SlideShare a Scribd company logo

081014 Vulnerability Management - VM Framework Procedural Guidelines 1.0

Download as DOC, PDF
G
Gregg Jackson

This document provides guidelines for Sony Pictures Entertainment's vulnerability management framework. It outlines the roles, processes, systems and policies involved in identifying, assessing, remediating and validating the remediation of vulnerabilities on Sony's network. The framework utilizes Preventsys to schedule vulnerability scans by QualysGuard and track remediation tasks. It also describes how McAfee products are used and configured through policies and exceptions to help reduce vulnerabilities.

1 of 39
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Created By: Gregg Jackson For: Sony Pictures Entertainment The information in this document is proprietary, contains trade secrets, commercial, and financial information that is privileged and confidential. No part of this document can be disclosed outside of 120° Venture Construction Inc. or Customer without the direct consent of one of its officers. This document and the information in it cannot be duplicated, used, or disclosed in whole or in part for any purpose other than its original intent. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 1 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved. V U L N E R A B I L I T Y M A N A G E M E N T F R A M E W O R K P R O C E D U R A L G U I D E L I N E S
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Table of Contents 1. INTRODUCTION......................................................................................................................................3 2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE...................................................7 3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES...........................................................9 4. MANAGE POLICIES..............................................................................................................................14 5. ADD ASSET OR NETWORK SEGMENT...........................................................................................16 6. CHANGE OR EDIT ASSET...................................................................................................................18 7. REMOVE ASSET FROM NETWORK..................................................................................................20 8. MANAGE SCANNERS...........................................................................................................................22 9. MANAGE ASSESSMENTS....................................................................................................................24 10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION.........................27 11. MCAFEE TEST PROCESS....................................................................................................................30 12. MCAFEE DEPLOYMENT PROCESS.................................................................................................32 13. MCAFEE POLICY CHANGES.............................................................................................................34 14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS..........................................37 15. APPENDICES ........................................................................................................................................39 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 2 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1. INTRODUCTION Vulnerability is defined as a weakness in a network infrastructure that has been exploited by a threat that may potentially destroy, damage, or compromise a network asset. Vulnerability Management is defined as, the overall supervision of vulnerabilities within an organization and how management of those vulnerabilities will be achieved through distribution of duties and configuration of systems to measure compliance against organizational policies. The Vulnerability Management Framework Procedural Guidelines document is established to meet the requirements of the Sony Global Information Security Policy section 10.6, “Technical Vulnerability Management”. The purpose of the Vulnerability Management Framework Procedural Guidelines document is to provide general information about the systems, activities, roles and business rules that support the vulnerability management objective at Sony Pictures Entertainment. 1.1. OVERVIEW The foundation of the Sony Pictures Entertainment (SPE) vulnerability management framework begins with a team of representatives from various Information Technology departments who are tasked to preserve the policies, processes and business rules, and when effectively managed will serve to continuously support the comprehensive systems specifically implemented to reduce the risks associated with vulnerabilities. The Vulnerability Management Framework Procedural Guidelines document exists to support the proposed Vulnerability Management Lifecycle, illustrated below: 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 3 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1.2. REVISION HISTORY Version Date Author Details of Change 1.0 10/14/2008 G. Jackson Completed First Draft 1.3. GLOSSARY OF TERMS Vocabulary Definition Accepted Risk Vulnerabilities that will not be remediated for a specific reason. No corrective action is needed for the identified risk. Alternative Policy A set of policy rules for any McAfee products that are considered too significant to be configured as an exception, and are instead setup as an alternative policy. Alternative policies are applied to a defined group of end nodes. Assessment (scan) A methodical evaluation of an organization’s IT weaknesses of infrastructure components and assets and how those weaknesses can be mitigated through proper security controls and recommendations to remediate exposure to risks, threats, and vulnerabilities. Asset An asset is defined as any device that can be connected to network that will result in a connection with an IP address, thus exposing the asset and network to vulnerabilities. Assets make up a Network or Asset Group. Network and Asset Groups are one in the same. Baseline Policy A set of policy rules for any McAfee product deemed to be the set of rules that should be applied to all end nodes. Baseline Report A report providing the baseline knowledge necessary to execute specific vulnerability management activities. Baseline reports may also be used to identify common trends or expose gaps and can be used as a tool to proactively refine the vulnerability management process on an on going basis. Claimed/ Resolved Vulnerabilities that the Remediation Analyst classifies as fixed. Compensating Control An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. Compliance Validation The method in which the Information Security works in collaboration with Internal Audit, VMTF and any other required vulnerability management representatives to review the remediation task disposition and ensure compliance in accordance with GISP Activity Matrix requirements to remediate level 3, 4 and 5 vulnerabilities for external servers and level 4 and 5 vulnerabilities for internal servers. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 4 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Vocabulary Definition ePO ePolicy Orchestrator is McAfee’s centralized administration console. Exception Rule Any configured alternative path to a specific rule(s) within a Baseline Policy. False Negative A false negative occurs when a vulnerability exists, but the detection system failed to identify it. False Positive A false positive is a vulnerability that has been reported, but does not exist, because the detection mechanism was in error. HIPS Host Intrusion Prevention System is McAfee’s single console patch management system. McAfee VirusScan 8.5i Is a network internet security product developed by McAfee that provides antivirus protection, secure firewall, and spyware removal. Network Group A customized grouping of IP addresses or assets that together make up a network group. Network Groups are created and categorized to establish user visibility and help ease control and management of all assets from a global perspective. Each region consists of its own network group. Network Group is also commonly called a Network Segment. Penetration test Is a test conducted to identify potential loopholes that may expose a network weakness and when reported and acted on, it will allow application owners to fix the breach before it is can be taken advantage of by an external intruders. Policy Is an organizational rule that when effectively implemented will determine how well physical assets are protected. Preventsys The primary system for scheduling vulnerability scans. In the SPE environment, Preventsys is configured to schedule and trigger the QualysGuard vulnerability scanning (assessments). Preventsys Discovery Scan Scans for the most common TCP and UDP ports thus identifying all of the assets connected to the network at any given time. Preventsys Full Scan A full vulnerability scan targeting TCP and UDP ports. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 5 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Vocabulary Definition Preventsys Validation Scan Scans for all tasks that have been set to Claimed /Resolved, Accepted Risk or False Positive. Once the Validation Scan runs, all remediated tasks will be set to be verified. Quality Center TBD QualysGuard The primary system that scans and detects vulnerabilities and policy violations. . In the SPE environment, QualysGuard is configured to search for vulnerabilities on the SPE network and then report the results back to Preventsys for further analysis and initiate remediation activities. Remediation The action taken to reduce; quarantine and remove vulnerabilities from the network. Remedy System Customizable ticket tracking database application. Standard A standard is defined as the actions an organization takes to meet the requirements of a policy. TCP Transmission Control Protocol. A standard essential network communication mechanism. (Refer to Appendix 9.2 ‘TCP and UDP Ports’ for additional information) UDP User Datagram Protocol. A standard essential network communication mechanism. (Refer to Appendix 9.2 ‘TCP and UDP Ports’ for additional information) Vulnerability A weakness in the network infrastructure that may be exploited by a threat that may potentially destroy, damage, or compromise an IT asset. Vulnerabilities are categorized by severity level, with severity level 5 being most critical. Severity level 5 vulnerabilities take precedence during any prioritization assessment of vulnerabilities. The current Vulnerability Management Framework Lifecycle protocol primarily addresses severity level 3, 4 and 5 vulnerabilities and will be adamantly handled accordingly based on diligent risk analysis measures. Vulnerability Management The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through distribution of duties. From a system perspective, currently SPE uses ePO, VirusScan and HIPS to protect workstation and server assets. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 6 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE 2.1. OVERVIEW To gain a comprehensive understanding of Vulnerability Management, it is initially important to understand the system architecture. The vulnerability management systems are the focal point of vulnerability management and will serve as the primary catalysts to all vulnerability management processes, activities and business rules. Vulnerability Management begins with the Preventsys system which manages scheduling of vulnerability assessments, commonly referred to as vulnerability scans. When Preventsys triggers a scheduled vulnerability scan it sends a command to the QualysGuard system to begin scanning for vulnerabilities. The QualysGuard system completes the scan cycle on a particular network group and then communicates the data results back to Preventsys, thus initiating an analysis of results including prioritization of vulnerabilities based on criticality severity. Subsequently, vulnerabilities are assigned to a Remediation Analyst to begin the remediation and compliance validation processes. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 7 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 2.2. MCAFEE PREVENTSYS Preventsys is a comprehensive vulnerability management software application that centrally manages vulnerabilities. Preventsys initiates the vulnerability management process by launching scheduled vulnerability scans, also called assessments and accomplishes the following: • Manages assessment scheduling (manual and automated) • Manages security risks across the network, both internal and external • Quickly identifies assets at risk • Produces prioritized remediation tasks based on pre-defined criticality measurements associated to business defined policies • Automatic notification of risk status to management 2.3. QUALYSGUARD QualysGuard Guard is a comprehensive software application that achieves both vulnerability management and policy compliance initiatives. The QualysGuard service accurately detects vulnerabilities and then reports the results back to the Preventsys system as illustrated in the system architectural diagram. QualysGuard service accomplishes the following: • Application specific vulnerability checks • Integrates additional technical compliance components to support process re-engineering and accommodate shifting business objectives • Repeatable risk assessment on the fly 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 8 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES The roles of the vulnerability management team are without a doubt the most important components of the vulnerability management framework. The vulnerability management framework team supports all vulnerability management objectives. Working collaboratively, the following individuals connect the systems, administer the applications and perform the activities of the vulnerability management lifecycle: 3.1. ASSET ADMINISTRATOR • Responsible for maintaining the valid list of IP ranges (Network Group) for all assessment tools. • Works with the regional teams and Site Administrators to maintain the asset inventory in each region. • Responsible for reconciling differences between inventory and discovery scans. • Works with Control Owners and VMTF to define and maintain platform support policy and standards for each domain. • Works with Control Owners and VMTF to define and maintain the standard build and configuration documentation for each domain. 3.2. ASSET OWNER • Responsible for communicating changes of an asset to all applicable vulnerability management personnel, i.e. Change Control, Tool Administrator, VMTF, etc. • Identifies any asset changes and communicates to the Tool Administrator so that the appropriate system updates can be applied accordingly. 3.3. CHANGE CONTROL • Communicates system changes initiated by vulnerability management activities that may impact or disrupt any production processing environment. • Develops and enforces IT Change Control practices, procedures and policies in accordance with GISS/GISP measures. • Communicate vulnerability management system change schedules and corresponding information to impacted customer communities. • Works with Line of Business and application teams to define windows for assessment scans. • Collaborates with Tool Administrators to ensure implementation of assessment scheduling. • Works with Control Owners to ensure coordination of all remediation activities that require an outage outside the standard maintenance schedule. • Works with Asset Administrators to ensure all environment changes are administered to each of the affected asset repositories. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 9 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.4. CONTROL OWNER • Will assess results of vulnerability scans to determine remediation activity schedule with Remediation Analyst. • Determines schedule required to remediate level 3, 4 and 5 vulnerabilities. • Provide feedback on any results that warrant additional information prior to executive reporting. • Maintains ownership of specific asset group a.k.a. network groups. • Accountable for remediation of all vulnerabilities within their asset group. • Works with Remediation Analyst in the prioritization of vulnerabilities and assignment of remediation activities. • Responsible for the identification and implementation of compensating controls. 3.5. ENTERPRISE QUALITY ASSURANCE (EQA) • Responsible for ensuring all vulnerability management assessments are performed on applications are part of the SDLC. • Works with application teams to remediate all identified vulnerabilities. • Responsible for QA of all on-going changes to the vulnerability management lifecycle. 3.6. EPO GLOBAL ADMINISTRATOR • Maintains the ePO Server. • Manages ePO policies for all workstation McAfee products. • Manages ePO user access and privileges to ePO for workstation users. • Monitors ePO reports on an ongoing basis. • Identifies issues and trends and resolves issues where appropriate. • Ensures that all assets are on the required version of a McAfee product. • Identifies policy adjustments when necessary. • Coordinates the development of all policy rules with the Site Administrators. • Coordinates with Site Administrators, EQA and Change Control to develop and maintain the global testing and deployment schedule for all McAfee products. • Communicates all baseline policy information and policy changes via the Change Control process. • Ensures that all Quality Center reported issues are tracked and resolved. • Manages all server upgrades and back-end database administration. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 10 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.7. GLOBAL SUPPORT DESK (GSD) • TBD 3.8. INTERNAL AUDIT • Periodically reviews the VM lifecycle for compliance with the GISS/GISP measure. • Recommends lifecycle updates to the appropriate Vulnerability Management contact points to facilitate refinement of process re-engineering based on on-going analysis and best practices. 3.9. INFORMATION SECURITY • Responsible for the maintenance of the policy repository. • Responsible for importing and exporting of custom policies in compliance with the GISS/GISP measure. • Ensure accurate GISP/GISS mapping of policies between systems. • Collaborates with the Remediation Analyst to determine methods for reducing the number of false positives. • Ensure the compliance of VM Lifecycle with the GISS/GISP measures. • Facilitates VM lifecycle process review sessions with Internal Audit and Change Control and ensures suggested updates are incorporated into the process. • Develops trend analysis security metric reports to provide visibility and decision support to senior management regarding the state of vulnerabilities and policy violations across SPE's IT landscape. 3.10. NETWORK TEAM • Business Unit specific. Requires definition from the Network Team and executive approval. 3.11. REMEDIATION ANALYST • Ensure assets are compliant. • Remediates vulnerabilities. • Coordinates with McAfee when issues arise. • Works with Control Owner to document remediation plan to be reviewed with Change Control and Enterprise Quality Assurance (EQA) to help determine remediation activities, scheduling, and testing activities. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 11 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.12. REPORTING ANALYST • Identifies and defines reporting needs as requested or needed by the business. • Runs Preventsys Reports. • Schedules reports. • Works with stakeholders and Control Owners to manage their reporting needs. 3.13. SITE ADMINISTRATOR • Tests McAfee products within their respective workstation environment including scheduling deployment to test servers, addressing issues reported by testers and users, and reviewing ePO logs for issues. • Reports all issues identified in test via Quality Center. • Ensures that all testing is completed within the agreed upon schedule. • Contributes to the development of the global baseline policy. • Identifies policy expectations specific to region. • Schedules all test, pilot and production deployments via ePO. • Produces and analyzes ePO reports. • Identifies any issues or trends specific to region and remediates systems that are not compliant. • Continued on next page • Reports all issues identified in production to the ePO Global Administrator and the SPE Global Support Desk. • Reviews all ePO communicated events and addresses as appropriate. 3.14. TOOL ADMINISTRATOR • Applies patches and version updates to tools accordingly and in a timely manner. • Performs adhoc vulnerability assessments when requested. • Schedules all vulnerability assessments according to defined business needs. • Manages and maintains Scanner tools • Coordinates activities within scope of responsibilities and communicates to the appropriate vulnerability management team personnel and / or vendors to resolve issues. 3.15. VULNERABILITY MANAGEMENT LIFECYCLE MANAGER • Coordinates with Vulnerability Management Task Force (VMTF) to obtain approval of proposed compensating controls and accepted risks. • Responsible to ensure the implementation of all recommendations of the VMTF. • Responsible to ensure the integrity of the Vulnerability Management Lifecycle. • Works with the VMTF to determine the vulnerability coverage in each execution. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 12 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.16. VULNERABILITY MANAGEMENT TASK FORCE (VMTF) • Working council of stakeholders from each domain and is responsible for maintaining the Vulnerability Management Lifecycle. • Responsible for defining the duration of the VM Lifecycle. • Responsible for approving all policy changes to supporting vulnerability management systems. • Responsible for approving all platform supporting policies for compliance with vulnerability management. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 13 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 4. MANAGE POLICIES 4.1. OVERVIEW The Sony Pictures Entertainment vulnerability management team will address two kinds of policies, policies used to determine the coverage provided by a vulnerability scan, and policies used to determine the vulnerabilities based on the results and analysis of a vulnerability scan. The process of managing policies is intended to describe how Sony Pictures Entertainment (SPE) IT and Information Security work together to analyze newly created policies and establish the technical standards for supporting the new policies. The proposed process for managing policies is illustrated in section 4.4 4.2. SYSTEMS • Preventsys Preventsys maps vulnerability data to specific Global Information Security Policies (GISP). This information is used to report on corporate compliance with the GISP. 4.3. ROLES • Tool Administrator – Responsible for updating and maintaining policies within vulnerability management systems. • Information Security • Change Control – Adheres to current Change Control procedures. