Vulnerability Management Policy



Similar documents
State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

STATE OF NEW JERSEY IT CIRCULAR

Software Vulnerability Assessment

Manage Vulnerabilities (VULN) Capability Data Sheet

Qualys Scanning for PCI Devices University of Minnesota

How To Use Qqsguard At The University Of Minneapolis

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

How To Monitor Your Entire It Environment

Vulnerability Management

AHS Vulnerability Scanning Standard

Office of Inspector General

Information Technology Security Review April 16, 2012

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Final Audit Report -- CAUTION --

Minimizing Risk Through Vulnerability Management. Presentation for Rochester Security Summit 2015 Security Governance Track October 7, 2015

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

How To Test For Security On A Network Without Being Hacked

WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

CDM Vulnerability Management (VUL) Capability

Sample Vulnerability Management Policy

How To Improve Nasa'S Security

Information Technology General Controls And Best Practices

NOTICE: This publication is available at:

Managed Service Solutions Catalogue. MANAGED SERVICES SOLUTIONS CATALOGUE MS Offering Overview June 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

1 Scope of Assessment

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

The Value of Vulnerability Management*

How To Manage Security On A Networked Computer System

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

Information Security Office

Healthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security

How to Get from Scans to a Vulnerability Management Program

Vulnerability management lifecycle: defining vulnerability management

Patch and Vulnerability Management Program

ESKISP Manage security testing

FY 2016 Inspector General Federal Information Security Modernization Act of 2014 Reporting Metrics V1.0

AUDIT OF NASA S EFFORTS TO CONTINUOUSLY MONITOR CRITICAL INFORMATION TECHNOLOGY SECURITY CONTROLS

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Following is a discussion of the Hub s role within the health insurance exchanges, the results of our review, and concluding observations.

Christine M. Frye, CIPP/US, CIPM, Chief Privacy Officer, Bank of America

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Information Security Services

Project Monitoring and Control

Intel Security Certified Product Specialist Security Information Event Management (SIEM)

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Attachment A. Identification of Risks/Cybersecurity Governance

Checklist for Vulnerability Assessment

AVOIDING PATCH DOOMSDAY Best Practices for Performing Patch Management

CMS Policy for Configuration Management

Vulnerability Management Nirvana: A Study in Predicting Exploitability

Test du CISM. Attention, les questions, comme l'examen, ne sont disponibles qu'en anglais.

How To Use A Policy Auditor (Macafee) To Check For Security Issues

Assessment and Authorization

Optimizing Network Vulnerability

AHS Flaw Remediation Standard

SANS Top 20 Critical Controls for Effective Cyber Defense

Four Top Emagined Security Services

DIVISION OF INFORMATION SECURITY (DIS)

White Paper The Dynamic Nature of Virtualization Security

Solving the CIO s Cybersecurity Dilemma: 20 Critical Controls for Effective Cyber Defense

Best Practices for Vulnerability Management

Reducing Application Vulnerabilities by Security Engineering

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

ETHICAL HACKING APPLICATIO WIRELESS110 00NETWORK APPLICATION MOBILE MOBILE0001

PCI Vulnerability Validation Report

Introduction to OVAL: A new language to determine the presence of software vulnerabilities

Issue Date: March 4, Proposal Due Date: Tuesday, March 18, 2014 by 11:00 AM Mountain Time to:

NERC CIP VERSION 5 COMPLIANCE

Transcription:

April 13th, 2015 1.0 SUMMARY Vulnerability management is the processes and technologies that an organization utilizes to identify, assess, and remediate information technology (IT) vulnerabilities, weaknesses, or exposures in IT resources or processes that may lead to a security or business risk. This policy identifies the University of Maryland Center for Environmental Science s vulnerability management practice which includes the roles and responsibility of personnel, the vulnerability management process and procedures followed, and the risk assessment and prioritization of vulnerabilities. 2.0 ROLES AND RESPONSIBILITY The CIO of UMCES is responsible for IT vulnerability management. The following are the key roles and their responsibilities: Network / Server Analyst Role - Maintain inventory of IT assets. Identifies vulnerabilities via vulnerability scanning, patch releases, configuration review, and compliances. Performs remediation of vulnerabilities as directed. IT Director Role - Determines remediation of vulnerabilities and delegates corrective action. Report any unresolvable vulnerability to CIO. Chief Information Officer (CIO) Role - Approves any risk acceptance, emergency CMRs, and final report of quarterly scans. 3.0 INDIVIDUAL LOCATION ROLES AND RESPONSIBILITIES Horn Point Laboratory / Central Administration Jason Beveridge CIO Role (UMCES):

