AHS Vulnerability Scanning Standard



Similar documents
AHS Flaw Remediation Standard

Security Control Standard

NOTICE: This publication is available at:

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Patch and Vulnerability Management Program

FSIS DIRECTIVE

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

NOTICE: This publication is available at:

UNITED STATES PATENT AND TRADEMARK OFFICE. AGENCY ADMINISTRATIVE ORDER Agency Administrative Order Series. Secure Baseline Attachment

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Security Language for IT Acquisition Efforts CIO-IT Security-09-48

Information Security for Managers

2012 FISMA Executive Summary Report

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

EPA Classification No.: CIO P-04.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

United States Patent and Trademark Office

UNITED STATES DEPARTMENT OF AGRICULTURE FOOD SAFETY AND INSPECTION SERVICE WASHINGTON, DC INFORMATION SYSTEM CERTIFICATION AND ACCREDITATION (C&A)

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

THE TOP 4 CONTROLS.

FedRAMP Standard Contract Language

Information and Communication Technology. Patch Management Policy

ManageEngine Desktop Central Training

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

HHS Information System Security Controls Catalog V 1.0

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

OCCS Procedure. Vulnerability Scanning and Management Procedure Reference Number: Last updated: September 6, 2011

Evaluation Report. Weaknesses Identified During the FY 2013 Federal Information Security Management Act Review. April 30, 2014 Report Number 14-12

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

IT Security Standard: Computing Devices

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Security Control Standard

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

How To Review The Security Plans Of Noaa

Penetration Testing Report Client: Business Solutions June 15 th 2015

UNITED STATES COMMISSION ON CIVIL RIGHTS. Fiscal Year 2012 Federal Information Security Management Act Evaluation

Get Confidence in Mission Security with IV&V Information Assurance

CSUSB Vulnerability Management Guidelines CSUSB, Information Security & Emerging Technologies Office

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Managing Vulnerabilities For PCI Compliance

Review of the SEC s Systems Certification and Accreditation Process

Project Delays Prevent EPA from Implementing an Agency-wide Information Security Vulnerability Management Program

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

EPA Classification No.: CIO P-09.1 CIO Approval Date: 08/06/2012 CIO Transmittal No.: Review Date: 08/06/2015

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections

Appendix 10 IT Security Implementation Guide. For. Information Management and Communication Support (IMCS)

CMS INFORMATION SECURITY ASSESSMENT PROCEDURE

PREFACE TO SELECTED INFORMATION DIRECTIVES CHIEF INFORMATION OFFICER MEMORANDUM

ASDI Full Audit Guideline Federal Aviation Administration

Security Testing and Vulnerability Management Process. e-governance

FINAL Version 1.0 June 25, 2014

8. Does this system collect, display, store, maintain or disseminate Personally Identifiable Information (PII)? Yes

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI

8070.S000 Application Security

INCIDENT RESPONSE CHECKLIST

U.S. DEPARTMENT OF THE INTERIOR OFFICE OF INSPECTOR GENERAL Verification of Previous Office of Inspector General Recommendations September 2009

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Final Audit Report FEDERAL INFORMATION SECURITY MANAGEMENT ACT AUDIT FY Report No. 4A-CI Date:

FISMA NIST (Rev 4) Shared Public Cloud Infrastructure Standards

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Patch Management Procedure. Andrew Marriott PATCH MANAGEMENT PROCEDURE.DOCX Version: 1.1

