Security Vulnerability Assessment Process and Policy

Overview:
In order to maintain high security standards, identify potential vulnerabilities and evaluate the effectiveness of the security controls implemented within the infrastructure, it is crucial to perform periodic security assessments.

Goal:
This procedure defines the controls and steps required for identifying security vulnerabilities and ensuring a reasonable level of security at the infrastructure and application levels.

Process:

External Facing:

  1. Perform automated external application-level scans of the website and applications on a daily basis (e.g. McAfee Secure, Acunetix).
  2. Perform automated external network-level scans on a weekly basis (e.g. McAfee Secure).
  3. Perform in-house, semi-automated scans with a vulnerability assessment tool (e.g. Qualys).
  4. Execute a dedicated application-level and network penetration test by a professional third party.
    This should be executed twice a year or on every major application release.

Internal:

  1. Discovery: run an Nmap scan on all VLANs to identify every device and build an asset inventory of devices and services. [weekly / monthly]
  2. Network and infrastructure vulnerabilities: run a weekly scan with Nessus or a similar tool to identify infrastructure gaps and non-hardened devices.
  3. Purchase and run a vulnerability scanner (such as Qualys or NetIQ) every week.
  4. Patch Management:
    • Install a Microsoft WSUS server to maintain security patches for the Windows infrastructure.
    • Install a Linux YUM repository server to maintain security patches for the Red Hat infrastructure.
    • Generate reports on a weekly basis to find vulnerable systems.
  5. Penetration test: run an annual internal penetration test to identify internal gaps, oriented toward threats from within the organization.
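As an added illustration of the discovery step above (this is example code, not part of the original policy), the following Python builds the asset inventory from Nmap's XML output (`nmap -oX`) and flags hosts and open services that were absent from the previous inventory, which is the input the change management clearance process needs. The XML sample is constructed, and its addresses and host names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed nmap XML (the format written by `nmap -sV -oX`), not output of a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX - 10.0.10.0/24">
<host><status state="up"/><address addr="10.0.10.5" addrtype="ipv4"/>
<hostnames><hostname name="web01.corp.internal"/></hostnames><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="closed"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.10.9" addrtype="ipv4"/><hostnames/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
</ports></host>
<host><status state="down"/><address addr="10.0.10.12" addrtype="ipv4"/></host>
</nmaprun>"""


def parse_inventory(xml_text):
    """Return {ip: {"hostname": str|None, "services": {"tcp/22": "ssh", ...}}}.

    Only hosts reported as up and only open ports are kept, so the inventory
    lists what is actually reachable on the VLAN rather than everything scanned.
    """
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        hostname = host.find("hostnames/hostname")
        services = {}
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            key = f"{port.get('protocol')}/{port.get('portid')}"
            services[key] = svc.get("name", "unknown") if svc is not None else "unknown"
        inventory[addr.get("addr")] = {
            "hostname": hostname.get("name") if hostname is not None else None,
            "services": services,
        }
    return inventory


def diff_inventory(previous, current):
    """Flag hosts and open services that appeared since the last scan."""
    new_hosts = sorted(set(current) - set(previous))
    new_services = {}
    for ip, entry in current.items():
        if ip in previous:
            added = set(entry["services"]) - set(previous[ip]["services"])
            if added:
                new_services[ip] = sorted(added)
    return new_hosts, new_services
```

Anything returned by `diff_inventory` is either an approved change with a clearance record or an unapproved device or service that the weekly review has to chase down.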

Implement a Production Change Management policy that includes a hardening and implementation clearance process for new devices (e.g. the addition of a new network device, operating system, web server, DB server, etc.).