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 14 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 4.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 4.5. BUSINESS RULES DESCRIPTION 1 All SPE GISP policies defined will be reviewed by Information Security first. 2 IT Architecture and Governance will identify the IT staff responsible for establishing the technical standard by which the policy will be implemented. 3 Information Security will validate that all IT technical standards support the policy. 4 VMTF will review and approve proposed policies and determine the technical standards needed. NOTE: Any technical standard that impact the system to a high degree will be assessed thoroughly and if required will be channeled through Change Control. 5 VMTF will determine the timeframe by which a policy must be implemented. 6 The IT staff are responsible for implementing all approved technical standards 7 All approved policies will be posted on the intranet site. 8 IT and Information Security must agree to the schedule for implementing a newly defined policy and the technical standards that will support the policy. 9 Information Security will obtain corporate approval of the schedule to implant all technical standards. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 15 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 5. ADD ASSET OR NETWORK SEGMENT 5.1. OVERVIEW Assets are categorized as physical assets and logical assets. Some examples of physical assets include routers, firewalls, servers, workstations and laptops. Logical assets include websites, applications and databases. An asset is one where as a network segment is a grouping of assets. An example of a network segment is if SPE conducts testing on a potential new application in a testing lab and it requires eight testing workstations. The vulnerability management objective is concerned with all assets that connect to the SPE network internal or external and it is important that all new assets and network segments are properly added to the Preventsys system so that SPE and the vulnerability management team can successfully track, monitor and maintain assets. To manage new assets or network groups connected to the SPE network, the Remedy system will be the proposed system of choice to facilitate tracking and history. The proposed process for adding an asset or network group is illustrated in section 5.4 5.2. SYSTEMS • Remedy • Preventsys 5.3. ROLES • Asset Owner - Responsible for opening a Remedy ticket when a new asset or network segment needs to be connected to the network. • Tool Administrator - Responsible for adding the asset or network segment to the Preventsys system and maintaining the policies of the asset per asset category requirements. The Tool Administrator is also responsible for immediately scanning the new asset or network segment for vulnerabilities. • Change Control – Adheres to current Change Control procedures. • VMTF • Network Team – Adheres to current business practices. • Remediation Analyst – Responsible for remediating any vulnerabilities identified. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 16 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 5.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 5.5. BUSINESS RULES STEP DESCRIPTION 1 All requests for IP addresses will be initiated via the Remedy system 2 All requests for network segments will be initiated via the Remedy system. 3 All newly assigned IPs and network segments will be communicated to the requestor, Tool Administrator, Change Control and Asset Owner (if not the requestor). 4 All new network segments and assets will be immediately scanned. 5 Asset support policies will be maintained for each category of assets on a day to day basis. 6 Rogue assets that are discovered on the network need to be registered and properly channeled through the Remedy system. 7 Each business unit must identify information assets in its possession and draw up and maintain an inventory of all important assets. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 17 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 6. CHANGE OR EDIT ASSET 6.1. OVERVIEW Considering the evolving business needs existing in the Sony Pictures Entertainment environment, assets change frequently and it is important that the applicable roles of the vulnerability management team pay meticulous attention this occurrence and administer a plan to properly track, test, and control changing assets. The proposed process is illustrated in section 6.4 High-Level Process Flow Diagram. 6.2. ROLES • Asset Owner - Responsible for opening a Remedy ticket when an asset or network segment needs to be technically changed or changes classification (category) • Tool Administrator - Responsible for updating the policies associated with the asset or network segment, if applicable. Also responsible for immediately scanning the asset or network segment for vulnerabilities. • Change Control – Adheres to current Change Control procedures. • VMTF • Network Team – Adheres to current business practices. • Remediation Analyst – Responsible for remediating any vulnerabilities identified. 6.3. SYSTEMS • Preventsys • Remedy 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 18 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 6.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 6.5. BUSINESS RULES DESCRIPTION 1 Preventsys will be configured to automatically notify the Tool Administrator when vulnerabilities are present. 2 The Asset Owner will open a Remedy ticket any time their asset changes. 3 The Remediation Analyst will remediate any vulnerabilities identified. 4 The Tool Administrator will apply the necessary policy updates to Preventsys based on the asset category. 5 The Network Team, Change Control and VMTF will be notified of any asset change based on proper assessment and impact to the network. 6 < insert additional Business Rule identified > 7 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 19 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 7. REMOVE ASSET FROM NETWORK 7.1. OVERVIEW The Preventsys system stores the assets that are part of a specific network group so that they can be routinely scanned for vulnerabilities. If an asset is no longer connected to the network, it will be time consuming and difficult to track the asset. An asset may be removed from the network to undergo a hardware upgrade or permanently removed from the network; regardless of the scenario it is essential that communication and proper procedures are followed to help manage this process. Illustrated in section 7.4 is the proposed process for removing an asset from the network. 7.2. ROLES • Change Control – Adheres to the current Change Control procedures. • Tool Administrator – Responsible for removing the asset from the network group within Preventsys and then performing a discovery scan to make sure that the removed asset does not appear when results are returned. • Asset Owner – Responsible for opening a Remedy ticket to properly communicate the business need for removing the asset and to ensure that the asset is tracked and reported for historical purposes and audit. 7.3. SYSTEMS • Remedy • Preventsys 7.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 20 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 7.5. BUSINESS RULES DESCRIPTION 1 The Tool Administrator will remove the asset from Preventsys immediately upon notification. 2 The Asset Owner will be responsible for opening a Remedy ticket when removing an asset. 3 A report will be produced that captures the asset history for audit trail purposes. 4 < insert additional Business Rule identified > 5 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 21 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 8. MANAGE SCANNERS 8.1. OVERVIEW Sony Pictures Entertainment currently uses the QualysGuard system to perform vulnerability assessments. As previously documented, the Preventsys system triggers the QualysGuard system to perform the vulnerability assessment. QualysGuard is customized with specific policies to identify vulnerabilities and check for common threats that exists in today’s networking world. Albeit, every organization configures their systems differently based on the nature of the business, but most organizations practice many of the same methods to help manage and maintain their vulnerability management systems. Outlined below in sections 8.2 Role and 8.3 System Management is a detailed listing of the proposed responsibilities, activities and scheduling to facilitate scanner management. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 22 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 8.2. ROLE • Tool Administrator o Responsible for customizing each tool with SPE policies and standards in accordance with GISP o Responsible for maintaining each tool on a continuous basis to ensure protection of the SPE network infrastructure. o Serve as the primary point of contact for all scanner device issues and will communicate with the vulnerability management team on an as needed basis. o Required to contact the respective tool vendor to resolve any issues that cannot be resolved internally contingent upon initial thorough analysis. o Ensures that the device is on and properly functioning and meeting performance expectations 24 hours a day 7 days a week. o Manages licensing of each tool to ensure that the device is up to date. o Communicates all maintenance related tasks to Change Control such as applying security patches or version updates, configuration changes and enhancement requirements per policy and standard update priority. 8.3. SYSTEM MANAGEMENT DEVICE ACTIVITY SCHEDULE COMMENTS QualysGuard < insert associated business activity > <system defined format> Preventsys < insert associated business activity > <system defined format> 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 23 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9. MANAGE ASSESSMENTS 9.1. OVERVIEW Vulnerability Assessments analyze the security of the SPE network and are configured within the Preventsys system. When Preventsys launches or schedules vulnerability assessments, the QualysGuard service safely and accurately detects vulnerabilities using its inference-based scanning engine, an adaptive process that intelligently runs only tests applicable to each host scanned. The QualysGuard service first gathers information about each host, such as its operating system and version, ports and services, and then selects the appropriate test modules. This information is then reported back to Preventsys for analysis, remediation management and reporting. The following is a list of scans that will be routinely performed based on the agreed schedule: • Discovery – Scans TCP and UDP ports. This scan does not analyze for full vulnerabilities but only reports what is commonly known as informational vulnerabilities that give indication of the type of server the scanned system may be. This scan is useful in determining the Operating Systems running on a server, thus would be beneficial when administering policies. • Lite – Scan is configured per business need requirements. • Preventsys Full Scan – Scan is configured per business need requirements. • Database – Scans for vulnerabilities at the database port level. • Preventsys Validation Scan - Scans for all tasks that have been set to Claimed /Resolved, Accepted Risk or False Positive. Once the Validation Scan runs, all remediated tasks will be set to be Claimed/Resolved. The diagram illustrated in section 9.4 below is a high-level proposed process flow of the steps required to effectively manage vulnerability assessments. 