Premium Essay

Vulnerability Management Policy

Submitted By
Words 1400
Pages 6
Vulnerability Management Policy
Purpose
The purpose of this policy is to increase the security posture of IHS systems and mitigate threats posed by vulnerabilities within all IHS-owned or leased systems and applications.
Scope
This policy applies to all IHS employees, contractors, vendors and agents with access to any part of IHS networks and systems. This policy applies to remote access connections used to do work from a remote location, including reading or sending email and viewing intranet web resources.
Policy
1. Approved Scanning Tools
1.1 There are numerous, tools that can provide insight into the vulnerabilities on a system. Not all scanning tools have the same set of features. The CSO shall be the sole entity to implement an enterprise …show more content…
3.3 Scans shall be performed during hours appropriate to the business needs of the organization and to minimize disruption to normal business functions.
3.4 Data from scans are to be treated as Internal-Confidential
3.5 The vulnerability scanning tool must have the ability to associate a severity value to each vulnerability discovered based on the relative impact of the vulnerability to the organization.
3.6 IT staff will not make any temporary changes to information systems, for the sole purpose of "passing" an assessment. Any attempts to tamper with results will be referred to IT management for disciplinary action. Vulnerabilities on information systems shall be mitigated and eliminated through proper analysis and repair methodologies.
3.7 No devices connected to the network shall be specifically configured to block vulnerability scans from authorized scanning engines.
3.8 At a minimum, IHS shall run authenticated scans from the enterprise class scanning tools on a quarterly basis against all information assets within their control.
4. New Information System Vulnerability …show more content…
6.1.2 "Medium" level vulnerabilities will be addressed within 45 calendar days of discovery.
6.1.3 "Low” level vulnerabilities will be addressed within 180 calendar days of discovery.
6.1.4 "Informational" vulnerabilities may never be addressed.
7. Remediation/Mitigation of Vulnerabilities
7.1 If a system has a vulnerability that cannot be remediated in the recommended manner, IHS shall perform a Risk Assessment, implement appropriate security controls to mitigate identified risks, and provide a copy of the signed Risk Assessment to the CSO.
8. Annual Report
8.1 Engineering should generate an annual report of all outstanding vulnerabilities. This report should be submitted to the CSO for review.
9. External Audit
9.1 The CSO reserves the right to order an audit of any network device at will. These audits will review existing scanning data and verify that vulnerabilities were actually remediated. Any discrepancies will be noted and reported to the CSO.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Definitions
Term

Similar Documents

Premium Essay

Is4550 Lab 9

...Risk-Threat-Vulnerability IT Security Policy Definition Unauthorized access from Public Internet Acceptable Us Policy User Destroys Data in application and deletes all files Asset Identification and Classification Policy Hacker penetrates you IT infrastructure and gains access to your internal network Vulnerability Assessment and Management Policy Intra-office employee romance gone bad Security Awareness Training Policy Fire destroys primary data center Threat Assessment and Management policy communication circuit outages Asset Protection Policy Workstation OS has a known software vulnerability Vulnerability Assessment and Management Policy Unauthorized access to organization owned Workstations Asset Management Policy Loss of production data Security Awareness Training Policy Denial of service attack on organization e-mail server Vulnerability Assessment and Management Policy Remote communications from home office Asset Protection Policy LAN server OS has a known software vulnerability Vulnerability Assessment and Management Policy User downloads an unknown e-mail attachment Security Awareness Training Policy Workstation browser has software vulnerability Vulnerability Assessment and Management Policy Service provider has a major network outage Asset Protection Policy Weak ingress/egress traffic filtering degrades performance Vulnerability Assessment and Management Policy User inserts CDs and USB hard drives with personal photos...

