Overview:
The Office of Information Technology directs the establishment of vulnerability management practices in order to proactively prevent the exploitation of vulnerabilities and potential loss of sensitive data. The Office of Information Technology will create and document systematic and accountable practices to control programs and applications, to evaluate installed and new devices and systems for vulnerabilities, and to mitigate other technical and non-technical vulnerabilities. The goals of this effort are to implement stronger protection for the Office of Information Technology resources, ensure compliance with best practices, and reduce the impact of threats to TSTC and its constituents.
Purpose:
This document establishes an outline of the policy and procedures for vulnerability assessments performed on the TSTC network. The purpose of these vulnerability assessments is to manage the risks to Texas State Technical College (TSTC) that arise from inadequate security assessment, authorization, and continuous monitoring of information assets, through the establishment of an effective security planning program.
Scope
This policy and procedure applies to all information security risk assessments that are conducted annually for TSTC information resources. All users are responsible for adhering to this policy.
The intended audience includes all TSTC personnel involved in performing, assisting with, approving, or making risk management decisions related to information security assessments.
Policy:
The development, execution and implementation of vulnerability assessments are the responsibility of the Office of Information Technology for the system/data being assessed. Decisions relating to risk acceptance must be documented and approved by the Information Technology Governance Committee, in consultation with the Information Security Officer. Any high risks that cannot be mitigated to a tolerable level must be reviewed and approved by the OIT Leadership Team and/or the Information Technology Governance Committee. Vulnerability assessment and remediation results should be retained for a minimum of one year.
Vulnerability Testing:
TSTC will perform vulnerability scans of the TSTC network and information resources at least annually, and additionally whenever significant new vulnerabilities potentially affecting the system or network are identified and reported. Specifically, TSTC will:
- Monitor and scan for vulnerabilities in systems and hosted applications on an as-needed basis, run weekly external scans of the network for externally facing vulnerabilities using an approved scanning platform, and rescan when new vulnerabilities potentially affecting the system are identified and reported;
- Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards (for example the SCAP family of specifications: CPE, CVE/CWE, CCE, XCCDF and CVSS, respectively) for:
- Enumerating platforms, software flaws, and improper configurations;
- Formatting checklists and test procedures; and
- Measuring vulnerability impact;
- Analyze vulnerability scan reports and results from vulnerability monitoring;
- Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk;
- Critical Vulnerability - Immediate action is required. Remediation must be initiated within 24 hours of the initial finding and completed as soon as possible, which may include working with vendors on a fix.
- High Vulnerability - Action is required. Remediation must be initiated within 72 hours of the initial finding.
- Medium Vulnerability - Action may be required, or the associated risk may be accepted after review of the vulnerability. Where remediation is pursued, it must be initiated within 7 days of the initial finding.
- Low Vulnerability - Action may be required, or the associated risk may be accepted after review of the vulnerability. Where remediation is pursued, it must be initiated within 14 days of the initial finding.
- Informational - No action is required. Informational findings are recorded to note a potential for risk.
- Share information obtained from the vulnerability monitoring process and control assessments with information resource owners to help eliminate similar vulnerabilities in other systems; and
- Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Legitimate vulnerabilities will be remediated as soon as possible. Vendor response times, patch availability, and the breadth of a vulnerability's scope will be taken into account when setting the remediation timeframe for any vulnerability.
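The severity tiers and remediation-start windows above are easy to state and easy to lose track of once a scanner returns hundreds of findings. The following is an added illustration, not TSTC's tooling or code from this policy, of how a practitioner might check a scan export against those windows. It assumes the scanning platform reports a CVSS v3.x base score per finding (severity is then derived with the standard CVSS qualitative scale: 9.0+ Critical, 7.0-8.9 High, 4.0-6.9 Medium, 0.1-3.9 Low, 0.0 Informational); the plugin IDs, hostnames and timestamps in the sample data are constructed. Per the policy text, risk acceptance is honored only for Medium and Low findings; an accepted Critical or High finding is flagged as needing OIT Leadership Team / Governance Committee approval rather than treated as closed.

```python
"""Triage scanner findings against the policy's remediation-start windows.
Illustrative example only (not TSTC's tooling). Assumes the scanner
exports a CVSS v3.x base score and a first-seen timestamp per finding."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Window within which remediation must be initiated, per severity tier
# (Critical 24 h, High 72 h, Medium 7 d, Low 14 d, Informational none).
REMEDIATION_START_WINDOW: Dict[str, Optional[timedelta]] = {
    "Critical": timedelta(hours=24),
    "High": timedelta(hours=72),
    "Medium": timedelta(days=7),
    "Low": timedelta(days=14),
    "Informational": None,
}

# Tiers whose risk may be accepted after review without leadership approval.
ACCEPTABLE_AFTER_REVIEW = {"Medium", "Low"}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to a tier using the standard CVSS
    qualitative rating scale. Assumption: the scanner supplies this score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


@dataclass
class Finding:
    plugin_id: str                      # scanner check ID (constructed values below)
    host: str                           # affected asset (constructed)
    cvss: float                         # CVSS v3.x base score from the scanner
    first_seen: datetime                # timestamp of the initial finding
    remediation_started: Optional[datetime] = None
    risk_accepted: bool = False         # documented acceptance decision on file


def remediation_deadline(f: Finding) -> Optional[datetime]:
    """Latest time by which remediation must have been initiated."""
    window = REMEDIATION_START_WINDOW[severity_from_cvss(f.cvss)]
    return None if window is None else f.first_seen + window


def triage(f: Finding, now: datetime) -> str:
    """Classify one finding: no_action, started_on_time, started_late,
    accepted, needs_leadership_approval, open, or overdue."""
    sev = severity_from_cvss(f.cvss)
    due = remediation_deadline(f)
    if due is None:
        return "no_action"
    if f.remediation_started is not None:
        return "started_on_time" if f.remediation_started <= due else "started_late"
    if f.risk_accepted:
        # Medium/Low may be accepted after review; Critical/High acceptance
        # requires OIT Leadership Team / Governance Committee approval.
        return "accepted" if sev in ACCEPTABLE_AFTER_REVIEW else "needs_leadership_approval"
    return "overdue" if now > due else "open"


def triage_report(findings: List[Finding], now: datetime) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """(plugin_id, host) -> (severity, status) for every finding."""
    return {(f.plugin_id, f.host): (severity_from_cvss(f.cvss), triage(f, now)) for f in findings}


# Constructed sample export, evaluated at a fixed "now" so results are stable.
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("12345", "web01", 9.8, NOW - timedelta(hours=30)),                        # Critical, 24 h window passed
    Finding("23456", "web01", 7.5, NOW - timedelta(hours=48)),                        # High, still inside 72 h
    Finding("34567", "db01", 5.3, NOW - timedelta(days=10), risk_accepted=True),      # Medium, accepted after review
    Finding("45678", "db01", 9.1, NOW - timedelta(days=2), risk_accepted=True),       # Critical, acceptance needs approval
    Finding("56789", "fs01", 3.1, NOW - timedelta(days=20),
            remediation_started=NOW - timedelta(days=3)),                             # Low, started on day 17 (> 14 d)
    Finding("67890", "fs01", 0.0, NOW - timedelta(days=60)),                          # Informational, no action
]

if __name__ == "__main__":
    for (plugin, host), (sev, status) in sorted(triage_report(SAMPLE_FINDINGS, NOW).items()):
        print(f"{host:6} plugin {plugin:6} {sev:13} {status}")
```

Two caveats a practitioner would apply: many scanners publish their own severity field that does not always agree with the CVSS base score, and the policy above does not say which governs, so pick one and record it; and the windows measure time from the initial finding, not from when a ticket was opened, so the first-seen timestamp must come from the scan history rather than the ticketing system.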
Definitions and Terms
Information Technology Governance Committee -
A group of fully empowered decision makers that meet, at least quarterly, to govern security-policy issues and IT initiatives. This committee will fulfill the requirements of the Texas Cybersecurity Framework as defined in Title 1, Texas Administrative Code, Chapter 202.
Risk
The possibility that a malicious attack or other threat causes damage, downtime, or loss of data to a computer system or other information resource.
Information Resource
Any computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving email, browsing Websites, or otherwise capable of receiving, storing, managing, or transmitting electronic data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), virtual reality platforms, telecommunication resources, network environments, telephones, fax machines, printers and service bureaus and the procedures, virtual reality systems, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information on those resources.
TSTC Network
All TSTC information resources including but not limited to, Routers, Switches, Servers, Firewalls, Packet Shapers, Network intrusion detection/prevention devices, end point devices that are connected to the TSTC internal network.
Vulnerability
A weakness in the design, implementation, operation, or internal control of a process that could expose a system to adverse effects from threat events.
Related Standards, Policies, and Procedures
SOS GA 5.1 Information Technology
SOS GA 5.1.4 - Acceptable use of Information Technology Resources
Texas Administrative Code, Title 1, Part 10, Chapter 202, Subchapter C
NIST 800-53 “Recommended Security Controls for Federal Information Systems and Organizations”
Texas Cybersecurity Framework
Payment Card Industry -Data Security Standard (PCI-DSS)