Document No.: VCSATSP Vulnerability and Penetration Testing Policy Revision: 7.0

Size: px

Start display at page:

Download "Document No.: VCSATSP 100-030 Vulnerability and Penetration Testing Policy Revision: 7.0"

Duane Hicks
8 years ago
Views:

1 DOCUMENT INFORMATION VCSATS Policy Number: VCSATSP Title: Policy Owner: Effective Date: 5/1/2013 Revision: 7.0 Vulnerability and Penetration Testing Policy Infrastructure Manager TABLE OF CONTENTS DOCUMENT INFORMATION... 1 TABLE OF CONTENTS PURPOSE SCOPE RESPONSIBILITIES REFERENCES DEFINITIONS POLICY Vulnerability Testing Penetration Testing ENFORCEMENT COMPLIANCE REFERENCE INDEX HISTORY... 5 Page 1 of 5

.. 1 TABLE OF CONTENTS... 1 1. PURPOSE... 2 2. SCOPE... 2 3. RESPONSIBILITIES... 2 4. REFERENCES... 2 5. DEFINITIONS... 3 6.

2 1. PURPOSE This policy defines the guidelines for conducting vulnerability testing and penetration testing of systems within the VCSA division 45 C.F.R (c)(1). 2. SCOPE This policy applies to Vice Chancellor Student Affairs Technology Services. 3. RESPONSIBILITIES TABLE 1 - ROLES AND RESPONSIBILITIES Role Responsibility Infrastructure Manager Oversee the performance of this process Ensure this document remains current and is updated whenever changes to the process occur Review and approve changes to this document Director Technology Services Review and approve changes to this document 4. REFERENCES TABLE 2 - REFERENCES Reference VCSATSP Policy Guidance Location VCSATS Policy Center Page 2 of 5

RESPONSIBILITIES TABLE 1 - ROLES AND RESPONSIBILITIES Role Responsibility Infrastructure Manager Oversee the performance of this process Ensure this document remains current and

3 5. DEFINITIONS The terms and definitions found in VCSATSP Policy Guidance, as referenced in section 4 references, shall apply, unless a term is expressly defined here. The scope of every term expressly defined in this section is limited to this document. TABLE 3 - LOCAL DEFINITIONS Term, Abbreviation, Acronym None Definition 6. POLICY Vulnerability testing and penetration testing is required for Restricted systems. Optionally, non-restricted systems may also apply these standards. 6.1 Vulnerability Testing VCSATS must conduct vulnerability testing on all public-facing systems and Restricted systems with testing of Restricted systems occurring on a regularly scheduled basis PCI DSS (a) External Vulnerability Testing (scans) of Restricted systems must be conducted on a regularly scheduled basis PCI DSS (a) Upon any configuration change to the system, an internal scan must be performed (a) Failed vulnerability scans must be addressed and followed by a retest, repeating these steps until the vulnerability testing completes successfully (b). PCI DSS PCI DSS (b), PCI DSS (b), PCI DSS Upon identification of new vulnerability issues, Firewall configuration standards shall be updated accordingly. 6.2 Penetration Testing External and internal penetration testing shall be performed at least once a year 11.3 (a) External and internal penetration testing shall be performed after any significant infrastructure or application changes PCI DSS 11.3 (a) Penetration testing shall minimally consist of network-layer and application-layer penetration tests PCI DSS , PCI DSS PCI DSS Page 3 of 5

POLICY Vulnerability testing and penetration testing is required for Restricted systems. Optionally, non-restricted systems may also apply these standards. 6.1

4 6.2.4 Exploitable vulnerabilities noted during penetration testing shall be corrected and an adequate retest performed to demonstrate that identified exploit is addressed (b) PCI DSS ENFORCEMENT Any employee found to have violated this policy may be subject to disciplinary action. 8. COMPLIANCE REFERENCE INDEX 45 C.F.R (c)(1)... 2 PCI DSS (a)... 3 PCI DSS (b)... 3 PCI DSS (a)... 3 PCI DSS (b)... 3 PCI DSS (a)... 3 PCI DSS (b)... 3 PCI DSS 11.3 (a)... 3 PCI DSS 11.3 (b)... 4 PCI DSS PCI DSS Page 4 of 5

ENFORCEMENT Any employee found to have violated this policy may be subject to disciplinary action. 8. COMPLIANCE REFERENCE INDEX 45 C.F.R. 164.

5 9. HISTORY Fogbugz Case Description of Changes 1513 Create initial version of this policy. 2352, 2353 Approval requested for version 1.0 of this policy. Approval was not received Updated diagram to version 1.0 which added a swimlane for Approved Scanning Vendor (ASV) 2382, 2383 Requested approvals for version 2.0 of this policy 3209 Updates made in support of UCOP for PnC Hosting project. 3626, 3627 Requested approvals for version 3.0 of this policy (Rejected) 3638 Corrected issues found during approval review. 3658, 3660 Requested approvals for version 4.0 of this policy (Rejected) 3713 Corrected issues found during approval review. 3746, 3747 Requested approvals for version 5.0 of this policy. 4910, 7439 Updated document number to match the approved naming convention. Changed references from critical and PCI to Restricted. Added section , 7635 Requested approvals for version 6.0 of this policy. 8466, 8660 Added HIPAA references, PCI DSS references, and support for penetration testing. 8902, 8903 Requested approval for version 7.0 of this policy. Page 5 of 5

0 of this policy 3209 Updates made in support of UCOP for PnC Hosting project. 3626, 3627 Requested approvals for version 3.

Document No.: VCSATSP 100-040 Restricted Data Encryption Policy Revision: 4.0. Restricted Data Encryption Policy

Document No.: VCSATSP 100-040 Restricted Data Encryption Policy Revision: 4.0. Restricted Data Encryption Policy DOCUMENT INFORMATION VCSATS Policy Number: VCSATSP 100-040 Title: Policy Owner: Restricted Data Encryption Policy Infrastructure Manager Effective Date: 4/22/2013 Revision: 4.0 TABLE OF CONTENTS DOCUMENT