Words: 616 - Pages: 3

Premium Essay

Is4550 Week 5 Lab

...Audit an Existing IT Security Policy Framework Definition Learning Objectives and Outcomes Upon completing this lab, students will be able to complete the following tasks: * Identify risks, threats, and vulnerabilities in the 7 domains of a typical IT infrastructure * Review existing IT security policies as part of a policy framework definition * Align IT security policies throughout the 7 domains of a typical IT infrastructure as part of a layered security strategy * Identify gaps in the IT security policy framework definition * Recommend other IT security policies that can help mitigate all known risks, threats, and vulnerabilities throughout the 7 domains of a typical IT infrastructure Week 5 Lab Part 1: Assessment Worksheet (PART A) Sample IT Security Policy Framework Definition Overview Given the following IT security policy framework definition, specify which policy probably can cover the identified risk, threat, or vulnerability. If there is none, then identify that as a gap. Insert your recommendation for an IT security policy that can eliminate the gap. Risk – Threat – Vulnerability | IT Security Policy Definition | Unauthorized access from pubic Internet | Acceptable use policy | User destroys data in application and deletes all files | Backup Recovery Policy | Hacker penetrates your IT infrastructure and gains access to your internal network | Threat Assessment & Management Policy | Intra-office employee romance...

Words: 1625 - Pages: 7

Premium Essay

Seurity Assessment Report

...Information Security Policy 5 2. {Security Issue #2} 5 3. {Security Issue #3} 5 4. {Security Issue #4} 5 5. {Security Issue #5} 5 6. {Security Issue #6} 6 7. {Security Issue #7} 6 8. {Security Issue #8} 6 9. {Security Issue #9} 6 10. {Security Issue #10} 6 Introduction 7 Scope 7 Project Scope 7 In Scope 7 Out of Scope 7 Site Activities Schedule 7 First Day 7 Second Day 7 Third Day 7 Background Information 8 {CLIENT ORGANIZATION} 8 Asset Identification 9 Assets of the {CLIENT ORGANIZATION} 9 Threat Assessment 9 Threats to the {CLIENT ORGANIZATION} 9 Laws, Regulations and Policy 10 Federal Law and Regulation 10 {CLIENT ORGANIZATION} Policy 10 Vulnerabilities 10 The {CLIENT ORGANIZATION} has no information security policy 10 {State the Vulnerability} 10 Personnel 11 Management 11 Operations 11 Development 11 Vulnerabilities 11 There is no information security officer 11 {State the Vulnerability} 11 Network Security 12 Vulnerabilities 12 The {CLIENT ORGANIZATION} systems are not protected by a network firewall 12 {State the Vulnerability} 13 System Security 13 Vulnerabilities 13 Users can install unsafe software 13 {State the Vulnerability} 14 Application Security 14 Vulnerabilities 14 Sensitive information within the database is not encrypted 14 {State the Vulnerability} 14 Operational Security 15 Vulnerabilities 15 There is no standard...

Words: 3242 - Pages: 13

Premium Essay

Vulnerability Mangement

...QUALYSGUARD® ROLLOUT GUIDE July 12, 2012 Copyright 2011-2012 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners.  Qualys, Inc. 1600 Bridge Parkway Redwood Shores, CA 94065 1 (650) 801 6100 Preface Chapter 1 Introduction Operationalizing Security and Policy Compliance..................................................... 10 QualysGuard Best Practices ........................................................................................... 11 Chapter 2 Rollout First Steps First Login......................................................................................................................... Complete the User Registration.......................................................................... Your Home Page................................................................................................... View Host Assets .................................................................................................. Add Hosts .............................................................................................................. Remove IPs from the Subscription..................................................................... Add Virtual Hosts ................................................................................................ Check Network Access to Scanners .....................................

Words: 38236 - Pages: 153

Premium Essay

Risk Management

...Applying Risk Management Consulting Ricardo Jackson CMGT/430 April 28, 2015 Dr. Leandro Worrell Applying Risk Management Consulting According to (Whitman & Mattord, 2010) Risk Management is the process of discovering and assessing the risks to an organization’s operations and determining how those risks can be controlled or mitigated. Risk management tackles part of a law-abiding control program that organizations implement to monitor the business and make informed decisions. Most corporate leadership takes on this task while bridging together other departments within the organization requirements. While governance programs differ broadly, all programs require a well-thought-out security risk management component to arrange and mitigate security risks. The management of information systems relies heavily on risk management therefore certain fundamentals must be applied within an organization risk management plan. These principles include identification, assessment, and decision support/implementation control. Identification The risk identification process begins with the identification of information assets, including people, procedures, data, software, hardware, and networking elements. Risk Assessment Identify and prioritize risks to the business Assess Control. Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment. Risk assessment assigns a risk rating or score to each specific vulnerability. This enables...

