IT Security Standard: Vulnerability Assessment and Management

Brief Description:

Campus requirements for scanning for and remediating vulnerabilities on networked computing devices

Related Policy:

Introduction:

Vulnerability scanning is a tool to help the university identify vulnerabilities on its networked computing devices. The results of the vulnerability scans help inform management and computing device administrators of known and potential vulnerabilities on so those vulnerabilities can be addressed and managed. Vulnerability scanning can be used at a broader level to ensure that campus information security practices are working correctly and are effective.

Cal Poly’s IT Security Standard: Computing Devices includes requirements addressing scanning computing devices for vulnerabilities and remediating any found vulnerabilities in a timely manner. The purpose of this standard is to clarify the campus requirements and expectations regarding vulnerability scans and remediation of discovered vulnerabilities to ensure that compliance is met.

Scope:

This standard applies to employees, contractors, vendors and agents with access to campus information systems. It also applies to remote access connections used to do work on behalf of Cal Poly. This standard applies to all university-owned devices connected to the network and may apply to personally-owned devices if used exclusively or extensively to conduct university related business.

Standard:

Approved Scanning Tool

While there are numerous, tools that can provide insight into the vulnerabilities on a system, not all scanning tools have the same set of features. Cal Poly’s Information Security Officer is responsible for approving and overseeing campus use of an enterprise scanning and assessment tool. Use of any other vulnerability scanner must be justified in writing and approved by the Information Security Officer.

Any approved scanning tool must be capable of scanning information systems from a central location and be able to provide remediation suggestions. It must also be able to associate a severity value to each vulnerability discovered based on the relative impact of the vulnerability to the affected unit.

Periodic Vulnerability Assessment – Existing Devices

Units are required to conduct a vulnerability assessment of all of their networked computing devices on a periodic basis.

At a minimum, units shall run authenticated scans from the enterprise class scanning tool on a quarterly basis against all networked computing devices within their control.

Monthly scans are required for the following networking computing devices:

Any university computing devices that are known to contain Level 1 data
Any university computing devices that must meet specific regulatory requirements, e.g., PCI, HIPPA, etc.
All file-system images or virtual machine templates used as base images for building and deploying new workstations or servers
All devices that are used as servers or used for data storage
Any network infrastructure equipment

The approved enterprise vulnerability scanning tool must be used to conduct the scans unless otherwise authorized (see Approved Scanning Tool).

Scans shall be performed during hours appropriate to the business needs of the entity and to minimize disruption to normal business functions.

Data from scans are to be treated as Internal-Confidential, i.e., Level 2, consistent with Cal Poly’s Information Classification and Handling Standard.

The assessment will scan networked computing devices from inside the perimeter of Cal Poly’s network.

Computing device or system administrators must not make any temporary changes to networked computing devices for the sole purpose of passing an assessment. Any attempts to tamper with results will be referred to management for potential disciplinary action.

No devices connected to the network shall be specifically configured to block vulnerability scans from authorized scanning engines.

Vulnerabilities on networked computing devices shall be mitigated and eliminated through proper analysis and repair methodologies.

New Information System Vulnerability Assessment

No new information system shall be considered in production until a vulnerability assessment has been conducted and vulnerabilities addressed.

Units will conduct vulnerability assessments:

at the completion of the operating system installation and patching phase
at the completion of the installation of any vendor provided or in-house developed application
just prior to moving the information system into production
at the completion of an image or template designed for deployment of multiple devices
for vendor provided information systems, prior to user acceptance testing and again before moving into production
for all new network infrastructure equipment, during the burn in phase and prior to moving to production

At the completion of each of the above vulnerability assessments, all discovered vulnerabilities must be documented and remediated. Units must keep a record of all assessments and be able to produce copies if requested by management, the Information Security Officer or an external auditor.

Limitation of Scanning

Units shall not conduct intrusive scans of systems that are not under their direct authority:

Units are responsible for ensuring that vendor owned equipment is free of vulnerabilities that can harm Cal Poly information systems. The vendor must be informed and permitted to have staff on hand at the time of scans. If a vendor does not provide staff, scans must be conducted to determine the security status of vendor owned devices residing on Cal Poly’s network.

Vendors are not permitted to conduct scans of university information systems without the express permission of Cal Poly’s Information Security Office and the presence of appropriate university staff designated by the affected unit.

At no time shall a computing device/system administrator ever conduct a scan on the public network or Internet unless such activity is authorized based on a contractual relationship. Authorization must be in writing and approved by the Information Security Officer and Vice Provost/Chief Information Officer.

Networked computing devices that appear to be causing disruptive behavior on the network may be scanned by Information Services using nonintrusive methods to investigate the source of the disruption.

Remediation

At the conclusion of each quarterly assessment, each unit will maintain documentation showing:

All discovered vulnerabilities, the severity, and the affected information system(s).
For each discovered vulnerability, detailed information on how the vulnerability will be remedied or eliminated.

The reports produced by the enterprise vulnerability scanning tool may be used as the above documentation.

As part of the annual information security self-assessment process, units will be required to document vulnerability scanning and remediation efforts based on the above documentation.