9.2. SYSTEMS • Preventsys 9.3. ROLES • Tool Administrator 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 24 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 9.5. BUSINESS RULES DESCRIPTION 1 When scheduling a vulnerability assessment, the format of the date and time must be yyyy-mm- ddTHH:mm:ss (for example, 2004-07-27T22:36:20) and is always in GMT. 2 The business unit control owners will determine when to run a vulnerability assessment 3 The Tool Administrator will ensure that the QualysGuard results accurately populate to Preventsys. 4 Only servers that are categorized into a network group will be targeted for vulnerability assessments. 5 Servers IP addresses will be set up into a Network Group based on the combination of physical asset and operating system. 6 If a server has multiple IP addresses, the Asset Owner must identify the single instance of IP address and Operating System that should be assigned to a network group and targeted for vulnerability assessments. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 25 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9.6. ASSESSMENT SCHEDULE ASSESSMENT NAME TYPE NETWORK GROUP SCHEDULE COMMENTS 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 26 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION 10.1. OVERVIEW The ability to analyze and prioritize vulnerabilities based on criticality level and at the same time evaluate the impact to the business can be difficult. Although a vulnerability’s criticality level may be justifiably accurate when it is reported back into the Preventsys system, there will be many instances where it will be difficult to assess and classify the vulnerability. Those instances will require meticulous assessment and possibly a review session involving several vulnerability management team members. The proposed activities to help manage this process are illustrated in section 10.4 High-Level Process Flow Diagram. 10.2. ROLES • Control Owner • Remediation Analyst • Reporting Analyst • Information Security 10.3. SYSTEMS • Preventsys 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 27 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 10.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 10.5. BUSINESS RULES DESCRIPTION 1 A global vulnerability scan will be run every month, and vulnerabilities must be remediated and in compliance on a quarterly basis. (The business shall establish a quota guideline in relation to the number or percentage of vulnerabilities that must be in compliance within the 90 day period) 2 The vulnerability scan cycle is as follows: Day 0: Baseline results that must be remediated on Day 90 Day 30: Opportunity 1 to verify remediated vulnerabilities Day 60: Opportunity 2 to verify remediated vulnerabilities 3 Remediation tasks will be assigned by a member of the server team responsible for the server, or automatically (per business rules provided by the applicable server team) 4 Compliance of vulnerabilities will be achieved within 90 days of the Day 0 scan. (The business shall establish a quota guideline in relation to the number or percentage of vulnerabilities that must be in compliance within the 90 day period). 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 28 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . DESCRIPTION 5 An executive report will be produced for the Day 0 vulnerability scan and the Day 90 vulnerability scan. 6 Vulnerabilities identified as Accepted Risk or False Positives must be accompanied with an explanation regarding the status and clearly defined in the Preventsys system. 7 During Compliance Validation, the (TBD) will review and approve Accepted Risks or False Positives. 8 When Preventsys remediation tickets are automatically generated after each assessment, they must be assigned to a Remediation Analyst within (X) amount of time. 9 Remediation activities will require adherence to the change control process. 10 Remediation reporting and trending analysis should be regularly checked by business unit control owners. 11 Reports should be saved in .PDF format prior to publishing. 12 Information Security must review scan data for accuracy and validate that the data meets compliance audit standards. 13 Business unit owners must review scan data for accuracy. 14 All vulnerabilities and violations with a criticality level of 70 or higher will be assigned immediately to a Remediation Analyst. 15 All vulnerabilities and violations with a criticality level of 69 or lower will be assigned, but will be lower priority to 70 or higher vulnerabilities. 16 No vulnerability will be unassigned. 17 The Control Owner will assess the results of each vulnerability test, and will provide feedback on any results that warrant additional information prior to executive reporting. 18 Remediation plans will be reviewed with Change Control to schedule remediation activities when necessary. 19 Validation scans will be run every 3 weeks. 20 After each Validation Scan is performed, all assigned tasks that are not already set to Claimed/Resolved, Accepted Risk or False Positive should be set to Claimed/Resolved. 21 Remediation Task due dates will be scheduled by the Control Owner. 22 Remediation Tasks will be closed by the person assigned to the task. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 29 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 11. MCAFEE TEST PROCESS 11.1. OVERVIEW As is the case for any software application, McAfee products are frequently updated and require the appropriate personnel to administer the updated patches and install new versions. In section 11.3 below, a proposed process is illustrated to ensure that the appropriate personnel are accountable for the activities involving testing of new patches or versions of McAfee products and subsequently, the appropriate communication protocols are followed so that all impacted vulnerability management team members are well informed. 11.2. ROLES • Tool Administrator • Information Security • ePO Global Administrator • Site Administrator 11.3. HIGH-LEVEL PROCESS DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 30 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 11.4. BUSINESS RULES DESCRIPTION 1 The Tool Administrator will update the appropriate McAfee product on as needed basis. 2 Prior to releasing any updates to a McAfee product the ePO Global Administrator will communicate to all impacted vulnerability management team personnel. 3 Prior to releasing any updates to production, any McAfee update version or patch will be thoroughly tested. 4 The ePO Global Administrator will notify Change Control and Site Administrators immediately after the change is implemented. 5 < insert additional Business Rule identified > 6 < insert additional Business Rule identified > 7 < insert additional Business Rule identified > 8 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 31 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 12. MCAFEE DEPLOYMENT PROCESS 12.1. OVERVIEW Subsequent to testing of a McAfee product, the appropriate vulnerability management team members will engage in a deployment process to ensure the implementation is performed efficiently and has minimal disruption to the normal courser of vulnerability management activities. Section 12.3 illustrates the proposed process for managing deployments of McAfee products. 12.2. ROLES • Site Administrator • ePO Global Administrator • Change Control 12.3. HIGH-LEVEL PROCESS DIAGRAM 12.4. BUSINESS RULES DESCRIPTION 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 32 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1 2 3 4 5 6 7 8 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 33 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13. MCAFEE POLICY CHANGES 13.1. OVERVIEW 13.2. ROLES • Site Administrator • ePO Global Administrator • Change Control 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 34 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13.3. HIGH-LEVEL PROCESS DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 35 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13.4. BUSINESS RULES DESCRIPTION 1 Policy changes are made by the ePO Global Administrator only. 2 A baseline policy shall be implemented by all regions. 3 Any exception to the baseline policy shall be configured as an exception rule in ePO rather than an alternative policy (Unless it is determined that an alternative policy is necessary). 4 Site Administrators are responsible for the management of an alternative policy, if it is determined that it does not apply globally, otherwise the ePO Global Administrator will be responsible. 5 Site Administrators will complete testing within the agreed upon timeframe 6 7 8 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 36 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS 14.1. OVERVIEW Management of any organization would mutually agree that a proactive approach spending some time routinely assessing procedures in any new process and discussing ideas for process improvement would help to avoid unforeseeable issues and be beneficially cost effective. 14.2. ROLES • Site Administrator • ePO Global Administrator • Global Support Desk (GSD) 14.3. HIGH-LEVEL PROCESS DIAGRAM 14.4. BUSINESS RULES DESCRIPTION 1 2 3 4 5 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 37 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 38 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 15. APPENDICES 15.1. VULNERABILITY MANAGEMENT FRAMEWORK TEAM Region Contact Department Role Phone E-Mail Asia Pacific TBD North America TBD Latin America TBD UK TBD 15.2. TCP AND UDP PORTS 15.2.1. TCP Ports TCP stands for Transmission Control Protocol. Using this method, the computer sending the data connects directly to the computer it is sending the data it to, and stay connected for the duration of the transfer. With this method, the two computers can guarantee that the data has arrived safely and correctly, and then they disconnect the connection. This method of transferring data tends to be quicker and more reliable, but puts a higher load on the computer as it has to monitor the connection and the data going across it. A real life comparison to this method would be to pick up the phone and call a friend. You have a conversation and when it is over, you both hang up, releasing the connection. 15.2.2. UDP Ports UDP stands for User Datagram Protocol. Using this method, the computer sending the data packages the information into a nice little package and releases it into the network with the hopes that it will get to the right place. What this means is that UDP does not connect directly to the receiving computer like TCP does, but rather sends the data out and relies on the devices in between the sending computer and the receiving computer to get the data where it is supposed to go properly. This method of transmission does not provide any guarantee that the data you send will ever reach its destination. On the other hand, this method of transmission has a very low overhead and is therefore very popular to use for services that are not that important to work on the first try. A comparison you can use for this method is the plain old US Postal Service. You place your mail in the mailbox and hope the Postal Service will get it to the proper location. Most of the time they do, but sometimes it gets lost along the way. UDP Ports are used for connections that don’t necessarily need to response from the client, such as streaming video. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 39 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.

