Vulnerability Assessment and Management

Introduction:

Vulnerability scanning is a tool to help American Consumer Credit Counseling (ACCC) identify vulnerabilities on its networked computing devices. The results of the vulnerability scans inform management and computing device administrators of known and potential vulnerabilities, so those vulnerabilities can be addressed and managed. Vulnerability scanning can also be used at a broader level to ensure that campus information security practices are working correctly and are effective.

Scope:

This policy applies to employees, contractors, vendors and agents with access to ACCC information systems. It also applies to remote access connections used to do work on behalf of ACCC. This policy applies to all ACCC-owned devices connected to the network and may apply to personally-owned devices if used exclusively or extensively to conduct ACCC-related business.

Standard:

Approved Scanning Tool

While there are numerous tools that can provide insight into the vulnerabilities on a system, not all scanning tools have the same set of features. The ACCC Information Technology (IT) Manager is responsible for approving and overseeing ACCC's use of an enterprise scanning and assessment tool. Use of any other vulnerability scanner must be justified in writing and approved by the IT Manager.

Any approved scanning tool must be capable of scanning information systems from a central location and be able to provide remediation suggestions. It must also be able to associate a severity value with each vulnerability discovered, based on the relative impact of the vulnerability to the affected unit.

Periodic Vulnerability Assessment – Existing Devices

ACCC is required to conduct a vulnerability assessment of all its networked computing devices on a periodic basis. At a minimum, IT shall run authenticated scans from the enterprise-class scanning tool on a quarterly basis against all networked computing devices within its control.

Monthly scans are required for the following networked computing devices:

- Any ACCC computing devices that are known to contain Personally Identifiable Information (PII)
- Any ACCC computing devices that must meet specific regulatory requirements, e.g., PCI, HIPAA, etc.
- All file-system images or virtual machine templates used as base images for building and deploying new workstations or servers
- All devices that are used as servers or used for data storage
- Any network infrastructure equipment

The approved enterprise vulnerability scanning tool must be used to conduct the scans unless otherwise authorized.

Scans shall be performed during hours appropriate to the business needs of the entity and to minimize disruption to normal business functions.

Data from scans are to be treated as Internal-Confidential.

The assessment will scan networked computing devices from inside the perimeter of ACCC's network.

Computing device or system administrators must not make any temporary changes to networked computing devices for the sole purpose of passing an assessment. Any attempts to tamper with results will be referred to management for potential disciplinary action.

No devices connected to the network shall be specifically configured to block vulnerability scans from authorized scanning engines.

Vulnerabilities on networked computing devices shall be mitigated and eliminated through proper analysis and repair methodologies.

New Information System Vulnerability Assessment

No new information system shall be considered in production until a vulnerability assessment has been conducted and vulnerabilities addressed. IT will conduct vulnerability assessments:

- at the completion of the operating system installation and patching phase
- at the completion of the installation of any vendor-provided or in-house developed application
- just prior to moving the information system into production
- at the completion of an image or template designed for deployment of multiple devices
- for vendor-provided information systems, prior to user acceptance testing and again before moving into production
- for all new network infrastructure equipment, during the burn-in phase and prior to moving to production

At the completion of each of the above vulnerability assessments, all discovered vulnerabilities must be documented and remediated. IT must keep a record of all assessments and be able to produce copies if requested by management or an external auditor.

Limitation of Scanning

IT shall not conduct intrusive scans of systems that are not under its direct authority:

- IT is responsible for ensuring that vendor-owned equipment is free of vulnerabilities that can harm ACCC information systems. The vendor must be informed and permitted to have staff on hand at the time of scans. If a vendor does not provide staff, scans must be conducted to determine the security status of vendor-owned devices residing on ACCC's network.
- Vendors are not permitted to conduct scans of ACCC information systems without the express permission of ACCC's IT Manager.
- At no time shall a computing device/system administrator ever conduct a scan on the public network or Internet unless such activity is authorized based on a contractual relationship. Authorization must be in writing and approved by the IT
- worked computing devices that appear to be causing disruptive behavior on the network may be scanned by Information Services using nonintrusive methods to investigate the source of the disruption.

Remediation

At the end of each quarterly assessment, IT will maintain documentation showing:

- All discovered vulnerabilities, the severity, and the affected information system(s).
- For each discovered vulnerability, detailed information on how the vulnerability will be remedied or eliminated.

The reports produced by the enterprise vulnerability scanning tool may be used as the above documentation. As part of the annual information security self-assessment process, IT will be required to document vulnerability scanning and remediation efforts based on the above documentation.

Discovered vulnerabilities will be remediated and/or mitigated based on the following rules:

- Critical, High and Medium vulnerabilities will be fully addressed within 30 calendar days of discovery.
- Low vulnerabilities will be addressed within 90 calendar days of discovery.

Vulnerabilities are considered remediated when the risk of exploitation has been fully removed and subsequent scans of the device show the vulnerability no longer exists. Typically, this is accomplished by patching the operating system/software applications or by upgrading software.

External Audit

The IT Manager reserves the right to independently audit each unit at will or at the request of management. These audits will review existing scanning data and verify that vulnerabilities were remediated. Any discrepancies will be noted and reported to the IT Manager and senior management.

Use of Outside Contractors

IT may use outside contractors to complete the required work; however, the contractors must use an enterprise-class assessment tool with the same capabilities as the approved tool. If contractors are engaged to conduct scans using the Approved Scanning Tool defined herein, approval must be obtained from the IT Manager.

Definitions:

Authenticated Scan - A type of scan that requires appropriate credentials to authenticate to a machine to determine the presence of a vulnerability without having to attempt an intrusive scan.

Information Systems - Software, hardware and interface components that work together to perform a set of business functions.

Internal-Confidential - The requirement to keep certain information accessible only to those authorized to access it and those with a need to know. For this purpose, those authorized would only be those within ACCC with a designated need to know.

Intrusive Scan - A type of scan that attempts to determine the presence of a vulnerability by actively executing a known exploit.

Networked Computing Device - Any computing device connected to the network that provides the means to access, process and store information.

Network Infrastructure Equipment - Equipment which provides information transport, e.g., routers, switches, firewalls, bridging equipment, etc.; does not include network servers and workstations unless such devices serve the specific function of providing transport.

System Administrator/Computing Device Administrator - The individual or individuals responsible for the overall implementation and maintenance of a networked computing device.

Threat - Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service, or something or someone that can intentionally or accidentally exploit a vulnerability.

Vulnerability - A security exposure in an operating system or other system software or application software component, including but not limited to: missing operating system and application patches, inappropriately installed or active applications and services, software flaws and exploits, misconfigurations in systems, etc.

Responsibilities:

Information Technology Management, including IT Manager and IT Supervisors
- Supports and enforces this standard as indicated, approves and submits the annual risk self-assessment
- Requests internal audits, procures and/or assigns the resources necessary to implement the standard
- Supervises and coordinates vulnerability assessments and remediation processes
- Determines who maintains documentation
- Notifies device users and support staff involved in implementing the processes
- Requests exceptions

System Administrator/Computing Device Administrator
- Supports and complies with this policy as indicated
- Implements best practices to comply with assessment results or remediate vulnerabilities
- Ensures any computing devices in their area are being scanned according to this standard
- Remediates vulnerabilities within specified timeframes unless a written exception or extension has been requested and approved
- Actively monitors for available patches to remediate vulnerabilities for which an exception or extension has been granted
- Produces required documentation using the enterprise scanning tool
- Notifies device users of scheduled scans and remediation tasks that may affect the user or require additional work from the user
- Escalates to management

Information Technology Manager
- Approves and oversees ACCC use of an enterprise-class vulnerability scanner to conduct scans
- Reviews and approves use of alternate scanning tools as needed
- Conducts annual compliance reviews and risk assessments
- Advises on ACCC vulnerability assessment and remediation processes
- May audit and monitor scanning activity to verify compliance
- Notifies senior management of non-compliance
- In consultation with a Managed IT Service Provider, the IT Manager can approve or deny requests for exceptions
- Authorizes removal of devices from the network

Non-Compliance and Exceptions:

Any department needing an exception to this policy must have it approved by the IT Manager. Examples of possible exceptions include but are not limited to:

- If a critical vulnerability cannot be remediated but there are compensating controls in place that reduce or eliminate the risk
- If a critical vulnerability cannot be remediated or controlled, e.g. no patch is currently available, or the remediation could affect service availability or service contracts, etc.
- If a device should not or cannot be scanned at the frequency required by this standard

Once an exception is granted, if a method to eliminate or to reduce the vulnerability becomes available, the vulnerability must be remediated from that point based on the standard.

A device is non-compliant if one of the following cases is true:

- A critical vulnerability on a computing device is not addressed or has not been remediated in a timely manner as defined in the standard
- A computing device is not being scanned in accordance with the frequency defined herein

If a device is found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the IT Manager, the device may be removed from the ACCC network.