Words: 969 - Pages: 4

Free Essay

Security Assessment and Recommendations for Aircraft Solutions

...Security Assessment and Recommendations for Aircraft Solutions Principles of Information Security and Privacy Keller Submitted: December 11, 2013 Executive Summary The purpose of this report is to investigate the vulnerabilities of Aircraft Solutions (AS) in the areas of hardware and policy. Furthermore, it provides recommended solutions to the security weaknesses mentioned in Phase 1. Aircraft Solutions is a well known leader in the design and production of component products and services for companies ranging from commercial industry to the aerospace industry. In addition, Aircraft Solutions maintains a large capacity plant filled with an extensive variety of equipment, which is mostly automated alongside skilled specialists in a range of fields to ensure they meet their customers’ needs. The weaknesses that are being addressed are hardware and policy. Company Overview Aircraft Solutions is a leader in the planning and production of component products and services for companies in the electronics, commercial, defense, and aerospace industry. The headquarters of Aircraft Solutions is located in San Diego, California. The goal of Aircraft Solutions is to use machined products and related services to supply customer success, and to achieve cost, quality, and schedule requisites. They have a Defense Division (DD) of Aircraft Solutions located in Orange County, California and a Commercial Division (CD) located in San Diego County, California. Aircraft...

Words: 1560 - Pages: 7

Premium Essay

Risk Management

...Public trust is a major concern when it comes to managing risk policies. The base of risk management is necessary for the company to grow and move into its full potential. Weak policies can lead to vulnerabilities in our infrastructure and network allowing potential threats to the integrity of the company. Credit card information, confidential information, wireless connections and other assets can all be taken without proper management. What does risk management do for us and how does it address future security breaches and more importantly how does it reduce the risks. Risk management is a decision which determines which types of vulnerabilities the company can be susceptible to, what kind of impact different vulnerabilities have, and lastly an action plan to control the impact of how many assets get affected. It also involves identifying what kind of vulnerabilities there are and where they are within the company. The risk is high in our establishment due to us housing credit card information and personal data. A risk assessment to determine what is within our environment should be completed as it will give us a broader idea of what to expect if a system gets compromised. A documented process involving senior staff and management should be considered moving forward. A risk management policy as well as a dedicated team designed for risk management should also be implemented. Following this general infrastructure will help in organizing what assets we have and who would handle...

Words: 511 - Pages: 3

Premium Essay

Risk Management and Problem Management of a Compromised Unix Operating System

...Running head: RISK MANAGEMENT AND PROBLEM MANAGEMENT RELATION The effectiveness of the relationship between risk management and problem management of a compromised UNIX operating system CSMN 655 Computer Security, Software Assurance, Hardware Assurance, and Security Management Abstract Risk management is an ongoing, continuous process whose purpose is to identify and assess program risks and opportunities with sufficient lead-time to implement timely strategies to ensure program success. The entire risk management process balances the operational and economic costs of protective measures and contributes to mission capability by protecting the systems and the data that support the organizational mission from both deliberate and unintentional compromise. Computer security problem, or incident, management is an administrative function of managing and protecting computer assets, networks and information systems. These systems continue to become more critical to the personal and economic welfare of our society. Organizations must understand their responsibilities to the public good and to the welfare of their members. This responsibility extends to having a management program for reacting to system breaches, if and when they occur. Incident management is a program which defines and implements a process that an organization may adopt to promote its own welfare and the security of the public...

