Information Security Office. Server Vulnerability Management Standards

Similar documents
Information Security Office. Information Security Server Vulnerability Management Standards

Technical Vulnerability and Patch Management Policy Document Number: OIL-IS-POL-TVPM

Table of Contents. Policy Patch Management Version Control

WHO AM I? Been working in IT Security since 1992

01.0 Policy Responsibilities and Oversight

Standard CIP 007 4a Cyber Security Systems Security Management

The CISO is the owner of the vulnerability management process. This person designs the process and ensures is implemented as designed.

Threat and Vulnerability Assessment Tool

The Common Controls Framework BY ADOBE

ISO STANDARD IMPLEMENTATION AND TECHNOLOGY CONSOLIDATION

BERGRIVIER MUNICIPALITY

Standard CIP Cyber Security Systems Security Management

Critical Cyber Asset Identification Security Management Controls

Standard CIP 007 3a Cyber Security Systems Security Management

CIP Cyber Security Systems Security Management

Standard Development Timeline

CCISO Blueprint v1. EC-Council

Standard CIP Cyber Security Systems Security Management

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

SECURITY & PRIVACY DOCUMENTATION

Information Security Policy

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

A company built on security

Subject: University Information Technology Resource Security Policy: OUTDATED

AUTHORITY FOR ELECTRICITY REGULATION

Server Hardening Title Author Contributors Date Reviewed By Document Version

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 January 23, 2015

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Information Technology General Control Review

Virginia State University Policies Manual. Title: Change/Configuration Management Policy: 6810 A. Purpose

Windows NT 4.0 and Windows 2000 Service Pack and Hotfix Deployment Best Practices

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Information Technology Branch Organization of Cyber Security Technical Standard

SFC strengthens internet trading regulatory controls

Management s Response to the Auditor General s Review of Management and Oversight of the Integrated Business Management System (IBMS)

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

ECCouncil EC-Council Certified CISO (CCISO) Download Full Version :

Cyber Security Program

ISO27001 Preparing your business with Snare

MIS Week 9 Host Hardening

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

Lakeshore Technical College Official Policy

Information Security Policy

Apex Information Security Policy

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Standard CIP Cyber Security Critical Cyber Asset Identification

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Information Technology Procedure IT 3.4 IT Configuration Management

Service Level Agreement Research Computing Environment and Managed Server Hosting

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Department of Public Health O F S A N F R A N C I S C O

External Supplier Control Obligations. Cyber Security

TRACKVIA SECURITY OVERVIEW

Security of Information Technology Resources IT-12

ADIENT VENDOR SECURITY STANDARD

Data Backup and Contingency Planning Procedure

Standard: Vulnerability Management & Standard

Server Security Procedure

UBC - Advanced Research Computing Version 0.9 REDCap Terms of Use

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Canada Life Cyber Security Statement 2018

Audit Logging and Monitoring Procedure Document Number: OIL-IS-PRO-ALM

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Third Party Security Review Process

Standard for Security of Information Technology Resources

Web Hosting: Mason Home Page Server (Jiju) Service Level Agreement 2012

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Manchester Metropolitan University Information Security Strategy

TEL2813/IS2820 Security Management

Standard Development Timeline

McAfee Corporate Products End of Life Policy

Checklist: Credit Union Information Security and Privacy Policies

Business Continuity and Disaster Recovery

Clearswift Managed Security Service for

NYDFS Cybersecurity Regulations

IBM Security Intelligence on Cloud

Security Standards for Electric Market Participants

CS 356 Operating System Security. Fall 2013

IT CONTINUITY, BACKUP AND RECOVERY POLICY

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

DETAILED POLICY STATEMENT

Unofficial Comment Form Project Modifications to CIP Standards Requirements for Transient Cyber Assets CIP-003-7(i)

REPORT 2015/149 INTERNAL AUDIT DIVISION

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

locuz.com SOC Services

CIP Cyber Security Recovery Plans for BES Cyber Systems

Standard CIP Cyber Security Critical Cyber Asset Identification

Policy. London School of Economics & Political Science. Patch Management. Jethro Perkins IMT. Information Security Manager.

