Document No.: VCSATSP 100-030 Vulnerability and Penetration Testing Policy Revision: 7.0




DOCUMENT INFORMATION
VCSATS Policy Number: VCSATSP 100-030
Title: Vulnerability and Penetration Testing Policy
Policy Owner: Infrastructure Manager
Effective Date: 5/1/2013
Revision: 7.0

TABLE OF CONTENTS
DOCUMENT INFORMATION ... 1
TABLE OF CONTENTS ... 1
1. PURPOSE ... 2
2. SCOPE ... 2
3. RESPONSIBILITIES ... 2
4. REFERENCES ... 2
5. DEFINITIONS ... 3
6. POLICY ... 3
6.1 Vulnerability Testing ... 3
6.2 Penetration Testing ... 3
7. ENFORCEMENT ... 4
8. COMPLIANCE REFERENCE INDEX ... 4
9. HISTORY ... 5

1. PURPOSE
This policy defines the guidelines for conducting vulnerability testing and penetration testing of systems within the VCSA division. [45 C.F.R. 164.304(c)(1)]

2. SCOPE
This policy applies to Vice Chancellor Student Affairs Technology Services.

3. RESPONSIBILITIES
TABLE 1 - ROLES AND RESPONSIBILITIES
Role: Infrastructure Manager
  Responsibility:
  - Oversee the performance of this process
  - Ensure this document remains current and is updated whenever changes to the process occur
  - Review and approve changes to this document
Role: Director Technology Services
  Responsibility:
  - Review and approve changes to this document

4. REFERENCES
TABLE 2 - REFERENCES
Reference: VCSATSP 100-010 Policy Guidance
Location: VCSATS Policy Center

5. DEFINITIONS
The terms and definitions found in VCSATSP 100-010 Policy Guidance, as referenced in section 4 (References), shall apply unless a term is expressly defined here. The scope of every term expressly defined in this section is limited to this document.
TABLE 3 - LOCAL DEFINITIONS
Term, Abbreviation, Acronym    Definition
None                           -

6. POLICY
Vulnerability testing and penetration testing are required for Restricted systems. Non-restricted systems may optionally apply these standards as well.

6.1 Vulnerability Testing
6.1.1 VCSATS must conduct vulnerability testing on all public-facing systems and Restricted systems, with testing of Restricted systems occurring on a regularly scheduled basis. [PCI DSS 11.2.1 (a)]
6.1.2 External vulnerability testing (scans) of Restricted systems must be conducted on a regularly scheduled basis. [PCI DSS 11.2.2 (a)]
6.1.3 Upon any configuration change to the system, an internal scan must be performed. [PCI DSS 11.2.3 (a)]
6.1.4 Failed vulnerability scans must be addressed and followed by a retest, repeating these steps until the vulnerability testing completes successfully. [PCI DSS 11.2.1 (b), PCI DSS 11.2.2 (b), PCI DSS 11.2.3 (b)]
6.1.5 Upon identification of new vulnerability issues, firewall configuration standards shall be updated accordingly.

6.2 Penetration Testing
6.2.1 External and internal penetration testing shall be performed at least once a year. [PCI DSS 11.3 (a)]
6.2.2 External and internal penetration testing shall be performed after any significant infrastructure or application changes. [PCI DSS 11.3 (a)]
6.2.3 Penetration testing shall minimally consist of network-layer and application-layer penetration tests. [PCI DSS 11.3.1, PCI DSS 11.3.2]

6.2.4 Exploitable vulnerabilities noted during penetration testing shall be corrected and an adequate retest performed to demonstrate that the identified exploit is addressed. [PCI DSS 11.3 (b)]

7. ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action.

8. COMPLIANCE REFERENCE INDEX
45 C.F.R. 164.304(c)(1) ... 2
PCI DSS 11.2.1 (a) ... 3
PCI DSS 11.2.1 (b) ... 3
PCI DSS 11.2.2 (a) ... 3
PCI DSS 11.2.2 (b) ... 3
PCI DSS 11.2.3 (a) ... 3
PCI DSS 11.2.3 (b) ... 3
PCI DSS 11.3 (a) ... 3
PCI DSS 11.3 (b) ... 4
PCI DSS 11.3.1 ... 3
PCI DSS 11.3.2 ... 3

9. HISTORY
Fogbugz Case    Description of Changes
1513            Create initial version of this policy.
2352, 2353      Approval requested for version 1.0 of this policy. Approval was not received.
1513            Updated diagram to version 1.0, which added a swimlane for Approved Scanning Vendor (ASV).
2382, 2383      Requested approvals for version 2.0 of this policy.
3209            Updates made in support of UCOP for PnC Hosting project.
3626, 3627      Requested approvals for version 3.0 of this policy (Rejected).
3638            Corrected issues found during approval review.
3658, 3660      Requested approvals for version 4.0 of this policy (Rejected).
3713            Corrected issues found during approval review.
3746, 3747      Requested approvals for version 5.0 of this policy.
4910, 7439      Updated document number to match the approved naming convention. Changed references from critical and PCI to Restricted. Added section 6.4.
7634, 7635      Requested approvals for version 6.0 of this policy.
8466, 8660      Added HIPAA references, PCI DSS references, and support for penetration testing.
8902, 8903      Requested approval for version 7.0 of this policy.