Standard: Vulnerability Management and Assessment



Similar documents
Standard: Information Security Awareness Training

The Importance of Organizing Your SJSU Information Assets

Standard: Patching and Malicious Code Management

Standard: Application Service Provider Security Requirements

Standard: Network Security

Standard: Information Security Incident Management

Standard: Web Application Development

Standard: Retention

Standard: and Campus Communication

Information Technology Security Review April 16, 2012

Standard: Event Monitoring

Ctfo MANAGEMENT SECURITY PATCH. Felicia M. Nicastro. Second Edition. CRC Press. VC#*' J Taylor & Francis Group / Boca Raton London New York

Four Top Emagined Security Services

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

Vulnerability management lifecycle: defining vulnerability management

Taking a Proactive Approach to Patch Management. B e s t P r a c t i c e s G u i d e

Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Standard: Data Center Security

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

The Protection Mission a constant endeavor

White Paper The Dynamic Nature of Virtualization Security

How To Use A Policy Auditor (Macafee) To Check For Security Issues

Information Technology General Controls And Best Practices

Retention & Destruction

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Software Vulnerability Assessment

Vulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Remediating IT vulnerabilities: Expert tips

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

PCI Vulnerability Validation Report

Security Standard: Servers, Server-based Applications and Databases

Complete Patch Management

SECURITY RISK MANAGEMENT. FIRST 2007 Seville, Spain

How To Test For Security On A Network Without Being Hacked

UMHLABUYALINGANA MUNICIPALITY ANTIVIRUS MANAGEMENT POLICY

WHITE PAPER. Attaining HIPAA Compliance with Retina Vulnerability Assessment Technology

Secunia Vulnerability Intelligence Manager

CSUSB Vulnerability Management Standard CSUSB, Information Security & Emerging Technologies Office

AUTOMATING THE 20 CRITICAL SECURITY CONTROLS

How To Monitor Your Entire It Environment

Network Security and Vulnerability Assessment Solutions

Information Security Policy

Sample Vulnerability Management Policy

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

Patch and Vulnerability Management Program

SJSU Electronic Data Disposition Standard

Avoiding the Top 5 Vulnerability Management Mistakes

Security-as-a-Service (Sec-aaS) Framework. Service Introduction

PCI Compliance Considerations

Total Protection for Compliance: Unified IT Policy Auditing

Complete Patch Management

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Closing the Vulnerability Gap of Third- Party Patching

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

AHS Flaw Remediation Standard

THE SECURITY EXPOSURE

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

SANS Top 20 Critical Controls for Effective Cyber Defense

IBM Security QRadar Vulnerability Manager Version User Guide IBM

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

IBM Managed Security Services Vulnerability Scanning:

Safeguarding Company IT Assets through Vulnerability Management

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

How To Get The Nist Report And Other Products For Free

UC Merced CyberRisk Update

ISAAC Risk Assessment Training

IT Security Standard: Computing Devices

INFORMATION SECURITY California Maritime Academy

Payment Card Industry Data Security Standard

THE TOP 4 CONTROLS.

IT ASSET MANAGEMENT Securing Assets for the Financial Services Sector

Server Security Checklist (2009 Standard)

Cisco Security Optimization Service

ISS X-Force. IBM Global Services. Angel NIKOLOV Country Manager BG, CZ, HU, RO and SK IBM Internet Security Systems

Strategic Plan On-Demand Services April 2, 2015

Information Security Office

MANAGED SERVICES ON DEMAND SERVICES BACKUP AND DISASTER RECOVERY CLOUD SERVICES HARDWARE AS A SERVICE. Exceed Best

Critical Security Controls

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

ForeScout CounterACT CONTINUOUS DIAGNOSTICS & MITIGATION (CDM)

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Intelligent Vulnerability Management The Art of Prioritizing Remediation. Phone Conference

Guideline on Vulnerability and Patch Management

BUILDING AN EFFECTIVE VULNERABILITY MANAGEMENT PROGRAM. Henrik Åkerstrand Account Executive Nordics

eeye Digital Security Product Training

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

Vulnerability Control Product Tour

Extreme Networks Security Analytics G2 Vulnerability Manager

Best Practices for Vulnerability Management

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Overview TECHIS Carry out security testing activities

Hope is not a strategy. Jérôme Bei

Continuous Network Monitoring

Symantec Control Compliance Suite Standards Manager

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Protecting your business interests through intelligent IT security services, consultancy and training

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Transcription:

