

The purpose of this policy is to establish binding and practical rules for the review, evaluation, application, and verification of all software development activities to create valuable products while mitigating vulnerabilities in the IT environment and the risks associated with them.

PROCEDURES

ENDPOINT PROTECTIONS (ANTIVIRUS AND MALWARE)

All public facing Cadence OneFive-owned or managed information resources must use only Cadence OneFive-approved endpoint protection software and configuration.

All non-Cadence OneFive-owned resources with access to the Cadence OneFive cloud must use software and configurations that comply in all material terms with this requirement as well, with exceptions only to be approved by Cadence OneFive. Endpoint protection software must not be altered, bypassed, or deleted.

Interaction with websites across the Internet and use of external storage media present risks of viruses or malware. Cadence OneFive implements controls to prevent or detect the use of known or suspected malicious websites. All files received over networks from any external storage device must be scanned for viruses/malware before use. Any determination that a virus or malware has entered Cadence OneFive resources constitutes a security incident and must be reported immediately to Cadence OneFive management.

LOGGING AND ALERTING

Documented baseline configurations for all Cadence OneFive resources must include log settings to record actions or events that may affect or be relevant to information security. Event logs are to be maintained in a central log management solution that protects the logs from tampering or unauthorized access. Cadence OneFive management will conduct periodic reviews of log files, and all exceptions and anomalies identified during those reviews will be documented and reviewed by management. Log files will be maintained for 90 days.

All servers and network equipment must retrieve time information from a single reference time source on a regular basis to ensure that log timestamps are consistent.

PATCH MANAGEMENT

Cadence OneFive’s IT team maintains overall responsibility for patch management implementation, operations, and procedures. All Cadence OneFive resources will be scanned on a regular basis to identify missing updates, if any. Cadence OneFive IT management will review the security implications of any missing updates and implement updates in a timely manner in accordance with the level of risk presented by the missing updates.

Software updates and configuration changes must be tested prior to deployment, and verification of successful deployment will be conducted within a reasonable period of time post-deployment. Cadence OneFive IT management will maintain records of all such deployments.

VULNERABILITY SCANNING AND PENETRATION TESTING

Cadence OneFive IT management will conduct internal and external network vulnerability scans on at least a quarterly basis, and after any significant change to the network or Cadence OneFive systems. Failed vulnerability scan results rated as critical risk or high risk will be remediated immediately and rescanned until all critical or high risks are resolved. Evidence of an actually compromised Cadence OneFive resource discovered during vulnerability scanning must be reported to Cadence OneFive IT management immediately.

Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually. Any exploitable vulnerability found during a penetration test will be corrected and retested to verify resolution of the vulnerability.

WAIVERS AND ENFORCEMENT

Cadence OneFive employees may seek waivers or adjustments to these procedures. Any such waivers will be limited in time and scope and appropriately documented.

Any employee, vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including termination of access rights, contracts, or employment, and related civil or criminal penalties.

Visibility

This document is confidential and is a proprietary work product of Cadence OneFive. The information contained herein may not be copied or distributed without the specific written consent of Cadence OneFive.