Vulnerability Identification

Policy Reference


Category: Monitoring and Reporting
Approval Date: 01-29-2010
Scope: All Personnel

Purpose


To protect the confidentiality, integrity, and availability of all information technology systems, networks, and information by responding in a timely manner to newly discovered security risks.


Policy


  1. ITS will maintain a procedure to identify newly discovered security vulnerabilities and update the protection framework to address them.
  2. Employees must comply with ITS requests to respond to urgent security risks, including taking appropriate measures such as applying on-demand upgrades, exiting open applications, and re-booting computer systems as necessary to support the appropriate mitigation of an urgent risk.
  3. All vulnerabilities to computer resources that could be exploited by a threat will be identified and brought to the attention of IT management.
  4. External network connections required to support city business must be evaluated and approved.
    1. Departments must notify ITS of the need for an external network connection and identify the related business requirements.
    2. Before granting access to a third party, risks will be identified and necessary controls must be implemented. The identification of risks will take into account the following: the type of access and what information the third party is accessing; the value of the information; the controls used by the third party; procedures to deal with security incidents; measures being used to identify third party personnel who have access; and legal requirements.


Compliance

  1. The organization must develop procedures for identifying newly discovered vulnerabilities, such as subscribing to alert services.
    Verify a process has been implemented to continuously identify new vulnerabilities to the system, including from resources outside the organization. Interview security personnel to ensure new vulnerabilities are identified.
    § 6.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2
  2. The organization must develop procedures for identifying newly discovered vulnerabilities, such as subscribing to alert services.
    § 6.2(b), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance, All other Merchants and all SAQ-Eligible Service Providers, Version 1.2
  3. A vulnerability analysis, a safeguard analysis, a likelihood assessment, threat identification, and a consequence assessment are all called for.
    § 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996