Standard: Vulnerability Management and Assessment Page 1

Executive Summary San Jose State University (SJSU) is highly diversified in the information that it collects and maintains on its community members. It is the university s responsibility to be a good steward and custodian of the information that it has been entrusted, which must be upheld by all members of the university. Per CSU Information Security Policy 8045.0 Section 500, San Jose State University (SJSU) is required to implement appropriate controls to monitor and scan network resources and information systems to identify and remediate vulnerabilities on networked computers. Proactively managing vulnerabilities can provide vital information to management and computer administrators of known and potential vulnerabilities for our organization to mitigate the vulnerabilities and improve SJSU s security risk posture. As a result, it could save the organization resources and time otherwise needed to respond to incidents after exploitation has occurred. Vulnerability Management and Assessment standard defines the requirements for vulnerability management and assessment for all SJSU computer and communication system information, with the goal of safeguarding the confidentiality, integrity, and availability of information stored, processed and transmitted by SJSU. Page 2

Information Security Standards Vulnerability Management and Assessment Standard IS-VMA Effective Date 11/10/2015 Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Revision History Date Action 5/26/2014 Draft sent to Mike 12/1/2014 Reviewed. Content suggestions. Added comments. Hien Huynh 11/10/2015 Incorporated changes from campus constituents Distributed to Campus. Page 3

Table of Contents Executive Summary... 2 Introduction and Purpose... 5 Scope... 5 Standard... 5 Management of Technical Vulnerabilities... 5 Patching Application... 5 Antivirus Application... 5 Vulnerability Advisories and Intelligence Feeds... 5 Periodic Vulnerability Scanning of Internal Network... 5 Vulnerability Scanning of Internet Exposed Network... 5 Security Advisory Patch Management... 6 On-Going Third Party Security Configuration Scanning... 6 Vulnerability Scanner supporting CVE and SCAP... 6 Authenticated/Unauthenticated User Vulnerability Scanning... 6 References... 6 Page 4

Introduction and Purpose This standard defines the requirements for vulnerability management and assessment for all San Jose State University (SJSU) computer and communication system information, with the goal of safeguarding the confidentiality, integrity, and availability of information stored, processed, and transmitted by SJSU. Scope This standard applies to all SJSU State, Self-Fund, and Auxiliary ( campus ) computer systems and facilities, with a target audience of SJSU Information Technology employees and partners. Standard Management of Technical Vulnerabilities Technical vulnerability management should be implemented in an effective, systematic, and repeatable way with measurements taken to confirm its effectiveness. Timely information about technical vulnerabilities of information systems being used should be obtained, the campus's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. Patching Application All systems must use an approved patching application. Required patches for servers and endpoints must be installed at minimum every 30 days. Antivirus Application All desktops, laptops and servers must utilize an approved antivirus/antimalware application. This includes all Operating Systems including but not limited to Windows, OSX and Linux any exceptions must be documented and approved by the Information Security Office. Vulnerability Advisories and Intelligence Feeds On at least a weekly basis, systems administration staff must review all information security vulnerability advisories issued by trusted organizations for issues affecting campus systems. Administrators will subscribe to vulnerability intelligence services in order to stay aware of emerging exposures, and use the information gained from this subscription to update the organization's vulnerability scanning activities on at least a monthly basis. Periodic Vulnerability Scanning of Internal Network Each campus IT department must run and approved automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Vulnerability Scanning of Internet Exposed Network To ensure that SJSU technical staff has taken appropriate preventive measures, all systems directly-connected to the Internet must be subjected to an automated risk analysis performed via approved vulnerability scanning software at least once a month. Page 5

Security Advisory Patch Management All security advisory patches for known vulnerabilities issued by a vendor must be promptly tested and installed within the time frame required by the Information Security Office. On-Going Third Party Security Configuration Scanning All SJSU computers accessible from the Internet, as well as all internal production computers, must be regularly scanned by a reputable third party security vulnerability scanning service. Vulnerability Scanner supporting CVE and SCAP The vulnerability scanner used by SJSU will support the identification of vulnerabilities based on CVE ID as well as SCAP configuration based vulnerabilities, where applicable. Authenticated/Unauthenticated User Vulnerability Scanning Vulnerability scanning should run in authenticated user mode, where possible, with agents running locally on each end system to analyze the security configuration or with remote vulnerability scanners that are given administrative rights on the systems tested. A dedicated account for authenticated vulnerability scans should be used, with the account limited and used only for vulnerability testing. References CSU Information Security Policy -8045.0 Information Security Policy-Section 500 Information Asset Monitoring. Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information