Purpose
The purpose of the (District/Organization) Vulnerability Management Policy is to establish the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.
Audience
The (District/Organization) Vulnerability Management Policy applies to individuals who are responsible for Information Resource management.
Policy
Endpoint Protection (Anti-Virus & Malware)
- All (District/Organization) owned and/or managed Information Resources must use the (District/Organization) IT management approved endpoint protection software and configuration.
- (District/Organization) owned workstations and laptops must use (District/Organization) IT management approved endpoint protection software and configuration, prior to any connection to a (District/Organization) Information Resource.
- The endpoint protection software must not be altered, bypassed, or disabled.
- Each email gateway must utilize (District/Organization) IT management approved email virus protection software and must adhere to the (District/Organization) rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
- Controls to prevent or detect the use of known or suspected malicious websites must be implemented.
- All files received over networks or from any external storage device must be scanned for malware before use.
- Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to (District/Organization) IT Support.
Logging & Alerting
- (District/Organization) Logging Standard and sent to a central log management solution.
- (District/Organization) will use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modification.
Patch Management
- The (District/Organization) IT team maintains overall responsibility for patch management implementation, operations, and procedures.
- All Information Resources must be scanned on a regular basis to identify missing updates.
- All missing software updates must be evaluated according to the risk they pose to (District/Organization).
- Missing software updates that pose an unacceptable risk to (District/Organization) Information Resources must be implemented within a time period that is commensurate with the risk as determined by the (District/Organization) Patch and Vulnerability Standard.
- Software updates and configuration changes applied to Information Resources must be tested prior to widespread implementation and must be implemented in accordance with the (District/Organization) Change Control Policy.
- Verification of successful software update deployment will be conducted within a reasonable time period as defined in the (District/Organization) Patch and Vulnerability Standard.
Penetration Testing
- Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.
- Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected.
Vulnerability Scanning
- Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.
- Failed vulnerability scan results rated at Critical or High will be remediated and re-scanned until all Critical and High risks are resolved.
- Any evidence of a compromised or exploited Information Resource found during vulnerability scanning must be reported to the (District/Organization) Information Security Officer and IT support.
- Upon identification of new vulnerability issues, configuration standards will be updated accordingly.
Definitions
See Appendix A: Definitions
References
- ISO 27002: 12, 18
- NIST CSF: PR.IP, PR.PT, DE.AE, DE.CM, RS.MI
- (District/Organization) Incident Management Policy
Waivers
Waivers from certain policy provisions may be sought following the (District/Organization) Waiver Process.
Enforcement
Personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, and related civil or criminal penalties.
Any vendor, consultant, or contractor found to have violated this policy may be subject to sanctions up to and including removal of access rights, termination of contract(s), and related civil or criminal penalties.