Sample Vulnerability Assessment Standard:
Document History
| Version | Date | Revised By | Description |
| 1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owners's name> | This version replaces any prior version. |
Document Certification
| Description | Date Parameters |
| Designated document recertification cycle in days: | 30 - 90 - 180 - 365 <Select cycle> |
| Next document recertification date: | 1 July 2010 <Date> |
Vulnerability Assessment Standard
The <Your Company Name> (the "Company) Sample Vulnerability Assessment and Management Policy defines objectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.
This Vulnerability Assessment Standard builds on the objectives established in the Sample Vulnerability Assessment and Management Policy, and provides specific instructions and requirements for assessing and prioritizing vulnerabilities.
I. Scope
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company Information Assets, are covered by this standard and must comply with associated guidelines and procedures.
Information assets are defined in the Sample Asset Identification and Classification Policy.
Risk refers to the likelihood of loss, damage, or injury to information assets. Risk is present if a threat can exploit an actual vulnerability to adversely impact a sensitive information asset.
Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.
Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.
Vulnerabilities refer the weaknesses in information system and procedures including technical, organizational, procedural, administrative, or physical weaknesses.
II. Requirements
A. Assessment
- 1. Vulnerability assessments of the systems, networks, and applications that store, process, or transmit Company information assets should be conducted on a routine basis according to the confidentiality classification:
- 1. Vulnerability assessments of the systems, networks, and applications that store, process, or transmit Company information assets should be conducted on a routine basis according to the confidentiality classification:
Confidentiality Classification Review Interval (at a minimum) Public Annually Internal Use Only Annually Confidential Semi-annually Restricted Quarterly
- 2. Vulnerability assessments of networks must cover, at a minimum, the following areas:
- 2. Vulnerability assessments of networks must cover, at a minimum, the following areas:
- Probing of service ports to identify unauthorized services
- Probing of service ports to identify unauthorized services
- Testing for known vulnerabilities for authorized service ports
- Testing for known vulnerabilities for authorized service ports
- Analysis of network traffic to ensure encryption controls have been implemented in accordance with the Sample Encryption Standard and Sample Information Handling Standard.
- Analysis of network traffic to ensure encryption controls have been implemented in accordance with the Sample Encryption Standard and Sample Information Handling Standard.
- 3. Vulnerability assessments of servers must cover, at a minimum, the following areas:
- 3. Vulnerability assessments of servers must cover, at a minimum, the following areas:
- Review of user and system accounts to ensure identification and authentication controls and requirements conform to the Sample Access Control Standard.
- Review of user and system accounts to ensure identification and authentication controls and requirements conform to the Sample Access Control Standard.
- Review of installed applications and running services to ensure conformance to Company-approved configurations and identify unauthorized applications and services.
- Review of installed applications and running services to ensure conformance to Company-approved configurations and identify unauthorized applications and services.
- Analysis of auditing configurations to ensure that auditing is enabled and security events are logged and processed in accordance with the Sample Auditing Standard.
- Analysis of auditing configurations to ensure that auditing is enabled and security events are logged and processed in accordance with the Sample Auditing Standard.
- Analysis of directory and file level access controls for critical system files and sensitive data files to ensure encryption and protection in accordance with the Sample Encryption Standard and Sample Access Control Standard.
- Analysis of directory and file level access controls for critical system files and sensitive data files to ensure encryption and protection in accordance with the Sample Encryption Standard and Sample Access Control Standard.
- Analysis of system and data backups controls and requirements outlined in the Sample Availability Protection Standard.
- Analysis of system and data backups controls and requirements outlined in the Sample Availability Protection Standard.
- 4. Vulnerability assessments of applications must cover, at a minimum, the following areas:
- 4. Vulnerability assessments of applications must cover, at a minimum, the following areas:
- Analysis of applications that authenticate and/or authorize users to determine conformance to the controls and requirements outlined in the Sample Access Control Standard and Sample Encryption Standard.
- Analysis of applications that authenticate and/or authorize users to determine conformance to the controls and requirements outlined in the Sample Access Control Standard and Sample Encryption Standard.
- Analysis of applications that store, process, and/or transmit sensitive Company information to determine conformance to the Sample Access Control Standard.
- Analysis of applications that store, process, and/or transmit sensitive Company information to determine conformance to the Sample Access Control Standard.
- Testing for known vulnerabilities including but not limited to backend compromises, backdoors, logic error handling, buffer overflows, ciphers, scripting, and variable checking.
- Testing for known vulnerabilities including but not limited to backend compromises, backdoors, logic error handling, buffer overflows, ciphers, scripting, and variable checking.
- Testing to determine if applications respond appropriately to invalid or corrupt input.
- Testing to determine if applications respond appropriately to invalid or corrupt input.
- 5. Vulnerability assessments shall be conducted on information systems after significant changes to production IT environments.
- 5. Vulnerability assessments shall be conducted on information systems after significant changes to production IT environments.
- 6. Vulnerability assessments shall be conducted on information systems scheduled for deployment within production environments. Identified vulnerabilities must be mitigated prior to deployment.
- 6. Vulnerability assessments shall be conducted on information systems scheduled for deployment within production environments. Identified vulnerabilities must be mitigated prior to deployment.
- 7. Vulnerability assessments shall be performed, in accordance with the Sample Physical Access Standard on the physical access controls for Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit "Confidential" or "Restricted" information.
- 7. Vulnerability assessments shall be performed, in accordance with the Sample Physical Access Standard on the physical access controls for Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit "Confidential" or "Restricted" information.
B. Prioritization
- 1. The findings from the vulnerability assessments should be rated and prioritized according to the risk and potential impact to Company information assets if exploited.
- Vulnerability ratings include:
- 1. The findings from the vulnerability assessments should be rated and prioritized according to the risk and potential impact to Company information assets if exploited.
Vulnerability Rating Description Potential Impact High-risk Vulnerabilities that can be exploited by threats and pose an immediate danger to the security of a system, network, or application. Severe to Catastrophic Medium-risk Vulnerabilities could contribute to an eventual exploitation or undesired event. Limited to Moderate Low-risk Vulnerabilities that are not likely to be exploited by threats to the network and connected systems at the time, but should be noted. None to Low
III. Responsibilities
The Chief Information Security Officer (CISO) approves the Vulnerability Assessment Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Vulnerability Assessment Standard.
Company management is responsible for ensuring that the Vulnerability Assessment Standard is properly communicated and understood within its respective organizational units. Company management also is responsible for planning vulnerability assessment activities.
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Vulnerability Assessment Standard and associated guidelines; ensuring vulnerability assessments are performed; and participating in the planning and closing phases of vulnerability assessments.
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in vulnerability assessments; assisting with prioritizing assessed vulnerabilities; and notifying appropriate Company personnel of identified and assessed vulnerabilities on information systems for which they are responsible.
Users are the individuals, groups, or organizations authorized by the Owner to access to information assets. Users are responsible for reporting suspected or actual vulnerabilities to <Specify Contact> in a timely manner.
IV. Enforcement and Exception Handling
Failure to comply with the Vulnerability Assessment Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.
Requests for exceptions to the Vulnerability Assessment Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Vulnerability Assessment Standard.
V. Review and Revision
The Vulnerability Assessment Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.
Approved: _______________________________________________________
- Signature
- Signature
- <Insert Name>
- <Insert Name>
- Chief Information Security Officer
- Chief Information Security Officer