February 2020

Department: Information Security

Document ID:  05.4.0




Proprietary Statement

This document was developed specifically for and by Christopher Newport University.  The concepts and methodologies contained herein are proprietary to Christopher Newport University.  Duplication, reproduction, or disclosure of information in this document without the express written consent of Christopher Newport University is prohibited.

All Trademarks, Registered Trademarks, Service Marks, and brand and product names used in this document are the property of their respective owners.

© Copyright 2020 Christopher Newport University. All rights reserved.

Review and Revision History

Date

Version

Description of Change

(Affected Sections)

Author

February 2020

1.0

Initial Release - All

Wendy L. Corrice

April 20211.0Annual ReviewWendy Corrice





TABLE OF CONTENTS

Introduction: 5

Purpose: 5

Scope: 5

Definitions: 5

Standards Statement 6

Exceptions: 8

References: 8

Review:


Introduction:


Vulnerability scanning is a tool to help Christopher Newport University identify vulnerabilities on its networked computing devices.  The results of the vulnerability scans help inform management and Information Technology Service systems teams of known and potential vulnerabilities so they can be addressed.  Vulnerability scanning can be used at a broader level to ensure that information security procedures are correctly working and effective.

Purpose: 



The purpose of this standard is to document the requirements for vulnerability assessments and scanning in compliance with SEC501 RA-5 Vulnerability Scanning, to increase the security posture of Christopher Newport University and mitigate threats posed by potential vulnerabilities.  

Scope:



This standard applies to systems designated as Sensitive according to CNU’s Data Classification Standard and/or any other systems designated by the Information Security Officer.

Definitions:


  • Authenticated Scan:  A type of scan that requires appropriate credentials to authenticate to a machine to determine the presence of vulnerability without having to attempt an intrusive scan.
  • CVSS:  The Common Vulnerability Scoring System is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
  • Intrusive Scan:  A type of scan that attempts to determine the presence of a vulnerability by actively executing a known exploit.
  • Information System:  Software, hardware and interface components that work together to perform a set of business functions.
  • PCI-DSS: The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes.
  • Penetration Test: A penetration test, colloquially known as a pen test, pentest or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system.
  • Sensitive System:  A system that is defined as sensitive according to the CNU Data Classification Standard contains data protected by federal or state law, regulations or contract.
  • Threat:  Any circumstance or event with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service.  Something or someone that can intentionally or accidentally exploit a vulnerability.
  • Vulnerability:
  •   A security exposure in an operating system, system software or application software component.  Vulnerabilities include but are not limited to missing operating system patches, application patches, unauthorized installed applications or services, software flaws, exploits and misconfigurations etc.


Standards Statement


  • Approved Scanning Tool 


Christopher Newport University’s Information Security Officer is responsible for approving and overseeing campus use of an enterprise scanning and assessment tool.  Implementation of additional vulnerability scanners must be justified in writing and approved by the Information Security Officer.  

Any approved scanning tool must be capable of scanning information systems from a central location and provide remediation suggestions.  Information Security Officer (ISO) must also be able to associate a severity value to each vulnerability discovered based on the relative impact of the vulnerability to the affected unit.


  • Limitation of Scanning 


Intrusive scans including those performed by external vendors may not be conducted without the explicit consent of the Chief Information Officer and Information Security Officer.


  • Periodic Vulnerability Assessment


Information Technology Services will conduct vulnerability assessments on ITS systems on a periodic basis.  The assessment will scan information assets from inside the perimeter of the Christopher Newport University firewall.

  1. An enterprise class vulnerability and scanning and assessment tool must be used  to conduct the scans and capable of scanning information systems from a central location and provide remediation suggestions.  
  2. Scans shall be performed during hours appropriate to the business needs of Christopher Newport University and to minimize disruption to normal business functions and at a minimum of every two weeks.
  3. Data from scans are to be treated as sensitive information.
  4. The vulnerability scanning tool must have the ability to associate a severity value to each vulnerability discovered.
  5. Identified vulnerabilities shall be identified and mitigated according to established ITS Standards and Procedures and documented through Change Management Policy. 


  • Remediation and Compliance


Vulnerability remediation will be documented through the change management process and a compliance report summarizing the vulnerabilities and remediation will be created at least every 90 days or more frequently as deemed necessary by the Information Security Officer. A post remediation vulnerability scan will be performed and included as part of the change management documentation.


  • Remediation Priorities


Vulnerabilities identified as critical according to the CVSS score will be tracked and remediated within 90 days.

If a system has a vulnerability that can not be remediated, ITS will perform a risk assessment, and implement appropriate security controls to mitigate identified risks and provide a signed copy to the Chief Information Security Officer.  


  • Remediation Reporting


Quarterly Remediation reporting and documentation will be documented and maintained by the Information Security Officer and made available upon request.


  • Annual External Penetration Test


(PCI-DSS) Annual compliance external penetration test . Vulnerabilities identified as critical according to the CVSS score will be documented and remediated through the change management process.  A compliance report summarizing the vulnerabilities and remediation will be created annually.


  • New Information System Vulnerability Assessment


Information Technology Services will conduct a vulnerability assessment during development of new systems when possible and prior to placing into production.  No new information systems shall be considered in production until a vulnerability assessment has been conducted and vulnerabilities mitigated.

  1. A vulnerability assessment will be conducted prior to placing the system into production.
  2. At the completion of the vulnerability assessment, all discovered vulnerabilities must be addressed with a mitigation plan and documented through Change Management. 

Exceptions:

Exceptions to this standard will be handled on a case by case basis and approval of the Chief Information Officer.

References:

Vulnerability Scanning & Management Procedures

Review:

Next Review Date:  April 2022