Data Security and Privacy Principles IBM Cloud Services

Juniper Vendor Security Requirements

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Installing McAfee VirusScan For Windows 95/98 Kyler Kwock, Wilbur Wong Revised by Therese Nakadomari

INFORMATION TECHNOLOGY NETWORK ADMINISTRATOR ANALYST Series Specification Information Technology Network Administrator Analyst II

CIP Cyber Security Security Management Controls. A. Introduction

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

CIP Cyber Security Configuration Change Management and Vulnerability AssessmentsManagement

Transcription:

Information Security Office Server Vulnerability Management Standards

Revision History Revision Date Revised By Summary of Revisions Section(s) / Page(s) Revised 6/1/2013 S. Gucwa Initial Release All 4/15/2015 M. DiGrazia Updated Scheduling & Delivery Updated Exception Process Page 5 Approvals Review Date Reviewed By Name/Title Action (Reviewed or Approved) 6/1/2013 RMAC Risk Management Advisory Council Approved 6/1/2013 CISO Jason Pufahl, CISO Approved 4/16/2015 CISO Jason Pufahl, CISO Approved 1 P age

Table of Contents Revision History... 1 Approvals... 1 Purpose... 3 Definitions... 3 Scope... 3 Introduction... 3 Generic Best Practices... 4 a. Use a change control process.... 4 b. Read all related documentation.... 4 c. Testing... 4 d. Have a back- out plan, a working backup, and scheduled production downtime... 4 e. Currency... 5 Scheduling and Delivery... 5 Exceptions... 5 Responsibilities and practices of the Information Security Office (ISO)... 5 Vulnerability Response Process and Responsibilities... 6 2 P age

Purpose The purpose of the Server Vulnerability Management Standards is to establish the expectations and guidelines for applying service packs, hotfixes, and security patches (referred to generally as security patches throughout this document). In the interest of reducing the University s vulnerability exposure, the implementation of recommended configuration changes is also included within the scope of this document. Definitions Security patch Code that will update the current version of a script or software, often used to fix a bug, update security, or add a new feature or new functionality (includes service packs, hotfixes, etc.). Severity This is the level of importance of the security patch as defined by the vendor. Priority This is the level of importance of the security patch as defined by UConn. This includes a timeframe for the expected installation of the security patch. Data - Information collected, stored, transferred, or reported for any purpose in digital format. Data can include: financial transactions, lists, identifying information about people, projects or processes, and information in the form of reports. Because data has value and because it has various sensitivity classifications defined by federal law and state statute, it must be protected. Scope All servers on the University of Connecticut network. Introduction Security patches are updates to products to resolve a known issue or provide a workaround. Service packs update systems to the most current code base. Being on the current code base is important because that's where the operating system support focuses on fixing problems. Individual hotfixes and security patches should be adopted on a case- by- case, "as- needed" basis. The majority of security updates released are for client side (often browser) issues. They may or may not be relevant to a server installation. Evaluate the update, assess the risk of applying or not, and apply if appropriate. The basic rules are: The risk of implementing the service pack, hotfix, or security patch should ALWAYS be LESS than the risk of not implementing it. And, You should never be worse off by implementing a security patch. If you are unsure, then take steps to ensure that there is no doubt before moving changes into production. 3 P age