Discovered vulnerabilities will be remediated and/or mitigated based on the following rules:

Critical, High and Medium (Levels 4 and 5) vulnerabilities will be fully addressed within 30 calendar days of discovery.
Low (Levels 3 and 2) vulnerabilities will be addressed within 90 calendar days of discovery.

Vulnerabilities are considered remediated when the risk of exploitation has been fully-removed and subsequent scans of the device show the vulnerability no longer exists. Typically this is accomplished by patching the operating system/software applications or by upgrading software.

External Audit

The Information Security Office reserves the right to independently audit each unit at will or at the request of management. These audits will review existing scanning data and verify that vulnerabilities were actually remediated. Any discrepancies will be noted and reported to the Vice Provost/Chief information Officer and the unit’s management and senior management.

Use of Outside Contractors

Units may use outside contractors to complete the required work; however, the contractors must use an enterprise-class assessment tool with the same capabilities as the approved tool.

If contractors are engaged to conduct scans using the Approved Scanning Tool defined herein, approval must be obtained from the Information Security Officer and Vice Provost/Chief Information Officer.

Definitions:

Authenticated Scan - A type of scan that requires appropriate credentials to authenticate to a machine to determine the presence of vulnerability without having to attempt an intrusive scan

Information Systems - Software, hardware and interface components that work together to perform a set of business functions

Internal-Confidential - The requirement to maintain certain information accessible to only those authorized to access it and those with a need to know. For this purpose, those authorized would only be those within Cal Poly with a designated need to know.

Intrusive Scan - A type of scan that attempts to determine the presence of vulnerability by actively executing a known exploit

Networked Computing Device - Any computing device connected to the network that provides the means to access, process and store information

Network Infrastructure Equipment - Equipment which provides information transport, e.g., routers, switches, firewalls, bridging equipment etc.; does not include network servers and workstations unless such devices serve the specific function of providing transport

System Administrator/Computing Device Administrator - The individual or individuals responsible for the overall implementation and maintenance of a networked computing device

Threat - Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service, or something or someone that can intentionally or accidentally exploit a vulnerability

Unit - A defined organizational unit within the university that is responsible for securing information asset, e.g., division, college, department, auxiliary, center or institute, and so on

Vulnerability - A security exposure in an operating system or other system software or application software component, including but not limited to: missing Operating System and application Patches, inappropriately installed or active applications and services, software flaws and exploits, mis-configurations in systems, etc.

Responsibilities:

Unit Management, including Information Security Coordinators and Unit IT Supervisors

Supports and enforces this standard as indicated, approves and submits annual risk self-assessment
Requests internal audits, procures and/or assigns the resources necessary to implement the standard
Supervises and coordinates vulnerability assessments and remediation processes
Determines who maintains documentation
Notifies device users and supports staff involve in implementing the processes
Requests exceptions

System Administrator/Computing Device Administrator

Supports and complies with this policy as indicated
Implements best practices to comply with assessment results or remediate vulnerabilities
Ensures any computing devices in their area are being scanned according to this standard
Remediates vulnerabilities within specified timeframes unless a written exception or extension has been requested and approved
Actively monitors for available patches to remediate vulnerabilities for which an exception or extension has been granted
Produces required documentation using the enterprise scanning tool
Notifies device users of scheduled scans and remediation tasks that may affect the user or require additional work from the user
Escalates to management

Information Security Office

Approves and oversees campus use of an enterprise class vulnerability scanner to conduct scans
Reviews and approves use of alternate scanning tools as needed
Conducts annual compliance reviews and risk assessments
Advises units on campus vulnerability assessment and remediation processes
May audit units and monitor scanning activity to verify compliance
Notifies senior management of units that are out of compliance
In consultation with the Information Security Management Team, approves or denies requests for exceptions
Authorizes removal of devices from the network

Non-Compliance and Exceptions:

Any unit needing an exception to this standard must follow the IT / Information Security Exception Request Process. Examples of possible exceptions include but are not limited to:

If a critical (Level 4 or 5) vulnerability cannot be remediated but there are compensating controls in place that reduce or eliminate the risk
If a critical (Level 4 or 5) vulnerability cannot be remediated or controlled, e.g. no patch is currently available or the remediation could affect service availability or service contracts, etc.
If a device should not or cannot be scanned at the frequency required by this standard

Once an exception is granted, if a method to eliminate or to reduce the vulnerability becomes available, the vulnerability must be remediated from that point based on the standard.

A device is considered to be non-compliant if one of the following cases is true:

A critical (Level 4 or 5) vulnerability on a computing device is not addressed or has not been remediated in a timely manner as defined in the standard
A computing device is not being scanned in accordance with the frequency defined herein

If a device is found to be non-compliant and the problem is not resolved in the timeframe determined in consultation with the Information Security Office, the device may be removed from the Cal Poly network.

Related Procedures and Resources:

Implementation

Effective Date:	4/1/2013
Review Frequency:	Annual
Responsible Officer:	Vice Provost/Chief Information Officer Information Security Officer

Effective Date:

4/1/2013

Review Frequency:

Annual

Responsible Officer:

Vice Provost/Chief Information Officer

Information Security Officer

Revision History

Date	Action	Pages
3/2013	Public release of final document	All
12/2012	Revised draft released for campus review	All
9/30/2010	Initial draft developed	All

Information Security

Quick References

US CERT Current Activity