Words: 4103 - Pages: 17

Premium Essay

Terracog Gps Case

...COMMON VULNERABILITIES IN CRITICAL INFRASTRUCTURE CONTROL SYSTEMS Jason Stamp, John Dillinger, and William Young Networked Systems Survivability and Assurance Department Jennifer DePoy Information Operations Red Team & Assessments Department Sandia National Laboratories Albuquerque, NM 87185-0785 22 May 2003 (2nd edition, revised 11 November 2003) Copyright © 2003, Sandia Corporation. All rights reserved. Permission is granted to display, copy, publish, and distribute this document in its entirety, provided that the copies are not used for commercial advantage and that the present copyright notice is included in all copies, so that the recipients of such copies are equally bound to abide by the present conditions. Unlimited release – approved for public release. Sandia National Laboratories report SAND2003-1772C. Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000. ABSTRACT Sandia National Laboratories, as part of its mission to ensure national security, has engaged in vulnerability assessments for IT systems with the main focus on control and automation systems used in United States critical infrastructures. Over the last few years, diverse customers from the electric power, petroleum, natural gas, and water infrastructure have partnered with us to gain insight into their critical vulnerabilities...

Words: 4326 - Pages: 18

Premium Essay

Risk Management Plan

...(ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. This publication specifically addresses assessment and analysis of security control effectiveness and of organizational security status in accordance with organizational risk tolerance. Security control effectiveness is measured by correctness of implementation and by how adequately the implemented controls meet organizational needs in accordance with current risk tolerance. Organizational security status is determined using metrics established by the organization to best convey the security posture of an organization’s information and information systems, along with organizational resilience given known threat information. This necessitates: • Maintaining situation awareness of all systems across the organization; • Maintaining an understanding of threats and threat activities; • Assessing all security controls; • Collecting, correlating, and analyzing security-related information; • Providing actionable communication of security status across all tiers of the organization; and • Active management of risk by organizational officials. Purpose: The purpose of this guideline is to assist organizations in the development of an ISCM strategy and the implementation of an ISCM program that provides awareness of threats and vulnerabilities, visibility into organizational assets, and the effectiveness of deployed...

Words: 4395 - Pages: 18

Premium Essay

It Audit

...IT AUDIT REPORT FOR Contents Contents 2 Contents 2 1. Introduction 4 1.1 Purpose 4 1.2 Scope 4 2. Background Information 4 3. Assets Identification 5 4. Threat Assesment 5 5. LAWS, REGULATIONS AND POLICY . 5 5.1 Hospital Policy. 5 5.2 Vulnerabilities. 5 6. PERSONNEL 5 6.2 Management. 6 6.3 Operations. 6 6.4 Development 6 6.5 Vulnerabilities. 7 7. Systems and Applications. 7 7.1 Vulnerabilities. 7 8. Information Processing Facilities (Data Centers) 7 8.1 Vulnerabilities 7 9. Systems Development 8 9.1 Vulnerabilities 8 10. Management of IT and Enterprise Architecture 8 11. Client, Server, Telecommunications, Intranets and Extranets 8 11.1 Building Vulnerabilities 8 11.1 Security Perimeter 8 11.1 Server Area 8 12. Summary 8 12.1 Action Plan 8 1. Introduction • At present the Hospital has 250 beds including 40 adult ICU and 8 Pediatric ICU beds. • The Hospital is well equipped with latest technology like 1.5 Tesla MRI, 6 Slice Spiral CT Scan, Digital X-ray, Mammography, Intense Pulse Light (Cosmetic) and Diabetic Foot Care Equipment’s in the year 2007-08, the hospital provided services to 46000 patients. So far the hospital has repaired approximately 2400 cleft lip and cleft palate...

Words: 2618 - Pages: 11

Premium Essay

Risk Control Strategies

...Yates Professor Alfretta Earnest MGMT447-02: Technology Management 31 October 2012 Abstract In this presentation, the processes of risk assessment, risk identification, and risk control strategies will be explained. Examples of some of the risk control strategies that are available for companies are cited along with possible ways to utilize these tools to create a company risk policy. Also included are explanations of control types, how they are used and implemented, and the risk they are intended to minimize. Unit 5 Individual Project: Risk Control Strategies Risk Management is a discipline employed by organizations for the express purpose of minimizing threats to the company’s security assets. Risk management also works to support managers and increase their confidence when making decisions. Security risk plans are used to help management develop coherent and comprehensive strategies for managing risk prevention. An important part of a security risk plan is evaluating the level and type of countermeasures needed to guard against security threats capable of causing security breaches (Stoneburner, Goguen, & Feringa, 2002). The security management process can be described in four steps: I. Identify security risks. II. Develop strategic countermeasure plans. III. Implement strategies. IV. Monitor, evaluate, and maintain appropriate security measures. Areas of Risk Management A threat is defined as a situation where a threat-source...

