Vulnerability Management

Standards & Compliance

Compliance with the vulnerability management standard [1] requires having an automated process/tool in place. A compliant solution must meet the requirements outlined below. Please note: the University provides a compliant solution in the form of Tenable’s Security Center. For details on implementing this solution, please contact infosec@albany.edu. 

Definition

Vulnerability management consists of two areas: patching and configuration.

  • Patching ensures that systems are running the most recent, secure versions to guard against exploits targeting a platform or application.

  • Configuration benchmarking helps guard against attacks that take advantage of insecure or sloppy configuration settings (e.g., failure to disable unused services/ports, deprecated protocols, and sample scripts, or failure to change default passwords). This is an attack vector just as serious as an unpatched application or operating system.



Therefore, a vulnerability management solution must include the following capabilities:

Asset Discovery & Application and OS Identification
  • The ability to discover assets connected to the UAlbany networks, including servers, network equipment, security devices, and appliances.

  • The ability to identify applications and operating systems that are present on network-attached devices.

Vulnerability Management

  • Identify all system, service, software, and configuration vulnerabilities in assets with services accessible from the University network.

  • Scheduling of automatic updates of vulnerability policies to occur without user interaction

  • Scheduling of vulnerability assessments to occur without user interaction

  • Allow detailed assessments using agents installed on systems. As an alternative to the preferred agent-based scans, credentialed scans can be conducted.

Compliance Checks

  • The solution should facilitate compliance with the following CIS Critical Controls:

    1. Inventory of Authorized and Unauthorized Software (#2)

    2. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (#3)

    3. Continuous Vulnerability Assessment and Remediation (#4)

    4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (#11)

  • Allow targeted assessments of asset groups according to:

    1. Compliance requirements for the assets: HIPAA, PCI, FERPA, etc.

    2. System software: Windows, Mac OS/X, Cisco, Juniper, all major variants of Linux, etc.

    3. Network Services: Web, Database, File sharing, RPC, NTP, SSH, Remote Desktop, DNS, LDAP, etc.

Centralized Management

  • Flexible grouping of assets according to university organizational boundaries or operational responsibilities.

  • Identification, authentication, and access control mechanisms to allow organizational (or operational) administrators to manage vulnerabilities within their groups of assets

Reporting, Dashboards, & Analytics

  • Reports: provide a wide variety of detailed and summary reports for vulnerabilities, assets, trends, and remediation that can be targeted to the recipients' roles (executive, management, infrastructure admin, service owners, security administrators).

  • Dashboards: provide user configurable dashboards to provide up-to-date information on vulnerabilities, trends, remediation actions, and analysis.

  • Provide analysis, prioritization, descriptions, and recommended actions for discovered vulnerabilities to help guide system and service owners in scheduling remediation.

  • Provide mechanisms for managing/tracking vulnerabilities, including:

    1. Notification of admins/owners of vulnerabilities within their asset groups

    2. Tracking assignment and resolution of vulnerabilities

    3. Tracking the scheduling and completion of vulnerability remediation

    4. Mechanisms for accepting or transferring risk of specific vulnerabilities

  • Alert mechanisms that can inform administrators/owners of discovered important vulnerabilities.


[1] "Standards for Connecting Servers to the Network"