Sample Vulnerability Assessment Standard:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 14:11, 1 May 2010 by Mdpeters (talk | contribs)

Document History

Version | Date | Revised By | Description
1.0 | 1 January 2010 <Current date> | Michael D. Peters <Owner's name> | This version replaces any prior version.


Document Certification

Description | Date | Parameters
Designated document recertification cycle in days | | 30 - 90 - 180 - 365 <Select cycle>
Next document recertification date | 1 July 2010 <Date> |


Vulnerability Assessment Standard


The <Your Company Name> (the "Company") Sample Vulnerability Assessment and Management Policy defines objectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.

This Vulnerability Assessment Standard builds on the objectives established in the Sample Vulnerability Assessment and Management Policy, and provides specific instructions and requirements for assessing and prioritizing vulnerabilities.

I. Scope


All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to and use of Company Information Assets, are covered by this standard and must comply with associated guidelines and procedures.

Information assets are defined in the Sample Asset Identification and Classification Policy.

Risk refers to the likelihood of loss, damage, or injury to information assets. Risk is present if a threat can exploit an actual vulnerability to adversely impact a sensitive information asset.

Sensitive information refers to information that is classified as Restricted or Confidential. Refer to the Sample Information Classification Standard for confidentiality classification categories.

Threats are the intentional or accidental actions, activities or events that can adversely impact Company information assets, as well as the sources, such as the individuals, groups, or organizations, of these events and activities.

Vulnerabilities refer to weaknesses in information systems and procedures, including technical, organizational, procedural, administrative, or physical weaknesses.

II. Requirements


A. Assessment

1. Vulnerability assessments of the systems, networks, and applications that store, process, or transmit Company information assets should be conducted on a routine basis according to the confidentiality classification:

Confidentiality Classification | Review Interval (at a minimum)
Public | Annually
Internal Use Only | Annually
Confidential | Semi-annually
Restricted | Quarterly


2. Vulnerability assessments of networks must cover, at a minimum, the following areas:

  • Probing of service ports to identify unauthorized services

  • Testing for known vulnerabilities for authorized service ports



3. Vulnerability assessments of servers must cover, at a minimum, the following areas:

  • Review of user and system accounts to ensure identification and authentication controls and requirements conform to the Sample Access Control Standard.

  • Review of installed applications and running services to ensure conformance to Company-approved configurations and to identify unauthorized applications and services.

  • Analysis of auditing configurations to ensure that auditing is enabled and security events are logged and processed in accordance with the Sample Auditing Standard.




4. Vulnerability assessments of applications must cover, at a minimum, the following areas:

  • Analysis of applications that store, process, and/or transmit sensitive Company information to determine conformance to the Sample Access Control Standard.

  • Testing for known vulnerabilities, including but not limited to backend compromises, backdoors, logic error handling, buffer overflows, ciphers, scripting, and variable checking.

  • Testing to determine whether applications respond appropriately to invalid or corrupt input.


5. Vulnerability assessments shall be conducted on information systems after significant changes to production IT environments.

6. Vulnerability assessments shall be conducted on information systems scheduled for deployment within production environments. Identified vulnerabilities must be mitigated prior to deployment.

7. Vulnerability assessments shall be performed, in accordance with the Sample Physical Access Standard, on the physical access controls for Company facilities and areas that serve as the physical location for servers and networks that store, process, and transmit "Confidential" or "Restricted" information.


B. Prioritization

1. The findings from the vulnerability assessments should be rated and prioritized according to the risk and potential impact to Company information assets if exploited. Vulnerability ratings include:

Vulnerability Rating | Description | Potential Impact
High-risk | Vulnerabilities that can be exploited by threats and pose an immediate danger to the security of a system, network, or application. | Severe to Catastrophic
Medium-risk | Vulnerabilities that could contribute to an eventual exploitation or undesired event. | Limited to Moderate
Low-risk | Vulnerabilities that are not likely to be exploited by threats to the network and connected systems at the time, but that should be noted. | None to Low


III. Responsibilities


The Chief Information Security Officer (CISO) approves the Vulnerability Assessment Standard. The CISO is also responsible for ensuring the development, implementation, and maintenance of the Vulnerability Assessment Standard.

Company management is responsible for ensuring that the Vulnerability Assessment Standard is properly communicated and understood within its respective organizational units. Company management is also responsible for planning vulnerability assessment activities.

Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. The Owner is responsible for defining process and procedures that are consistent with the Vulnerability Assessment Standard and associated guidelines; ensuring vulnerability assessments are performed; and participating in the planning and closing phases of vulnerability assessments.

Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information assets; participating in vulnerability assessments; assisting with prioritizing assessed vulnerabilities; and notifying appropriate Company personnel of identified and assessed vulnerabilities on information systems for which they are responsible.

Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for reporting suspected or actual vulnerabilities to <Specify Contact> in a timely manner.

IV. Enforcement and Exception Handling


Failure to comply with the Vulnerability Assessment Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal action may also be taken for violations of applicable regulations and laws.

Requests for exceptions to the Vulnerability Assessment Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Vulnerability Assessment Standard.

V. Review and Revision


The Vulnerability Assessment Standard will be reviewed and revised in accordance with the Sample Information Security Program Charter.

Approved: _______________________________________________________

Signature

<Insert Name>

Chief Information Security Officer