Standards & Compliance
Compliance with the vulnerability management standard [1] requires having an automated process/tool in place. A compliant solution must meet the requirements outlined below. Please note: the University provides a compliant solution in the form of Tenable’s Security Center. For details on implementing this solution, please contact infosec@albany.edu.
Definition
...
Vulnerability management consists of two areas: patching and configuration.
- Patching assures that systems are running the most recent, secure versions to guard against exploits targeting a platform or application.
- Configuration benchmarking helps guard against attacks that take advantage of insecure or sloppy configuration settings (e.g., failure to disable unused services/ports, deprecated protocols, and sample scripts, or to change default passwords). This is an attack vector just as serious as an unpatched application or operating system.
Therefore, a vulnerability management solution must include the following capabilities:
Asset Discovery & Application and OS Identification
- The ability to discover assets connected to the UAlbany networks including servers, network equipment, security devices and appliances.
- The ability to identify applications and operating systems that are present on network-attached devices.
Vulnerability Management
- Identify all system, service, software, and configuration vulnerabilities in assets with services accessible from the University network.
- Scheduling of automatic updates of vulnerability policies to occur without user interaction.
- Scheduling of vulnerability assessments to occur without user interaction.
- Allow detailed assessments using agents installed on systems. As an alternative to the preferred agent-based scans, credentialed scans can be conducted.
- Allow administrators to tailor assessments as internal, external, credentialed, or agent-based according to the asset group.
Compliance Checks
- The solution should facilitate compliance with the following CIS Critical Controls:
  - Inventory of Authorized and Unauthorized Software (#2)
  - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers (#3)
  - Continuous Vulnerability Assessment and Remediation (#4)
  - Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (#11)
- Allow targeted assessments of asset groups according to:
  - Compliance requirements for the assets: HIPAA, PCI, FERPA, etc.
  - System software: Windows, Mac OS/X, Cisco, Juniper, all major variants of Linux, etc.
  - Network services: Web, Database, File sharing, RPC, NTP, SSH, Remote Desktop, DNS, LDAP, etc.
Centralized Management
- Flexible grouping of assets according to university organizational boundaries or operational responsibilities.
- Identification, authentication, and access control mechanisms to allow organizational (or operational) administrators to manage vulnerabilities within their groups of assets.
Reporting, Dashboards, & Analytics
- Reports: provide a wide variety of detailed and summary reports for vulnerabilities, assets, trends, and remediation that can be targeted to the recipients' roles (executive, management, infrastructure admin, service owners, security administrators).
- Dashboards: provide user configurable dashboards to provide up-to-date information on vulnerabilities, trends, remediation actions, and analysis.
- Provide analysis, prioritization, descriptions, and recommended actions for discovered vulnerabilities to help guide system and service owners in scheduling remediation.
- Provide mechanisms for managing/tracking vulnerabilities, including:
  - Notification of admins/owners of vulnerabilities within their asset groups
  - Tracking assignment and resolution of vulnerabilities
  - Tracking the scheduling and completion of vulnerability remediation
  - Mechanisms for accepting or transferring risk of specific vulnerabilities
- Alert mechanisms that can inform administrators/owners of discovered important vulnerabilities.
[1] "Standards for Connecting Servers to the Network"