Institute of Marine and Environmental Technology Jason Beveridge Maryland Sea Grant Chesapeake Biological Laboratory Appalachian Laboratory Dan Jacobs Dan Jacobs Larry Lentner Michael Santangelo Eric Farris Eric Farris 4.0 FLOWCHART OF ROLES AND RESPONSIBILITIES Network / Server Analyst Role Maintain inventory of IT assets Identify vulnerability Remediate vulnerability as directed IT Director Role Determine appropriate remediation measures Delegate action of remediation Submit unresolvable vulnerability to CIO (UMCES) Submit quarterly scan to CIO (UMCES) for review and submission CIO Role Approve risk acceptance Coordinate and submit quarterly scans of each location

5.0 VULNERABILITY MANAGEMENT PROCESS AND PROCEDURES IT goes through a continuous cycle of scanning and remediating vulnerabilities through a series of quarterly system and network scans, configuration templates and checklists, and adhering to best practice when implementing new business solutions. Scheduled scans align with the University Systems of Maryland (USM) quarterly vulnerability requirements. Targeted system scans are adhoc or based on project requirements and timing. Procedures associated with the vulnerability management process include: Scan business functioning IT subnets for vulnerabilities Networks in which systems that are vital to the business (i.e., critical systems) at UMCES are scanned. The whole subnet is scanned against a single baseline vulnerability policy. Validate findings from scan and assess risk to IT environment Once scanning is complete the results are verified by the network/server manager. This is done by negating false positives, (i.e., windows vulnerability on a unix system) or taking additional steps via penetration testing to validate the exposure. Inform management for a response of action Results from the scan are sent by the network/server manager to the CIO with a deadline of response. The manager works with their staff to schedule the work to resolve the vulnerability and provides a response of a plan of action to the analyst for the quarterly report. Critical vulnerabilities with immediate impact are expedited as emergency CMR. Schedule an Emergency CMR Emergency CMs are implementing within 48 hours with CIO approval. Schedule a standard CMR - Standard CMs occur with a 2 week delay in implementation to allow business planning during the maintenance window. Build, Test, and implement vulnerability resolution Once a CM is approved the respective area proceeds with implementation. Testing may occur before-hand if a test/development environment is available.

Conduct post implementation scan to verify resolution Once the change is implemented the analyst rescans for the vulnerability to verify the resolution. If the vulnerability is still present another solution may be attempted or alternative compensating controls but in the event there is no solution it becomes a risk that would need to be accepted by the CIO. 6.0 RISK ASSESSMENT AND PRIORITIZATION UMCES currently uses the Common Vulnerability Scoring System (CVSS) for all Common Vulnerabilities and Exposures (CVE) provided by the National Vulnerability Database. Scoring for non-cve vulnerabilities is provided by UB s vulnerability scanning tool. A priority is placed on patching or mitigating the vulnerability based on these scores and the logical location of the vulnerability within UMCES s network infrastructure. Remediation occurs within 10 business days for critical vulnerabilities. UMCES also documents patches to critical systems via a CMR. Severity is assigned to vulnerabilities by the exposure to the attack vector and the risk to the IT environment. Based from the scanning software, the logical location of the vulnerability and current activity of the exploited; the vulnerability is given one of two ratings. A critical rating is given to the vulnerability if it is activity being exploited (a known exploit is public) and there is no current mitigation within the IT environment. A high rating is given if the vulnerability is not being exploited and mitigation is in place lessening the immediate risk. High severity vulnerabilities are addressed within 30 business days. (Table 1.) Table 1. Shows the rating UMCES uses for vulnerabilities and the remediation time. Severity Description Remediation Time Frame Critical High Activity being exploited (a known exploit is public) and there is no mitigation the priority is critical. If it is not being exploited and mitigation is in place the priority is high. 10 business days 30 business days

7.0 EFFECTIVENESS MONITORING In order to ensure the effectiveness of the Vulnerability Management Policy, the CIO will conduct a monthly scan and create an update report. This report will collect information and maintain a status per month. The information collected will include the following categories as shown in Table 2 below: Total Systems, Systems w/ Critical Vulnerabilities, Resolved within 30 days, Repeat Can t Mitigate or Accept Risk and New Systems w/ Critical Vulnerabilities. (Table 2) Monthly Scan Reports January February Total Systems 437 437 Systems w/ Critical Vulnerabilities 5 5 Resolved within 30 days Repeat - Can't Mitigate or Accept Risk 5 New Systems w/ Critical Vulnerabilities 8.0 METRICS Metrics must provide relevant and supportive information to have value. Currently, IT reports vulnerability metrics to the USM quarterly. Version History 1.0 Initial Draft.. 4/13/15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information