How To Use QualysGuard At The University Of Minnesota




Qualys is a vulnerability scanner that is used for critical servers and servers subject to compliance reporting. This scanner is not generally to be used for desktop or laptop scanning. OIT has purchased a limited number of licenses (licensed by IP address scanned) for scanning critical and other important servers. This document provides background and responsibilities for how QualysGuard scanning, mapping and ticket remediation tracking will be used at the University of Minnesota by departments. Qualys maintains more extensive documentation of their product under Help on the QualysGuard Enterprise Suite menu bar.

Business Units

Large/decentralized units (i.e., OIT) will have a Business Unit and an assigned Business Unit Manager. The Business Unit will be able to run discovery maps and vulnerability scans and run reports on the IPs assigned to their Business Unit. Priority must be given to critical servers and servers subject to compliance reporting.

Business Unit Manager (BUM) Responsibilities

- Define responsibilities of the other unit managers, scanners and readers in your Business Unit.
- Manage users (other unit managers, scanners and readers) for your Business Unit. This includes set up and deletions. Assign the users to Asset Groups.
- Identify to University Information Security (e-mail infosecurity@umn.edu) a list of subnets your area is responsible for. This will be used for discovery mapping your section of the network, similar to NMAP. Discovery maps are free.
- Identify to University Information Security (e-mail infosecurity@umn.edu) a list of IPs/IP ranges for servers that your unit is responsible for scanning. Each IP scanned costs money; avoid scanning IP addresses not assigned to a host.
- Set up and maintain the list of IP addresses that should be included in the Critical Servers Reporting Asset Group for your Business Unit, following the naming convention for Asset Groups and using the corresponding Business Impact level 5 (critical).
- Manage the other Asset Groups that you create to meet your scanning/reporting needs, following the naming convention for Asset Groups. Use the Business Impact level that meets your reporting needs.
- Discovery map your section of the network at least monthly and review the Map reports for unknown devices.
- Scan all IP addresses in the Critical Server Reporting Asset Groups monthly.
- Review open ticket remediation for IPs assigned to your Business Unit or Asset Group. Automated ticket generation will be turned on by Asset Group by the Business Unit Manager.

In summary, maintain the following:
- IP addresses in the Critical Servers Reporting Asset Groups
- Review vulnerability management for servers scanned, with priority for the Critical Servers Reporting Asset Groups (see separate document: Qualys Vulnerability Data Review for Audit Reporting)
- User accounts for your Business Unit
- Optional:
  o Set up additional Remediation Policies for your area.
  o Set up additional report templates.
  o Maintain Host Asset Information. University Information Security will use the Function field to track the Solutionary/Seccuris OneStone Customer # (S-1511).

3/23/2015 Page 1 of 8

Critical Servers Reporting Asset Groups

These asset groups should contain the critical servers for your area and be assigned Business Impact=5 (critical). These Asset Groups will be used for reporting vulnerability management to the internal audits department. Critical Servers include: Security Level High or Medium per the Data Security Classification Policy.

Naming Conventions

- Asset Groups: COLLEGE.DEPT.subgroup_??? (??? - each area can define)
- Critical Servers Reporting Asset Groups: CRITICAL.COLLEGE.DEPT
- Report Templates: COLLEGE.DEPT.??? (??? - each area can define)

See attached sheet for the naming convention assigned to your unit.

Vulnerabilities

Qualys uses 3 categories for classifying vulnerabilities (confirmed, potential and information). Within each category, there are 5 severity levels.
  o Confirmed (red): security weaknesses verified by an active test
  o Potential (yellow): security weaknesses that need manual verification
  o Information (blue): configuration data

High Risk Vulnerabilities
  o Required: Fix Confirmed 4 & 5 (red). The high severity vulnerability must be mitigated (i.e., patching/configuration, another compensating control, or documented as a false positive) for internal audits reporting.
  o Hosts involved in credit card processing must also mitigate all vulnerabilities marked as PCI Failed.
  o Documentation of the mitigation plan for your high severity vulnerabilities must be in the Qualys Ticket Remediation. Tickets for unmitigated vulnerabilities need to be documented within 30 days of the scan.

Priorities for Other Vulnerabilities
  o Recommended: Review Potential 4 & 5 (yellow) and fix, if applicable
  o Recommended: Review Confirmed 1, 2 & 3 (red) and fix, if applicable
  o Recommended: Review & assess the risk of the other vulnerabilities and fix, if applicable
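To make the triage rules above concrete, here is an added Python example (not part of the University's document and not Qualys tooling) that applies the Required/Recommended priorities, the PCI Failed rule for card-processing hosts, the main remediation policy's condition for automatic tickets (confirmed 4 & 5 on critical hosts) and the 30-day overdue deadline to constructed sample findings; the host addresses, QIDs, host lists and dates are made up.

```python
from dataclasses import dataclass
from datetime import date, timedelta

TICKET_DEADLINE_DAYS = 30  # overdue deadline from the main remediation policy

@dataclass
class Finding:
    host: str
    qid: int          # Qualys vulnerability id (constructed values below)
    category: str     # "confirmed" (red), "potential" (yellow), "information" (blue)
    severity: int     # 1..5
    pci_failed: bool = False

def priority(f: Finding, card_processing: bool = False) -> str:
    """Action level from the UMN rules: 'required', 'recommended' or 'review'."""
    if f.category == "confirmed" and f.severity >= 4:
        return "required"            # Confirmed 4 & 5: must be mitigated or documented
    if card_processing and f.pci_failed:
        return "required"            # card-processing hosts also clear PCI Failed items
    if f.category == "potential" and f.severity >= 4:
        return "recommended"         # Potential 4 & 5: review and fix if applicable
    if f.category == "confirmed":
        return "recommended"         # Confirmed 1-3: review and fix if applicable
    return "review"                  # everything else: assess the risk

def auto_ticket(f: Finding, critical_hosts: set) -> bool:
    """Main remediation policy: tickets only for confirmed 4 & 5 on critical hosts."""
    return f.host in critical_hosts and f.category == "confirmed" and f.severity >= 4

def is_overdue(scan_date: str, today: str, resolved: bool = False) -> bool:
    """A ticket is overdue once 30 days (ISO dates) have passed without resolution."""
    deadline = date.fromisoformat(scan_date) + timedelta(days=TICKET_DEADLINE_DAYS)
    return not resolved and date.fromisoformat(today) > deadline

SAMPLE = [  # constructed sample findings, not real UMN scan data
    Finding("10.0.0.10", 90001, "confirmed", 5),
    Finding("10.0.0.10", 90002, "potential", 4),
    Finding("10.0.0.11", 90003, "confirmed", 2),
    Finding("10.0.0.12", 90004, "potential", 3, pci_failed=True),
    Finding("10.0.0.12", 90005, "information", 1),
]
CRITICAL_HOSTS = {"10.0.0.10"}   # members of a CRITICAL.COLLEGE.DEPT asset group
CARD_HOSTS = {"10.0.0.12"}       # hosts involved in credit card processing

def triage(findings, critical_hosts, card_hosts):
    """Return {(host, qid): (priority, auto_ticket)} for every finding."""
    return {(f.host, f.qid): (priority(f, f.host in card_hosts),
                              auto_ticket(f, critical_hosts))
            for f in findings}
```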

Additional information on Set Up, Scans, Maps, Ticket Remediation & Reports

Asset Groups (see Asset Group image)
  o Follow the naming conventions for Asset Groups.
  o IPs: list all the IP addresses or IP ranges to be included in the Asset Group.
  o Scanner Appliances: select all listed.
  o Business/CVSS Information:
    - Critical Server Asset Groups: change the default Business Impact to 5 (critical).
    - Other Asset Groups: the information on this tab is optional.

Asset Group Business/CVSS Information
  o Division, Function, Location fields and Business Impact can be maintained for each Asset Group by the user creating the Asset Group.
  o Business Impact must be set to 5 for the Critical Servers Asset Groups.
  o CVSS Environmental Metric Info is not being used.

Host Asset Information
  o Location, Function and Asset Tag fields are maintained on individual host IPs.
  o University Information Security will use the Function field to make notations (i.e., S-1511) related to Solutionary/Seccuris OneStone monitoring of an IP.

User Accounts
  o General Information: all fields with an asterisk are required.
  o User role, select one of:
    - Scanner: scan & map IP addresses in your assigned Asset Groups; create & run reports and manage tickets.
    - Reader: create & run reports for your assigned Asset Groups and manage tickets.
    - Unit Manager: same privileges as Scanner, with the exception that you manage user accounts for your unit.
  o Asset Group: assign one or more Asset Groups to the user.
  o Advanced options: displays the Permissions and Options tabs.

Scans (see Scan Asset Group, Scan Host and Scheduled Scan images)
  o There are multiple scan policies and options for scheduling scans. Here are the basics.
    - Schedule scan or scan immediately.
    - Option Profile: U of M Initial Options (default); PCI scans use Payment Card Industry Options (the PCI policy can be more aggressive).
    - Scanner Appliance: All Scanners in Asset Group; External for a scan from outside the U network. Select an internal scan appliance when listing IP addresses or ranges. If not scanning an entire asset group, the external scanner is used instead of internal.
    - Scan by Asset Group, Select IPs or IP Range.
  o When the scan is completed, users can view the scan report.

Ticket Remediation
  o The main remediation policy will create tickets for all confirmed 4 & 5 vulnerabilities for the IPs in the Critical Servers Reporting Asset Groups. Tickets will be assigned to the user running the scan. The deadline date for determining overdue tickets will be 30 days.
  o Business Units can set up additional remediation policies for their area.

Reports
  o Technical Report - Select Asset Group or IP
    - Results as of the last scan
    - Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    - Details on how to fix
    - Very large report
  o Technical Report - Select Scan Results
    - Results from a specific scan
    - Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    - Details on how to fix
    - Very large report
  o UMN-Summary Report
    - Results as of the last scan
    - Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    - No detail on how to fix
  o UMN-High Severity Report
    - Results as of the last scan
    - Includes confirmed vulnerabilities at levels 4 & 5
    - Details on how to fix
  o UMN-High Severity Summary Report (OIT Sec Reporting)
    - Results as of the last scan
    - Includes confirmed vulnerabilities at levels 4 & 5
    - Sorted by vulnerability and lists the vulnerable hosts
    - No detail on how to fix

Maps
  o Similar to nmap.
  o There are multiple discovery map policies and options for scheduling maps. Here are the basics.
    - Schedule map or map immediately.
    - Option Profile: University of Minnesota Initial Options (default).
    - Scanner Appliance: All Scanners in Asset Group; External for a map from outside the U network.
    - Map by Asset Group, Select IPs or IP Range.
  o When the map is completed, users can view the map report.

Images (screenshots on pages 6 to 8 of the original document): Asset Group; Scan Asset Group; Scan Host; Scheduled Scan.