More Related Content

PDF
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Enterprise Management Associates
 
PPTX
A Framework for Developing and Operationalizing Security Use Cases
Ryan Faircloth
 
PPTX
FEI Brisbane Lunch: Cybersecurity and the CFO
Kate Mills
 
PDF
Multisim User Manual
guestfc76b6
 
PPTX
Cybersecurity Compliance in Government Contracts
Robert E Jones
 
PDF
Managing Compliance
SecPod Technologies
 
PPTX
APAC Partner Update: SolarWinds Security
SolarWinds
 
PPTX
Best Practices for Intelligent Compliance
BMC Software
 
Achieving Hi-Fidelity Security by Combining Packet and Endpoint Data
Enterprise Management Associates
 
A Framework for Developing and Operationalizing Security Use Cases
Ryan Faircloth
 
FEI Brisbane Lunch: Cybersecurity and the CFO
Kate Mills
 
Multisim User Manual
guestfc76b6
 
Cybersecurity Compliance in Government Contracts
Robert E Jones
 
Managing Compliance
SecPod Technologies
 
APAC Partner Update: SolarWinds Security
SolarWinds
 
Best Practices for Intelligent Compliance
BMC Software
 

What's hot (19)

PPTX
Stay out of headlines for non compliance or data breach
Sridhar Karnam
 
PDF
Penetration Testing, Auditing & Standards Issue : 02_2012-1
Falgun Rathod
 
PDF
Software fmea for medical devices
OnlineCompliance Panel
 
PDF
Rapid7 CAG Compliance Guide
Rapid7
 
PPTX
What is the UK Cyber Essentials scheme?
IT Governance Ltd
 
PDF
Puwer 98 cb
Clive Burgess
 
PPTX
SANS Report: The State of Security in Control Systems Today
SurfWatch Labs
 
PDF
Cyber Resilience - Contemporary once again for Managing Data Protection post-...
SSF Global
 
PPTX
Cyber Security protection by MultiPoint Ltd.
Ricardo Resnik
 
PPTX
Vulnerability Assessment Presentation
Lionel Medina
 
PDF
SplunkLive! Warsaw 2016 - Splunk for Security
Splunk
 
PDF
The uncool-security-hygiene
Thiagu Haldurai
 
PDF
NFA Interpretive Notice on Info Security
Wesley Moore
 
PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
PPTX
Security Kung Fu: Security vs. Compliance
Joshua Berman
 
DOCX
Robert-DOD Project
Robert D. Williams
 
PDF
10 KEYS TO EFFECTIVE NETWORK SECURITY
Razorpoint Security
 
PDF
Insider Threat Detection Recommendations
AlienVault
 
PDF
Complete network security protection for sme's within limited resources
IJNSA Journal
 
Stay out of headlines for non compliance or data breach
Sridhar Karnam
 
Penetration Testing, Auditing & Standards Issue : 02_2012-1
Falgun Rathod
 
Software fmea for medical devices
OnlineCompliance Panel
 
Rapid7 CAG Compliance Guide
Rapid7
 
What is the UK Cyber Essentials scheme?
IT Governance Ltd
 
Puwer 98 cb
Clive Burgess
 
SANS Report: The State of Security in Control Systems Today
SurfWatch Labs
 
Cyber Resilience - Contemporary once again for Managing Data Protection post-...
SSF Global
 
Cyber Security protection by MultiPoint Ltd.
Ricardo Resnik
 
Vulnerability Assessment Presentation
Lionel Medina
 
SplunkLive! Warsaw 2016 - Splunk for Security
Splunk
 
The uncool-security-hygiene
Thiagu Haldurai
 
NFA Interpretive Notice on Info Security
Wesley Moore
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Resilient Systems
 
Security Kung Fu: Security vs. Compliance
Joshua Berman
 
Robert-DOD Project
Robert D. Williams
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
Razorpoint Security
 
Insider Threat Detection Recommendations
AlienVault
 
Complete network security protection for sme's within limited resources
IJNSA Journal
 
Ad

Viewers also liked (11)

PDF
Impact of Ground Effect on Circulation Controlled Cylindrical Surfaces
CSCJournals
 
PDF
RPKI: An Operator’s Implementation
MyNOG
 
PPT
Ost Invitation
tjcarter
 
PDF
Brochure E&G Davao
MYD Vietnam
 
PDF
8.QAI-CMMI Dev-V1.3
Mohammad Shahadat Hossain Chowdhury, CSSB,ITIL, PRINCE2
 
PPTX
Xoodax price protection2016
xoodax
 
PPTX
Class session 2.2.16
tjcarter
 
DOC
XIAO PING LIU CV
xiao ping liu
 
PPTX
Real-Time Status Commands
Splunk
 
PPTX
Classroom Activities - Chapter 2
Institude of applied science technology Jahad Daneshgahi (UASTJD)
 
PPTX
Language Curriculum Design - Chapter 9
Institude of applied science technology Jahad Daneshgahi (UASTJD)
 
Impact of Ground Effect on Circulation Controlled Cylindrical Surfaces
CSCJournals
 
RPKI: An Operator’s Implementation
MyNOG
 
Ost Invitation
tjcarter
 
Brochure E&G Davao
MYD Vietnam
 
8.QAI-CMMI Dev-V1.3
Mohammad Shahadat Hossain Chowdhury, CSSB,ITIL, PRINCE2
 
Xoodax price protection2016
xoodax
 
Class session 2.2.16
tjcarter
 
XIAO PING LIU CV
xiao ping liu
 
Real-Time Status Commands
Splunk
 
Classroom Activities - Chapter 2
Institude of applied science technology Jahad Daneshgahi (UASTJD)
 
Language Curriculum Design - Chapter 9
Institude of applied science technology Jahad Daneshgahi (UASTJD)
 
Ad

Similar to 081014 Vulnerability Management - VM Framework Procedural Guidelines 1.0 (20)

PDF
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
PDF
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
SidneyGiovanniSimas1
 
PDF
Implementing Vulnerability Management
Argyle Executive Forum
 
PPTX
How to Perform Continuous Vulnerability Management
Ivanti
 
PDF
5 howtomitigate
richarddxd
 
PPTX
Effective Vulnerability Management
Vicky Ames
 
PPTX
Vulnerability_Management.pptx
Shriya Rai
 
PPTX
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 
PDF
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
PDF
Patch and Vulnerability Management
Marcelo Martins
 
PPT
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
PDF
Stu w21 a
SelectedPresentations
 
PDF
Monitoring threats for pci compliance
Shiva Hullavarad
 
PDF
Monitoring threats for pci compliance
Shiva Hullavarad
 
PDF
Cost-effective approach to full-cycle vulnerability management
Sasha Nunke
 
PPT
Vuln.ppt
karthikvcyber
 
PPT
Vuln_Man_91003.ppt
KRISHNARAJ207
 
PDF
Vulnerability and Patch Management
n|u - The Open Security Community
 
DOCX
Globally.docx
GermanERuizCorrales
 
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
CISO_Mind_Map_and_Vulnerability_Management_Maturity_Model_1643375178.pdf
SidneyGiovanniSimas1
 