Audit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

How To Write The Jab P-Ato Vulnerability Scan Requirements Guide

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

Security Implications Associated with Mass Notification Systems

Security Standard: Servers, Server-based Applications and Databases

In Brief. Smithsonian Institution Office of the Inspector General

Data Management Policies. Sage ERP Online

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

Title: Security Patch Management

Columbia College Process for Change Management Page 1 of 7

Office of Inspector General

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

5 FAH-11 H-500 PERFORMANCE MEASURES FOR INFORMATION ASSURANCE

U.S. OFFICE OF PERSONNEL MANAGEMENT OFFICE OF THE INSPECTOR GENERAL OFFICE OF AUDITS. Final Audit Report

Final Audit Report -- CAUTION --

SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

TABLE OF CONTENTS INTRODUCTION... 1 OVERVIEW... 1

NERC CIP VERSION 5 COMPLIANCE

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

05.0 Application Development

Vulnerability assessment tools

OFFICE OF INSPECTOR GENERAL

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release July 2015

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

OFFICE OF INSPECTOR GENERAL

TRIPWIRE NERC SOLUTION SUITE

POSTAL REGULATORY COMMISSION

GFI White Paper PCI-DSS compliance and GFI Software products

Lots of Updates! Where do we start?

MANAGING THE CONFIGURATION OF INFORMATION SYSTEMS WITH A FOCUS ON SECURITY

Schneps, Leila; Colmez, Coralie. Math on Trial : How Numbers Get Used and Abused in the Courtroom. New York, NY, USA: Basic Books, p i.

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

Transcription:

AGENCY OF HUMAN SERVICES AHS Vulnerability Scanning Standard Jack Green 10/17/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements for the Vulnerability Scanning (RA-1, RA-5, RA-5(1)) Controls.

Revision History Date Version Description Author.99 Draft received from HI and reviewed by Referentia 1.0 Created Document AHS 8/16/2013 2.0 Document revised for Jack Green VHC standards 10/17/2013 3.0 Procedures reviewed and adapted for VHC business processes and security requirements Jack Green

PURPOSE/STANDARD STATEMENT: The purpose of this procedure is to facilitate the implementation of Vermont Health Connect s (VHC) security control requirements for the Vulnerability Scanning (RA-1, RA-5, RA-5(1)) Controls. The information systems covered in this procedure document contain but are not limited to the following: VHC website VHC Portal VHC workstations and mobile phones Network Accounts E-Mail accounts SCOPE The scope of this standard includes the VHC and its constituent systems only STANDARD Vulnerability Scanning 1. Prior to commencing vulnerability scanning efforts, the following should be addressed: i. Scanner selection SOs shall evaluate the tools for use within their respective environments. 1. The network and host-based vulnerability scanner must provide the following capabilities: a. Identify active hosts on networks. b. Identify active and vulnerable services (ports) on hosts. c. Identify vulnerabilities associated with discovered operating systems and applications. 2. The VHC shall implement a suite of automated monitoring tools to more effectively monitor and identify vulnerabilities on networked computer servers. ii. Purpose A vulnerability scan must have a defined purpose. Vulnerability scanning happens periodically, as part of the information system authorization process, and during the risk assessment process. iii. Vulnerability scans are typically performed against all systems and for all known vulnerabilities.

iv. The SO shall conduct vulnerability scans to be performed as noted below: 1. Regularly scheduled scans must occur at most every 30 days. 2. Additional scheduled scans must occur after system updates or the identification of a major vulnerability. 3. Unscheduled scans may occur when deemed necessary by the ISSO. v. Scope/boundaries An active vulnerability scan must have a defined scope or boundary. vi. The scope must be clearly defined in written Rules of Engagement (ROE). vii. The scan must be limited to a specific information system, system(s), subnet(s), or network(s) within the realm of responsibility for the VHC. 1. If scans will occur outside the realm of responsibility for the VHC, then a memorandum of understanding (MOU) must be drafted and signed by the AO of each affected Agency. viii. Signatures/tests Compliance with the VHC s configuration standards must be tested. The signatures/tests that will be run against identified scope/boundaries should be selected as appropriate for the purpose of the vulnerability scanning. ix. Research potential negative impacts Once signatures/tests are selected, research should occur to determine if any of those signatures/tests may have a potential negative impact on the scope/boundaries selected. 2. Coordination/announcement Coordination with and/or notification to the relevant or affected parties, depending on the scope and purpose of the scans, must occur before an active vulnerability scan is performed, especially if that scan may result in a potential negative impact. 3. The VHC shall scan for vulnerabilities in the information system and hosted applications at least every 90 days for a system with a low system categorization. 4. High and Moderate systems shall be scanned weekly and when new vulnerabilities potentially affecting the system/applications are identified and reported. i. The security categorization of the information system must guide the frequency and comprehensiveness of the vulnerability scans. ii. Vulnerability scanning must include scanning for specific functions, ports, protocols, and services that should not be accessible to users or devices and for improperly configured or incorrectly operating information flow mechanisms. iii. The information system vulnerabilities list shall be updated at least weekly or when new vulnerabilities are released. 5. Vulnerability scanning and penetration testing must be used to assess the adequacy of security controls for the information system and adherence to federal and Agency requirements.

6. The VHC shall manage systems to reduce vulnerabilities through vulnerability testing and management, promptly installing patches, and eliminating or disabling unnecessary services. 7. Vulnerability scan reports and results from security control assessments must be analyzed. 8. External testing must be performed by a recognized independent security resource. i. Testing must, at a minimum, include remote scanning and probing to identify potential exploits and vulnerabilities. ii. Test results must capture all vulnerabilities and must include recommendations for implementing industry best practices solutions. iii. Testing must be conducted on specifically identified assets with the advice and consent of the CIO. 9. Vulnerability scanning must be conducted using scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards that: i. Enumerate platforms, software flaws, and improper configurations. ii. Format and make transparent, checklists and test procedures. iii. Measure vulnerability impact. 10. Vulnerability scans must have defined a clear scope for all vulnerability scanning activities and designate knowledgeable and trained individuals to perform the scans. 11. The following must be addressed before, during, and after the vulnerability scan: i. Update scanning software Before the vulnerability scan is performed, the vulnerability scanner must be updated with the latest patches and database signatures/tests. Scanners that are not maintained and out of date will not contain the most recent signatures/tests and, as a result, vulnerabilities could be missed. Scans performed by scanners that are not maintained are not valid for meeting the scanning requirements and results cannot be claimed on FISMA reporting or used in the security assessment and authorization process. ii. Perform scanning exercise The designated personnel shall perform the scan of the network and devices in accordance with the established ROE. iii. Verify system availability After completing the test, the designated personnel shall check system status directly or by coordinating with the system administration team to ensure that the test did not result in unintended consequences and that the system remains operational. 12. Once the vulnerability scanning has been completed, the results must be analyzed and documented in a vulnerability scan report. 13. The Program Manager shall review, approve, and sign all custom-developed code prior to deployment into production environments. i. The Program Manager may delegate this authority to another VHC employee in writing.

ii. This authority shall not be delegated to contractor personnel. 14. Discovered deficiencies must be added to the system POA&M for correction or mitigation as follows: i. Critical or High Vulnerabilities These must be reported immediately when verified. 1. SOs shall have 30 days to correct these after which a POA&M must be established. ii. Moderate Vulnerabilities These must be corrected within 60 days after which a POA&M must be established. iii. Low Vulnerabilities These must be corrected after high and moderate vulnerabilities are corrected as time permits. POA&Ms do not need to be established unless an aggregation of these vulnerabilities raises the risk to moderate or high. 15. The following corrective actions must be employed when necessary as a result of scanning for vulnerabilities: i. Upgrade or patch vulnerable systems to mitigate identified vulnerabilities as appropriate. ii. Deploy mitigating measures (e.g., management, technical, procedural) if the system cannot be immediately patched. iii. Improve the change management and configuration management program and procedures and standards to ensure that systems are upgraded routinely with the latest solutions. iv. Assign a specified team or person(s) responsible for monitoring vulnerability alerts and mailing lists, examine applicability to the Agency s environment, and initiate appropriate system changes. 16. Modify or recommend modifications to the Agency s security policies, architecture, or other documentation, processes or procedures to ensure that security practices include timely system updates and upgrades. IMPORTANT INFORMATION These procedures can be found at http://dvha-intra.ahs.state.vt.us/policies-protocols/infosec

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information