Generic Best Practices The items listed below are best practices that should be performed across all updates. a. Use a change control process. A good change control procedure has an identified owner, a path for customer input, an audit trail for any changes, a clear announcement and review period, testing procedures, and a well- understood back- out plan. Change control will manage the process from start to finish. Before applying any security patch, all relevant documentation should be read and peer reviewed. The peer review process is critical as it mitigates the risk of a single person missing critical and relevant points when evaluating the update. b. Read all related documentation. Reading all associated documentation is the first step in assessing whether the update is relevant, and will resolve an existing issue; its adoption won't cause other issues resulting in a compromise of the production system; if there are dependencies relating to the update, (i.e. certain features being enabled or disabled for the update to be effective); or if potential issues may arise from the sequencing of an update. Specific instructions may state or recommend a sequence of events or updates to occur before the security patch is applied. Documentation released with the updates is usually in the form of web pages, attached Word documents and README.TXT files. Print these and attach to change control procedures as supporting documentation. c. Testing Testing, as appropriate, allows for "test driving" and eventual signing off of the update. Service packs and hotfixes must be tested on a representative non- production environment for critical or most impactful changes prior to those changes being deployed to production. If all tests in the lab environment are successful, start deploying on non- critical servers first, then move to the primary servers once the service pack has been in production for 10-14 days. If the update was tested by another service group at the University, and the testing parameters map adequately to the patch or service pack to be applied, assessing test results and deciding in favor of implementing the change based on tests performed by another admin or service team is acceptable. d. Have a back- out plan, a working backup, and scheduled production downtime A back- out plan ensures the system(s) and University can return to their original state prior to a failed implementation. It is important that these procedures are clear, and that contingency management has tested them, since a faulty implementation can make it necessary to activate contingency options. The University may need to exercise the back- out plan in the event of the update not having an uninstall process or the uninstall process fails. The back- out plan can be as simple as restoring from tape or may involve many lengthy manual procedures. As part of your back- out plan, it is recommended that you have a backup of your system. When possible, security patches must be installed such that they can be uninstalled. For the Windows environment, service packs have historically allowed for uninstalling so verify there is enough free hard disk space to create the uninstall folder. 4 P age

e. Currency Schedule periodic upgrades as part of standard operational maintenance and always be as current as possible with service packs / patch cycles. Scheduling and Delivery The application of security patches is scheduled to limit interference with users. The required deployment schedule for security patches is as follows: Emergency Security Patch (ESP) 48 Hours 1- High 30 days or less. 2- Medium Based on impact analysis 3- Low Based on impact analysis The application of security patches for 3rd party vendor managed servers is dependent on vender SLA s. If the vender cannot meet the University standards as laid out in this document, compensating controls should be considered. Exceptions If the application of security patches is not feasible, mitigating controls must be identified and implemented. The mitigating control(s) selected should be in proportion to the risk. If mitigating controls cannot be implemented, then an exception must be requested. These risk exceptions must be submitted to the CISO for review and approval. The Exception Request/Issue or Vulnerability Reporting form is available on the Risk Management web site (http://itriskmanagement.uconn.edu). Responsibilities and practices of the Information Security Office (ISO) The Information Security Office conducts scans of the University network resources to identify vulnerabilities. ISO may maintain logs of these vulnerabilities to identify patterns of behavior of concern. ISO will identify appropriate scans for any organizational subset of the campus requiring more specific scans. ISO may provide server administrators with appropriate information to recognize such scans from their logs. Only ISO or units approved by ISO may conduct such scans. 5 P age

Vulnerability Response Process and Responsibilities When security vulnerability scans are completed, if ISO identifies vulnerabilities on a server or other resource connected to the network, the individual or 3rd party managing that resource will be notified of the apparent vulnerabilities so they can act accordingly to remediate them in the minimum time possible. Once notified of the vulnerable resource, the individual or 3rd party managing that resource should follow the schedule presented in the Scheduling and Delivery section to close the vulnerability. If an exception is required; this should be completed and submitted to RMAC (see Exceptions section) within the remediation timeframe. If the vulnerability is not remediated in the recommended or agreed upon timeframe and no exception has been granted, ISO staff will take necessary actions to safeguard the University network, including disconnecting the resource from the network to protect other computers and the integrity of the University computing environment. 6 P age

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback