Vulnerability Management Policy

Similar documents
Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Information Security Policy

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Wellesley College Written Information Security Program

College of DuPage Information Technology. Information Security Plan

PII Personally Identifiable Information Training and Fraud Prevention

Document Title: System Administrator Policy

Information Security Program

Virginia Commonwealth University Information Security Standard

R345, Information Technology Resource Security 1

UMHLABUYALINGANA MUNICIPALITY PATCH MANAGEMENT POLICY/PROCEDURE

Data Management & Protection: Common Definitions

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

Information Security Policy

Network Security Policy

BERKELEY COLLEGE DATA SECURITY POLICY

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

Information Resources Security Guidelines

CSR Breach Reporting Service Frequently Asked Questions

Information Technology Policy

Who Should Know This Policy 2 Definitions 2 Contacts 3 Procedures 3 Forms 5 Related Documents 5 Revision History 5 FAQs 5

Standard: Information Security Incident Management

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Lunch & Learn Series Subscribe!

HIPAA Compliance Evaluation Report

Network Service Policy

Gramm Leach Bliley Act. GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev. 7/1/2007

INFORMATION SECURITY California Maritime Academy

How To Protect Research Data From Being Compromised

INFORMATION SECURITY Humboldt State University

Contact: Henry Torres, (870)

Utica College. Information Security Plan

BALTIMORE CITY COMMUNITY COLLEGE INFORMATION TECHNOLOGY SECURITY PLAN

Virginia Commonwealth University School of Medicine Information Security Standard

New River Community College. Information Technology Policy and Procedure Manual

University of Pittsburgh Security Assessment Questionnaire (v1.5)

The Value of Vulnerability Management*

DSU Identity Theft Prevention Policy No. DSU

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Protecting Personal Information: The Massachusetts Data Security Regulation (201 CMR 17.00)

Risk Assessment Guide

Information Security Plan May 24, 2011

Network & Information Security Policy

Information Security Policy

Specific observations and recommendations that were discussed with campus management are presented in detail below.

DHHS Information Technology (IT) Access Control Standard

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Security Awareness Training Policy

Keeping watch over your best business interests.

Policy Considerations for Securing Electronic Data

CITY OF SAN DIEGO ADMINISTRATIVE REGULATION Number PAYMENT CARD INDUSTRY (PCI) COMPLIANCE POLICY. Page 1 of 9.

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

DATA SECURITY AGREEMENT. Addendum # to Contract #

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Information Technology Cyber Security Policy

Information Security Program Management Standard

PII = Personally Identifiable Information

Research Support Council (RSC) - What Data is Sensitive and How

HIPAA Privacy and Information Security Management Briefing

STATE OF NEW JERSEY IT CIRCULAR

Valdosta State University. Information Resources Acceptable Use Policy

Rowan University Data Governance Policy

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

Virginia Commonwealth University School of Medicine Information Security Standard

HIPAA Security Alert

UCF Security Incident Response Plan High Level

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Third Party Security Requirements Policy

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Security Controls What Works. Southside Virginia Community College: Security Awareness

Information Security Incident Management Guidelines

05.0 Application Development

Data Security Incident Response Plan. [Insert Organization Name]

IT Compliance Volume II

Compliance and Industry Regulations

<COMPANY> P01 - Information Security Policy

Security Breaches Under the NC Identity Theft Protection Act: Basic Information for Local Health Departments

GRINNELL COLLEGE CREDIT CARD PROCESSING AND SECURITY POLICY

IT Security Compliance Monitoring: Dealing with Increasing Demands

C. Author(s): David Millar (ISC Information Security) and Lauren Steinfeld (Chief Privacy Officer)

Network Security Policy

Office of Inspector General

PII Compliance Guidelines

Institutional Data Governance Policy

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

SUPPLIER SECURITY STANDARD

Responsible Access and Use of Information Technology Resources and Services Policy

IRONSHORE SPECIALTY INSURANCE COMPANY 75 Federal St. Boston, MA Toll Free: (877) IRON411

The Business Case for Security Information Management

INFORMATION TECHNOLOGY SECURITY STANDARDS

Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation

Information Security Policy

INFORMATION TECHNOLOGY RISK MANAGEMENT PLAN

Practical Guidance for Auditing IT General Controls. September 2, 2009

Transcription:

Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully scanned at least monthly, and preferably weekly, for vulnerabilities. Any detected vulnerabilities must be remediated in accordance with the specific timeframes described in this Policy. To ensure that scans are comprehensive and accurate, scans should be performed by users logged in with Administrator-level access on the respective computer device. Scope This Policy establishes a framework for identifying and promptly remediating vulnerabilities to minimize security breaches associated with unpatched vulnerabilities. Audience It is imperative that all System or Application Administrators adhere to this Policy. This policy applies to all Users (faculty, students, staff, temporary employees, contractors, outside vendors, and visitors to campus) who have access to information or data that constitutes the University s Sensitive Information or who have responsibility for Mission-Critical computing devices. Users in this group must be aware of University requirements regarding scanning and patching. IT personnel are responsible for assisting the Users they support with compliance with this policy. Compliance Failure to adhere to this policy may put University information assets at risk and may have disciplinary consequences for employees up to and including termination of employment. Students who fail to adhere to this Policy will be referred to the Honor System. Contractors and vendors who fail to adhere to this 082911v1Vulnerability Management Policy Page 1

Policy may face termination of their business relationships with the University. Violation of this policy resulting in the unauthorized disclosure of Protected Health Information or Personal Identifying Information (see the definition of Sensitive Information below) may also carry the risk of civil or criminal penalties. Definitions Administrator (System or Application): Generally, a University staff member who manages and maintains computer devices for the University and is authorized to have access beyond that of an end user. Critical Asset: Any system that serves or supports a Mission-Critical function or that stores or processes Sensitive Information. Mission-Critical Resource: Includes any resource that is critical to the mission of the University and any device that is running a mission-critical service for the University or a device that is considered mission critical based on the dependency of users or other processes. Mission-critical services must be available. Typical mission-critical services have a maximum downtime of three consecutive hours or less. Mission-critical resources for Information Security purposes include information assets, software, hardware, and facilities. The payroll system, for example, is a Mission-Critical Resource. Sensitive Information: Sensitive Information includes all data, in its original and duplicate form, which contains: Personal Identifying Information, as defined by the North Carolina Identity Theft Protection Act of 2005. This includes employer tax ID numbers, drivers' license numbers, passport numbers, SSNs, state identification card numbers, credit/debit card numbers, banking account numbers, PIN codes, digital signatures, biometric data, fingerprints, passwords, and any other numbers or information that can be used to access a person's financial resources, Protected Health Information as defined by HIPAA, Student education records, as defined by the Family Educational Rights and Privacy Act (FERPA), Customer record information, as defined by the Gramm Leach Bliley Act (GLBA), Card holder data, as defined by the Payment Card Industry (PCI) Data 082911v1Vulnerability Management Policy Page 2

Security Standard, Confidential personnel information, as defined by the State Personnel Act, and Information that is deemed to be confidential in accordance with the North Carolina Public Records Act. Sensitive data also includes any other information that is protected by University policy or federal or state law from unauthorized access. Sensitive Information must be restricted to those with a legitimate business need for access. Examples of sensitive information may include, but are not limited to, social security numbers, system access passwords, some types of research data (such as research data that is personally identifiable or proprietary), public safety information, information concerning select agents, information security records, and information file encryption keys. Reason for Policy Many colleges and universities have experienced data breaches that have had significant consequences for these institutions and for their students, employees, alumni, and patients. In many cases, an effective vulnerability management program could have identified and remediated the underlying vulnerabilities, which allowed the breach to occur. Detection of Vulnerabilities and Remediation University departments must develop and adhere to procedures for vulnerability management, including the regular scanning of systems storing or processing Sensitive Information and Mission Critical systems. In particular, systems storing the University s Sensitive Information or systems considered to be Mission Critical for UNC-Chapel Hill must be fully scanned for vulnerabilities at least monthly and preferably weekly, using scanning software approved by the Information Security Office (445-9393 or security@unc.edu). The Information Security Office (ISO) makes a number of shared vulnerability assessment tools available to customers for scanning desktops and servers, web applications, and databases. In order to ensure scanning and remediation efforts are completed in a timely manner, Sensitive Information systems or systems considered to be Mission Critical for UNC-Chapel Hill must be registered with the ISO. 082911v1Vulnerability Management Policy Page 3

To ensure that scans are comprehensive and accurate, scans should be performed by Users logged in with Administrator-level access on the respective computer device. Vulnerability management procedures should also address remediating detected vulnerabilities, including timely patch management and testing change management procedures. It is recommended that changes be documented in writing for future reference. Any detected vulnerabilities must be remediated in accordance with the specific timeframes described below. For purposes of remediation and mitigation, the severity rating assigned by the vulnerability scanning tool used by ISO will serve as the basis for classifying a vulnerability unless specifically indicated as an exception by the ISO. The following classifications describe the severity levels that can be assigned to a vulnerability. Vulnerability classifications for desktops and servers: Urgent denotes a vulnerability through which an intruder can easily gain control at the administrator level of any affected host. This class of vulnerabilities poses the highest risk for a system-wide compromise of the UNC Chapel Hill network. Critical denotes a vulnerability through which an intruder could gain access to the host at the administrator level or could possibly access Sensitive Information stored on the host. While this class of vulnerabilities is extremely serious, the risk of a breach or compromise is not as urgent as with a critical vulnerability. Serious denotes a vulnerability that may allow an intruder to gain access to specific information stored on the host, including security settings. While not immediately associated with a compromise of an affected host, these vulnerabilities allow intruders to gain access to information that may be used to compromise the host in the future. Medium Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. 082911v1Vulnerability Management Policy Page 4

Minimal denotes vulnerabilities that do not pose an immediate threat to the host or the UNC-Chapel Hill network. These vulnerabilities refer mostly to weaknesses in a device that allow an intruder access to information that may be used in the future to compromise the host Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities. Departments may opt to mitigate these vulnerabilities based on their network architecture or set up a timeframe for remediation based on the information stored on the device. Any identified vulnerabilities, either related to missing patches or improper configuration, must be remediated within the timeframes specified below based on the degree of associated severity. For vulnerability remediation, System Administrators should perform appropriate testing and follow existing changemanagement procedures to ensure proper patch installation for affected systems. Vulnerability Level Remediation and Mitigation Table After detection, remediation required within less than Sensitive and Critical Assets Exception Approval Urgent 1 month ISO Critical 1 month ISO Serious 1 month Department Business Manager or Designate Medium 1 month Department IT Manager Minimal 90 days Department IT Manager Non-Critical Assets Exception Approval Department IT Manager Related Documents Information Security Policy and related Procedures and Standards Password Policy for System and Application Administrators 082911v1Vulnerability Management Policy Page 5

General User Password Policy NC State CIO Manual Standard 040106 Technical Vulnerability Management Contacts Subject Contact Telephone FAX/E-Mail Policy Questions The University s 919-445-9393 919-445-9488 Report a Violation Request Information Security Consulting Information Security Office History Effective Date: Revised Date: 6/30/10 2/09/12 082911v1Vulnerability Management Policy Page 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information