Words: 1751 - Pages: 8

Premium Essay

Aircraft Solutions (as)

...Automated procedures helps the company in increasing productivity and reducing costs, as well as keeping a high level of credibility in meeting obligations and contracts with its customers and users. It uses the Business Process Management (BPM) scheme to manage its processes. BPM is a universal management methodology based on aligning the organization functions with customers’ requirements to produce the best product that meets the client’s definition according to the company standards. Security Vulnerabilities From studying current company’s configuration, layout, networking facilities, and policies, it is obvious that vulnerabilities do exist in some areas which will be addressed and analyzed. Actions that must be taken to mitigate the risk of any threat are dependent on the area of the weakness or the vulnerability, and the possible attacks that may utilize these vulnerabilities. The AS’s network has many vulnerabilities that can be used by a persistent attacker to gain advantage and launch his or her attack whenever he or she has the chance to do it. Weather Hardware, software, policy rule, or bad configured piece of equipment, it will be equally critical to the system safety. All possible actions should be considered relative to the vulnerability and the level of weakness. The two apparent vulnerable areas...

Words: 846 - Pages: 4

Premium Essay

Title Is Awesome

...IS 471 Policy Development and Security Issues Lab 4 (Due October 22, 2014) Introduction In any company, a security policy helps to mitigate the risks and threats the business encounters. However, unless a company happens to be in the information security industry, the task of identifying, assessing, and categorizing the myriad of risks can be an overwhelming one. Thankfully, a company’s IT infrastructure can be divided in a logical manner to more easily sort the risks. These divisions are the seven IT domains. The purpose of the seven domains of a typical IT infrastructure is to help organize the roles, responsibilities, and accountabilities for risk management and risk mitigation. In this lab, you will identify known risks, threats, and vulnerabilities, and you will determine which domain of a typical IT infrastructure is affected. You will then discuss security policies to address each identified risk and threat within the seven domains of a typical IT infrastructure. You will next determine which appropriate security policy definition will help mitigate the identified risk, threat, or vulnerability. You will organize your results into a framework that can become part of a layered security strategy. Learning Objectives Upon completing this lab, you will be able to: •     Identify risks, threats, and vulnerabilities commonly found in the seven domains of a typical IT infrastructure.      Determine which domain is impacted by the risk, threat, or vulnerability.      Determine...

Words: 1159 - Pages: 5

Premium Essay

Is3110T Lab 2 Assessment Worksheet

...Lab #2 Assessment Worksheet Align Risks, Threats, & Vulnerabilities to COBIT P09 Risk Management Controls 1. a. Unauthorized access from public internet - HIGH b. User destroys data in application and deletes all files - LOW c. Workstation OS has a known software vulnerability – HIGH d. Communication circuit outages - MEDIUM e. User inserts CD’s and USB hard drives with personal photos, music and videos on organization owned computers - MEDIUM 2. a. PO9.3 Event Identification – Identify threats with potential negative impact on the enterprise, including business, regulatory, legal, technology, trading partner, human resources and operational aspects. b. PO9.4 Risk Assessment – Assess the likelihood and impact of risks, using qualitative and quantitative methods. c. PO9.5 Risk Response – Develop a response designed to mitigate exposure to each risk – Identify risk strategies such as avoidance, reduction, acceptance – determine associated responsibilities; and consider risk tolerance levels. 3. a. Unauthorized access from public internet - AVAILABILITY b. User destroys data in application and deletes all files - INTEGRITY c. Workstation OS has a known software vulnerability – CONFIDENTIALITY d. Communication circuit outages - AVAILABILITY e. User inserts CD’s and USB hard drives with personal photos, music and videos on organization owned computers - INTEGRITY 4. a. Unauthorized access from public internet...

Words: 934 - Pages: 4