IT Vulnerability Management Process Guide
This document provides a quick remediation action plan for departments to follow once they have received ITPROSEC's regular vulnerability scan results or reports.
Table of Contents
4.1 Timeline for Corrective Action
4.2 For Critical Vulnerabilities: (Severity 5=Urgent and Severity 4=Critical)
4.3 For the Vulnerabilities: Severity=‘3 Severe’
4.4 For ‘2-Moderate/1-Minimal (Low)’ level vulnerabilities
4.5 Summary of Remediation Process
4.6 Legacy / Dependency / Patch not available
Appendix I – Vulnerabilities Remediation checklist
Appendix II – Vulnerability Severity Level and Description
The main objective of this guide is to remediate vulnerabilities in a timely fashion.
The Cyber Security Team (ITPROSEC) makes sure vulnerabilities and solutions are sent out to the corresponding departments in a timely manner, based on a pre-defined schedule. The corresponding departments will analyze the vulnerabilities from a technical perspective, make recommendations, and take action based on the solution provided by the Information Security Office. The recommendation includes the feasibility of remediating the vulnerability or accepting the risk.
This document will be continuously updated as the Cyber Security Team and its capabilities are established. For further information or questions, please contact Information Security at [email protected].
The vulnerability scan and remediation process outlined in this document applies to the following ITPROSEC IT assets:
- Laptops / Desktops – Client Services
- Servers – Technology Services
- Network Devices – Technology Services
- Mobile Devices – Client Services
- Storage / SANs – Technology Services
Timely remediation is a recommendation based on the ITPROSEC I.T. Vulnerability Management Policy Standards Procedures. If there is any specific issue or question, please notify the Cyber Security Team at [email protected].
Scanning systems for known vulnerabilities helps to identify where vulnerabilities exist. It also helps to validate that security patches are being applied.
The following are guidelines for performing vulnerability scans.
- The Cyber Security Team will perform periodic scans of systems on the ITPROSEC network. In most cases, attempts will be made to notify the Helpdesk and IT team in advance of the scans; however, there may be some situations where advance notification is not possible. Results of scans will be provided for follow-up or remediation.
- The scans will be comprehensive and accurate, and will be performed with administrative privileges.
- Before a new server is put into production, it should be scanned for vulnerabilities. Critical, Severe or Medium vulnerabilities should be remediated and the server rescanned to verify the vulnerability has been resolved before it is operational. Exceptions can be made, such as a server needing to be brought online in the event of an emergency; however, a follow-up scan should be performed and any problems found should be remediated in a timely manner.
- The vulnerability scan will be performed quarterly on all devices connected to ITPROSEC, as listed below:
  - Network devices
  - Mobile devices
- Vulnerabilities found should be remediated in a timely manner based on severity.
The severity classifications are based on the Common Vulnerability Scoring System (CVSS) and are defined by the NIST National Vulnerability Database.
Patch management is a key element of vulnerability management. Vendors regularly issue security updates to fix known vulnerabilities. To maintain the security of operating system and application software, security patches must be installed and kept up to date.
Patch management applies to the following:
| Laptops / Desktops | Helpdesk |
| Network Devices | Network Team |
| Storage / SANs | Network Team |
4.1 Timeline for Corrective Action
The following are guidelines for applying security patches.
Timeline for Corrective Action

| Level 4 (Critical) - 5 (Urgent) Vulnerability | Level 3 (Severe) Vulnerability | Level 2 (Moderate) Vulnerability | Level 1 (Minimal / Low) Vulnerability |
|---|---|---|---|
| 2 days (48 hours) | 15 Days | 30 Days | IT Department Discretion |
4.2 For Critical Vulnerabilities: (Severity 5=Urgent and Severity 4=Critical)
In the vulnerability scan result / report, the “Solution” column describes how to resolve the issue, including the patch name, the link, or the service/account that needs to be turned off. The report contains the following tabs:
- 5 Urgent Tab – list of Urgent vulnerabilities requiring immediate attention
- 4 Critical Tab – list of Critical vulnerabilities requiring immediate attention
- 3 Severe Tab – list of Severe or serious vulnerabilities that need remediation
- 2 Moderate – Medium type of vulnerabilities
- 1 Minimal – Low-level or common type of vulnerabilities
- Solution Tab – provides the solution to resolve the issue (patch or vendor name, version, services, link, etc.)
4.3 For the Vulnerabilities: Severity=‘3 Severe’
Based on the industry standard, “Severe” vulnerabilities must be addressed or resolved within 30 days.
4.4 For ‘2-Moderate/1-Minimal (Low)’ level vulnerabilities
The Cyber Security Team leaves it to the IT department's discretion whether or not to apply fixes for moderate or low-level vulnerabilities.
4.5 Summary of Remediation Process:
- Identify the patch requirement and research it.
- Download the patch that corresponds to the vulnerability identified in the system.
- Test the patch on a separate machine (preferred method).
- Apply the patch to at least one or two affected machines as a pilot test and monitor them.
- If the patch installation is successful and the system is stable, plan for rollout on the affected machines.
- Obtain approval (Change Process) for the rollout.
- Write the detailed steps of the patching process. The system may require more than one patch or several reboots, so write down the steps and their sequence.
- Make sure there is a rollback process in case patching does not go as planned, i.e. removing the patch and returning to the original state.
- Once the patch deployment is completed, inform the Cyber Security Team for rescan/validation.
- Some systems may require a port/service/account to be disabled. Use appropriate available tools such as Group Policy, remote tools, etc.
4.6 Legacy / Dependency / Patch not available
In many cases, a legacy system, or a system or application dependency, must remain in its current state because patching would have a negative impact or because the vendor no longer releases/provides the latest patch. In such cases:
– Document the list of systems or applications that require the current state.
– Document the list of systems that can’t be patched or for which a patch is not available.
Provide the details in Appendix I, document the Department's acceptance of the risk, and obtain approval from the Information Security Office.
Appendix I – Vulnerabilities Remediation checklist
| Severities | Description | Remediation Completion Date* | Remediation can’t be done | Alternate Control in place* | Remediation Plan / Accepted Risk* |
Appendix II – Vulnerability Severity Level and Description
| 5-Urgent | Intruders can easily gain control of the host, which can lead to the compromise of your entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors. |
| 4-Critical | Intruders can possibly gain control of the host, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host. |
| 3-Severe / Serious | Intruders may be able to gain access to specific information stored on the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying. |
| 2-Medium / Moderate | Intruders may be able to collect sensitive information from the host, such as the precise version of software installed. With this information, intruders can easily exploit known vulnerabilities specific to software versions. |
| 1-Minimal | Intruders can collect information about the host (open ports, services, etc.) and may be able to use this information to find other vulnerabilities. |