Implementing Vulnerability Management
Argyle Executive Forum
 
How to Perform Continuous Vulnerability Management
Ivanti
 
5 howtomitigate
richarddxd
 
Effective Vulnerability Management
Vicky Ames
 
Vulnerability_Management.pptx
Shriya Rai
 
threat_and_vulnerability_management_-_ryan_elmer_-_frsecure.pptx
ImXaib
 
10 Steps to Building an Effective Vulnerability Management Program
BeyondTrust
 
Patch and Vulnerability Management
Marcelo Martins
 
Planning and Deploying an Effective Vulnerability Management Program
Sasha Nunke
 
Stu w21 a
SelectedPresentations
 
Monitoring threats for pci compliance
Shiva Hullavarad
 
Monitoring threats for pci compliance
Shiva Hullavarad
 
Cost-effective approach to full-cycle vulnerability management
Sasha Nunke
 
Vuln.ppt
karthikvcyber
 
Vuln_Man_91003.ppt
KRISHNARAJ207
 
Vulnerability and Patch Management
n|u - The Open Security Community
 
Globally.docx
GermanERuizCorrales
 

081014 Vulnerability Management - VM Framework Procedural Guidelines 1.0

  • 1. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Created By: Gregg Jackson For: Sony Pictures Entertainment The information in this document is proprietary, contains trade secrets, commercial, and financial information that is privileged and confidential. No part of this document can be disclosed outside of 120° Venture Construction Inc. or Customer without the direct consent of one of its officers. This document and the information in it cannot be duplicated, used, or disclosed in whole or in part for any purpose other than its original intent. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 1 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved. V U L N E R A B I L I T Y M A N A G E M E N T F R A M E W O R K P R O C E D U R A L G U I D E L I N E S
  • 2. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Table of Contents 1. INTRODUCTION......................................................................................................................................3 2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE...................................................7 3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES...........................................................9 4. MANAGE POLICIES..............................................................................................................................14 5. ADD ASSET OR NETWORK SEGMENT...........................................................................................16 6. CHANGE OR EDIT ASSET...................................................................................................................18 7. REMOVE ASSET FROM NETWORK..................................................................................................20 8. MANAGE SCANNERS...........................................................................................................................22 9. MANAGE ASSESSMENTS....................................................................................................................24 10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION.........................27 11. MCAFEE TEST PROCESS....................................................................................................................30 12. MCAFEE DEPLOYMENT PROCESS.................................................................................................32 13. MCAFEE POLICY CHANGES.............................................................................................................34 14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS..........................................37 15. APPENDICES ........................................................................................................................................39 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 2 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 3. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1. INTRODUCTION Vulnerability is defined as a weakness in a network infrastructure that has been exploited by a threat that may potentially destroy, damage, or compromise a network asset. Vulnerability Management is defined as, the overall supervision of vulnerabilities within an organization and how management of those vulnerabilities will be achieved through distribution of duties and configuration of systems to measure compliance against organizational policies. The Vulnerability Management Framework Procedural Guidelines document is established to meet the requirements of the Sony Global Information Security Policy section 10.6, “Technical Vulnerability Management”. The purpose of the Vulnerability Management Framework Procedural Guidelines document is to provide general information about the systems, activities, roles and business rules that support the vulnerability management objective at Sony Pictures Entertainment. 1.1. OVERVIEW The foundation of the Sony Pictures Entertainment (SPE) vulnerability management framework begins with a team of representatives from various Information Technology departments who are tasked to preserve the policies, processes and business rules, and when effectively managed will serve to continuously support the comprehensive systems specifically implemented to reduce the risks associated with vulnerabilities. The Vulnerability Management Framework Procedural Guidelines document exists to support the proposed Vulnerability Management Lifecycle, illustrated below: 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 3 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 4. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1.2. REVISION HISTORY Version Date Author Details of Change 1.0 10/14/2008 G. Jackson Completed First Draft 1.3. GLOSSARY OF TERMS Vocabulary Definition Accepted Risk Vulnerabilities that will not be remediated for a specific reason. No corrective action is needed for the identified risk. Alternative Policy A set of policy rules for any McAfee products that are considered too significant to be configured as an exception, and are instead setup as an alternative policy. Alternative policies are applied to a defined group of end nodes. Assessment (scan) A methodical evaluation of an organization’s IT weaknesses of infrastructure components and assets and how those weaknesses can be mitigated through proper security controls and recommendations to remediate exposure to risks, threats, and vulnerabilities. Asset An asset is defined as any device that can be connected to network that will result in a connection with an IP address, thus exposing the asset and network to vulnerabilities. Assets make up a Network or Asset Group. Network and Asset Groups are one in the same. Baseline Policy A set of policy rules for any McAfee product deemed to be the set of rules that should be applied to all end nodes. Baseline Report A report providing the baseline knowledge necessary to execute specific vulnerability management activities. Baseline reports may also be used to identify common trends or expose gaps and can be used as a tool to proactively refine the vulnerability management process on an on going basis. Claimed/ Resolved Vulnerabilities that the Remediation Analyst classifies as fixed. Compensating Control An internal control that reduces the risk of an existing or potential control weakness resulting in errors and omissions. Compliance Validation The method in which the Information Security works in collaboration with Internal Audit, VMTF and any other required vulnerability management representatives to review the remediation task disposition and ensure compliance in accordance with GISP Activity Matrix requirements to remediate level 3, 4 and 5 vulnerabilities for external servers and level 4 and 5 vulnerabilities for internal servers. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 4 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 5. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Vocabulary Definition ePO ePolicy Orchestrator is McAfee’s centralized administration console. Exception Rule Any configured alternative path to a specific rule(s) within a Baseline Policy. False Negative A false negative occurs when a vulnerability exists, but the detection system failed to identify it. False Positive A false positive is a vulnerability that has been reported, but does not exist, because the detection mechanism was in error. HIPS Host Intrusion Prevention System is McAfee’s single console patch management system. McAfee VirusScan 8.5i Is a network internet security product developed by McAfee that provides antivirus protection, secure firewall, and spyware removal. Network Group A customized grouping of IP addresses or assets that together make up a network group. Network Groups are created and categorized to establish user visibility and help ease control and management of all assets from a global perspective. Each region consists of its own network group. Network Group is also commonly called a Network Segment. Penetration test Is a test conducted to identify potential loopholes that may expose a network weakness and when reported and acted on, it will allow application owners to fix the breach before it is can be taken advantage of by an external intruders. Policy Is an organizational rule that when effectively implemented will determine how well physical assets are protected. Preventsys The primary system for scheduling vulnerability scans. In the SPE environment, Preventsys is configured to schedule and trigger the QualysGuard vulnerability scanning (assessments). Preventsys Discovery Scan Scans for the most common TCP and UDP ports thus identifying all of the assets connected to the network at any given time. Preventsys Full Scan A full vulnerability scan targeting TCP and UDP ports. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 5 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 6. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . Vocabulary Definition Preventsys Validation Scan Scans for all tasks that have been set to Claimed /Resolved, Accepted Risk or False Positive. Once the Validation Scan runs, all remediated tasks will be set to be verified. Quality Center TBD QualysGuard The primary system that scans and detects vulnerabilities and policy violations. . In the SPE environment, QualysGuard is configured to search for vulnerabilities on the SPE network and then report the results back to Preventsys for further analysis and initiate remediation activities. Remediation The action taken to reduce; quarantine and remove vulnerabilities from the network. Remedy System Customizable ticket tracking database application. Standard A standard is defined as the actions an organization takes to meet the requirements of a policy. TCP Transmission Control Protocol. A standard essential network communication mechanism. (Refer to Appendix 9.2 ‘TCP and UDP Ports’ for additional information) UDP User Datagram Protocol. A standard essential network communication mechanism. (Refer to Appendix 9.2 ‘TCP and UDP Ports’ for additional information) Vulnerability A weakness in the network infrastructure that may be exploited by a threat that may potentially destroy, damage, or compromise an IT asset. Vulnerabilities are categorized by severity level, with severity level 5 being most critical. Severity level 5 vulnerabilities take precedence during any prioritization assessment of vulnerabilities. The current Vulnerability Management Framework Lifecycle protocol primarily addresses severity level 3, 4 and 5 vulnerabilities and will be adamantly handled accordingly based on diligent risk analysis measures. Vulnerability Management The overall responsibility and management of vulnerabilities within an organization and how that management of vulnerabilities will be achieved through distribution of duties. From a system perspective, currently SPE uses ePO, VirusScan and HIPS to protect workstation and server assets. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 6 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 7. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE 2.1. OVERVIEW To gain a comprehensive understanding of Vulnerability Management, it is initially important to understand the system architecture. The vulnerability management systems are the focal point of vulnerability management and will serve as the primary catalysts to all vulnerability management processes, activities and business rules. Vulnerability Management begins with the Preventsys system which manages scheduling of vulnerability assessments, commonly referred to as vulnerability scans. When Preventsys triggers a scheduled vulnerability scan it sends a command to the QualysGuard system to begin scanning for vulnerabilities. The QualysGuard system completes the scan cycle on a particular network group and then communicates the data results back to Preventsys, thus initiating an analysis of results including prioritization of vulnerabilities based on criticality severity. Subsequently, vulnerabilities are assigned to a Remediation Analyst to begin the remediation and compliance validation processes. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 7 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 8. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 2.2. MCAFEE PREVENTSYS Preventsys is a comprehensive vulnerability management software application that centrally manages vulnerabilities. Preventsys initiates the vulnerability management process by launching scheduled vulnerability scans, also called assessments and accomplishes the following: • Manages assessment scheduling (manual and automated) • Manages security risks across the network, both internal and external • Quickly identifies assets at risk • Produces prioritized remediation tasks based on pre-defined criticality measurements associated to business defined policies • Automatic notification of risk status to management 2.3. QUALYSGUARD QualysGuard Guard is a comprehensive software application that achieves both vulnerability management and policy compliance initiatives. The QualysGuard service accurately detects vulnerabilities and then reports the results back to the Preventsys system as illustrated in the system architectural diagram. QualysGuard service accomplishes the following: • Application specific vulnerability checks • Integrates additional technical compliance components to support process re-engineering and accommodate shifting business objectives • Repeatable risk assessment on the fly 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 8 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 9. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES The roles of the vulnerability management team are without a doubt the most important components of the vulnerability management framework. The vulnerability management framework team supports all vulnerability management objectives. Working collaboratively, the following individuals connect the systems, administer the applications and perform the activities of the vulnerability management lifecycle: 3.1. ASSET ADMINISTRATOR • Responsible for maintaining the valid list of IP ranges (Network Group) for all assessment tools. • Works with the regional teams and Site Administrators to maintain the asset inventory in each region. • Responsible for reconciling differences between inventory and discovery scans. • Works with Control Owners and VMTF to define and maintain platform support policy and standards for each domain. • Works with Control Owners and VMTF to define and maintain the standard build and configuration documentation for each domain. 3.2. ASSET OWNER • Responsible for communicating changes of an asset to all applicable vulnerability management personnel, i.e. Change Control, Tool Administrator, VMTF, etc. • Identifies any asset changes and communicates to the Tool Administrator so that the appropriate system updates can be applied accordingly. 3.3. CHANGE CONTROL • Communicates system changes initiated by vulnerability management activities that may impact or disrupt any production processing environment. • Develops and enforces IT Change Control practices, procedures and policies in accordance with GISS/GISP measures. • Communicate vulnerability management system change schedules and corresponding information to impacted customer communities. • Works with Line of Business and application teams to define windows for assessment scans. • Collaborates with Tool Administrators to ensure implementation of assessment scheduling. • Works with Control Owners to ensure coordination of all remediation activities that require an outage outside the standard maintenance schedule. • Works with Asset Administrators to ensure all environment changes are administered to each of the affected asset repositories. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 9 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 10. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.4. CONTROL OWNER • Will assess results of vulnerability scans to determine remediation activity schedule with Remediation Analyst. • Determines schedule required to remediate level 3, 4 and 5 vulnerabilities. • Provide feedback on any results that warrant additional information prior to executive reporting. • Maintains ownership of specific asset group a.k.a. network groups. • Accountable for remediation of all vulnerabilities within their asset group. • Works with Remediation Analyst in the prioritization of vulnerabilities and assignment of remediation activities. • Responsible for the identification and implementation of compensating controls. 3.5. ENTERPRISE QUALITY ASSURANCE (EQA) • Responsible for ensuring all vulnerability management assessments are performed on applications are part of the SDLC. • Works with application teams to remediate all identified vulnerabilities. • Responsible for QA of all on-going changes to the vulnerability management lifecycle. 3.6. EPO GLOBAL ADMINISTRATOR • Maintains the ePO Server. • Manages ePO policies for all workstation McAfee products. • Manages ePO user access and privileges to ePO for workstation users. • Monitors ePO reports on an ongoing basis. • Identifies issues and trends and resolves issues where appropriate. • Ensures that all assets are on the required version of a McAfee product. • Identifies policy adjustments when necessary. • Coordinates the development of all policy rules with the Site Administrators. • Coordinates with Site Administrators, EQA and Change Control to develop and maintain the global testing and deployment schedule for all McAfee products. • Communicates all baseline policy information and policy changes via the Change Control process. • Ensures that all Quality Center reported issues are tracked and resolved. • Manages all server upgrades and back-end database administration. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 10 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 11. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.7. GLOBAL SUPPORT DESK (GSD) • TBD 3.8. INTERNAL AUDIT • Periodically reviews the VM lifecycle for compliance with the GISS/GISP measure. • Recommends lifecycle updates to the appropriate Vulnerability Management contact points to facilitate refinement of process re-engineering based on on-going analysis and best practices. 3.9. INFORMATION SECURITY • Responsible for the maintenance of the policy repository. • Responsible for importing and exporting of custom policies in compliance with the GISS/GISP measure. • Ensure accurate GISP/GISS mapping of policies between systems. • Collaborates with the Remediation Analyst to determine methods for reducing the number of false positives. • Ensure the compliance of VM Lifecycle with the GISS/GISP measures. • Facilitates VM lifecycle process review sessions with Internal Audit and Change Control and ensures suggested updates are incorporated into the process. • Develops trend analysis security metric reports to provide visibility and decision support to senior management regarding the state of vulnerabilities and policy violations across SPE's IT landscape. 3.10. NETWORK TEAM • Business Unit specific. Requires definition from the Network Team and executive approval. 3.11. REMEDIATION ANALYST • Ensure assets are compliant. • Remediates vulnerabilities. • Coordinates with McAfee when issues arise. • Works with Control Owner to document remediation plan to be reviewed with Change Control and Enterprise Quality Assurance (EQA) to help determine remediation activities, scheduling, and testing activities. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 11 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 12. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.12. REPORTING ANALYST • Identifies and defines reporting needs as requested or needed by the business. • Runs Preventsys Reports. • Schedules reports. • Works with stakeholders and Control Owners to manage their reporting needs. 3.13. SITE ADMINISTRATOR • Tests McAfee products within their respective workstation environment including scheduling deployment to test servers, addressing issues reported by testers and users, and reviewing ePO logs for issues. • Reports all issues identified in test via Quality Center. • Ensures that all testing is completed within the agreed upon schedule. • Contributes to the development of the global baseline policy. • Identifies policy expectations specific to region. • Schedules all test, pilot and production deployments via ePO. • Produces and analyzes ePO reports. • Identifies any issues or trends specific to region and remediates systems that are not compliant. • Continued on next page • Reports all issues identified in production to the ePO Global Administrator and the SPE Global Support Desk. • Reviews all ePO communicated events and addresses as appropriate. 3.14. TOOL ADMINISTRATOR • Applies patches and version updates to tools accordingly and in a timely manner. • Performs adhoc vulnerability assessments when requested. • Schedules all vulnerability assessments according to defined business needs. • Manages and maintains Scanner tools • Coordinates activities within scope of responsibilities and communicates to the appropriate vulnerability management team personnel and / or vendors to resolve issues. 3.15. VULNERABILITY MANAGEMENT LIFECYCLE MANAGER • Coordinates with Vulnerability Management Task Force (VMTF) to obtain approval of proposed compensating controls and accepted risks. • Responsible to ensure the implementation of all recommendations of the VMTF. • Responsible to ensure the integrity of the Vulnerability Management Lifecycle. • Works with the VMTF to determine the vulnerability coverage in each execution. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 12 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 13. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 3.16. VULNERABILITY MANAGEMENT TASK FORCE (VMTF) • Working council of stakeholders from each domain and is responsible for maintaining the Vulnerability Management Lifecycle. • Responsible for defining the duration of the VM Lifecycle. • Responsible for approving all policy changes to supporting vulnerability management systems. • Responsible for approving all platform supporting policies for compliance with vulnerability management. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 13 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 14. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 4. MANAGE POLICIES 4.1. OVERVIEW The Sony Pictures Entertainment vulnerability management team will address two kinds of policies, policies used to determine the coverage provided by a vulnerability scan, and policies used to determine the vulnerabilities based on the results and analysis of a vulnerability scan. The process of managing policies is intended to describe how Sony Pictures Entertainment (SPE) IT and Information Security work together to analyze newly created policies and establish the technical standards for supporting the new policies. The proposed process for managing policies is illustrated in section 4.4 4.2. SYSTEMS • Preventsys Preventsys maps vulnerability data to specific Global Information Security Policies (GISP). This information is used to report on corporate compliance with the GISP. 4.3. ROLES • Tool Administrator – Responsible for updating and maintaining policies within vulnerability management systems. • Information Security • Change Control – Adheres to current Change Control procedures. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 14 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 15. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 4.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 4.5. BUSINESS RULES DESCRIPTION 1 All SPE GISP policies defined will be reviewed by Information Security first. 2 IT Architecture and Governance will identify the IT staff responsible for establishing the technical standard by which the policy will be implemented. 3 Information Security will validate that all IT technical standards support the policy. 4 VMTF will review and approve proposed policies and determine the technical standards needed. NOTE: Any technical standard that impact the system to a high degree will be assessed thoroughly and if required will be channeled through Change Control. 5 VMTF will determine the timeframe by which a policy must be implemented. 6 The IT staff are responsible for implementing all approved technical standards 7 All approved policies will be posted on the intranet site. 8 IT and Information Security must agree to the schedule for implementing a newly defined policy and the technical standards that will support the policy. 9 Information Security will obtain corporate approval of the schedule to implant all technical standards. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 15 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 16. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 5. ADD ASSET OR NETWORK SEGMENT 5.1. OVERVIEW Assets are categorized as physical assets and logical assets. Some examples of physical assets include routers, firewalls, servers, workstations and laptops. Logical assets include websites, applications and databases. An asset is one where as a network segment is a grouping of assets. An example of a network segment is if SPE conducts testing on a potential new application in a testing lab and it requires eight testing workstations. The vulnerability management objective is concerned with all assets that connect to the SPE network internal or external and it is important that all new assets and network segments are properly added to the Preventsys system so that SPE and the vulnerability management team can successfully track, monitor and maintain assets. To manage new assets or network groups connected to the SPE network, the Remedy system will be the proposed system of choice to facilitate tracking and history. The proposed process for adding an asset or network group is illustrated in section 5.4 5.2. SYSTEMS • Remedy • Preventsys 5.3. ROLES • Asset Owner - Responsible for opening a Remedy ticket when a new asset or network segment needs to be connected to the network. • Tool Administrator - Responsible for adding the asset or network segment to the Preventsys system and maintaining the policies of the asset per asset category requirements. The Tool Administrator is also responsible for immediately scanning the new asset or network segment for vulnerabilities. • Change Control – Adheres to current Change Control procedures. • VMTF • Network Team – Adheres to current business practices. • Remediation Analyst – Responsible for remediating any vulnerabilities identified. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 16 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 17. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 5.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 5.5. BUSINESS RULES STEP DESCRIPTION 1 All requests for IP addresses will be initiated via the Remedy system 2 All requests for network segments will be initiated via the Remedy system. 3 All newly assigned IPs and network segments will be communicated to the requestor, Tool Administrator, Change Control and Asset Owner (if not the requestor). 4 All new network segments and assets will be immediately scanned. 5 Asset support policies will be maintained for each category of assets on a day to day basis. 6 Rogue assets that are discovered on the network need to be registered and properly channeled through the Remedy system. 7 Each business unit must identify information assets in its possession and draw up and maintain an inventory of all important assets. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 17 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 18. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 6. CHANGE OR EDIT ASSET 6.1. OVERVIEW Considering the evolving business needs existing in the Sony Pictures Entertainment environment, assets change frequently and it is important that the applicable roles of the vulnerability management team pay meticulous attention this occurrence and administer a plan to properly track, test, and control changing assets. The proposed process is illustrated in section 6.4 High-Level Process Flow Diagram. 6.2. ROLES • Asset Owner - Responsible for opening a Remedy ticket when an asset or network segment needs to be technically changed or changes classification (category) • Tool Administrator - Responsible for updating the policies associated with the asset or network segment, if applicable. Also responsible for immediately scanning the asset or network segment for vulnerabilities. • Change Control – Adheres to current Change Control procedures. • VMTF • Network Team – Adheres to current business practices. • Remediation Analyst – Responsible for remediating any vulnerabilities identified. 6.3. SYSTEMS • Preventsys • Remedy 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 18 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 19. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 6.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 6.5. BUSINESS RULES DESCRIPTION 1 Preventsys will be configured to automatically notify the Tool Administrator when vulnerabilities are present. 2 The Asset Owner will open a Remedy ticket any time their asset changes. 3 The Remediation Analyst will remediate any vulnerabilities identified. 4 The Tool Administrator will apply the necessary policy updates to Preventsys based on the asset category. 5 The Network Team, Change Control and VMTF will be notified of any asset change based on proper assessment and impact to the network. 6 < insert additional Business Rule identified > 7 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 19 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 20. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 7. REMOVE ASSET FROM NETWORK 7.1. OVERVIEW The Preventsys system stores the assets that are part of a specific network group so that they can be routinely scanned for vulnerabilities. If an asset is no longer connected to the network, it will be time consuming and difficult to track the asset. An asset may be removed from the network to undergo a hardware upgrade or permanently removed from the network; regardless of the scenario it is essential that communication and proper procedures are followed to help manage this process. Illustrated in section 7.4 is the proposed process for removing an asset from the network. 7.2. ROLES • Change Control – Adheres to the current Change Control procedures. • Tool Administrator – Responsible for removing the asset from the network group within Preventsys and then performing a discovery scan to make sure that the removed asset does not appear when results are returned. • Asset Owner – Responsible for opening a Remedy ticket to properly communicate the business need for removing the asset and to ensure that the asset is tracked and reported for historical purposes and audit. 7.3. SYSTEMS • Remedy • Preventsys 7.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 20 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 21. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 7.5. BUSINESS RULES DESCRIPTION 1 The Tool Administrator will remove the asset from Preventsys immediately upon notification. 2 The Asset Owner will be responsible for opening a Remedy ticket when removing an asset. 3 A report will be produced that captures the asset history for audit trail purposes. 4 < insert additional Business Rule identified > 5 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 21 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 22. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 8. MANAGE SCANNERS 8.1. OVERVIEW Sony Pictures Entertainment currently uses the QualysGuard system to perform vulnerability assessments. As previously documented, the Preventsys system triggers the QualysGuard system to perform the vulnerability assessment. QualysGuard is customized with specific policies to identify vulnerabilities and check for common threats that exists in today’s networking world. Albeit, every organization configures their systems differently based on the nature of the business, but most organizations practice many of the same methods to help manage and maintain their vulnerability management systems. Outlined below in sections 8.2 Role and 8.3 System Management is a detailed listing of the proposed responsibilities, activities and scheduling to facilitate scanner management. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 22 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 23. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 8.2. ROLE • Tool Administrator o Responsible for customizing each tool with SPE policies and standards in accordance with GISP o Responsible for maintaining each tool on a continuous basis to ensure protection of the SPE network infrastructure. o Serve as the primary point of contact for all scanner device issues and will communicate with the vulnerability management team on an as needed basis. o Required to contact the respective tool vendor to resolve any issues that cannot be resolved internally contingent upon initial thorough analysis. o Ensures that the device is on and properly functioning and meeting performance expectations 24 hours a day 7 days a week. o Manages licensing of each tool to ensure that the device is up to date. o Communicates all maintenance related tasks to Change Control such as applying security patches or version updates, configuration changes and enhancement requirements per policy and standard update priority. 8.3. SYSTEM MANAGEMENT DEVICE ACTIVITY SCHEDULE COMMENTS QualysGuard < insert associated business activity > <system defined format> Preventsys < insert associated business activity > <system defined format> 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 23 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 24. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9. MANAGE ASSESSMENTS 9.1. OVERVIEW Vulnerability Assessments analyze the security of the SPE network and are configured within the Preventsys system. When Preventsys launches or schedules vulnerability assessments, the QualysGuard service safely and accurately detects vulnerabilities using its inference-based scanning engine, an adaptive process that intelligently runs only tests applicable to each host scanned. The QualysGuard service first gathers information about each host, such as its operating system and version, ports and services, and then selects the appropriate test modules. This information is then reported back to Preventsys for analysis, remediation management and reporting. The following is a list of scans that will be routinely performed based on the agreed schedule: • Discovery – Scans TCP and UDP ports. This scan does not analyze for full vulnerabilities but only reports what is commonly known as informational vulnerabilities that give indication of the type of server the scanned system may be. This scan is useful in determining the Operating Systems running on a server, thus would be beneficial when administering policies. • Lite – Scan is configured per business need requirements. • Preventsys Full Scan – Scan is configured per business need requirements. • Database – Scans for vulnerabilities at the database port level. • Preventsys Validation Scan - Scans for all tasks that have been set to Claimed /Resolved, Accepted Risk or False Positive. Once the Validation Scan runs, all remediated tasks will be set to be Claimed/Resolved. The diagram illustrated in section 9.4 below is a high-level proposed process flow of the steps required to effectively manage vulnerability assessments. 9.2. SYSTEMS • Preventsys 9.3. ROLES • Tool Administrator 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 24 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 25. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 9.5. BUSINESS RULES DESCRIPTION 1 When scheduling a vulnerability assessment, the format of the date and time must be yyyy-mm- ddTHH:mm:ss (for example, 2004-07-27T22:36:20) and is always in GMT. 2 The business unit control owners will determine when to run a vulnerability assessment 3 The Tool Administrator will ensure that the QualysGuard results accurately populate to Preventsys. 4 Only servers that are categorized into a network group will be targeted for vulnerability assessments. 5 Servers IP addresses will be set up into a Network Group based on the combination of physical asset and operating system. 6 If a server has multiple IP addresses, the Asset Owner must identify the single instance of IP address and Operating System that should be assigned to a network group and targeted for vulnerability assessments. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 25 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 26. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 9.6. ASSESSMENT SCHEDULE ASSESSMENT NAME TYPE NETWORK GROUP SCHEDULE COMMENTS 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 26 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 27. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION 10.1. OVERVIEW The ability to analyze and prioritize vulnerabilities based on criticality level and at the same time evaluate the impact to the business can be difficult. Although a vulnerability’s criticality level may be justifiably accurate when it is reported back into the Preventsys system, there will be many instances where it will be difficult to assess and classify the vulnerability. Those instances will require meticulous assessment and possibly a review session involving several vulnerability management team members. The proposed activities to help manage this process are illustrated in section 10.4 High-Level Process Flow Diagram. 10.2. ROLES • Control Owner • Remediation Analyst • Reporting Analyst • Information Security 10.3. SYSTEMS • Preventsys 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 27 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 28. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 10.4. HIGH-LEVEL PROCESS FLOW DIAGRAM 10.5. BUSINESS RULES DESCRIPTION 1 A global vulnerability scan will be run every month, and vulnerabilities must be remediated and in compliance on a quarterly basis. (The business shall establish a quota guideline in relation to the number or percentage of vulnerabilities that must be in compliance within the 90 day period) 2 The vulnerability scan cycle is as follows: Day 0: Baseline results that must be remediated on Day 90 Day 30: Opportunity 1 to verify remediated vulnerabilities Day 60: Opportunity 2 to verify remediated vulnerabilities 3 Remediation tasks will be assigned by a member of the server team responsible for the server, or automatically (per business rules provided by the applicable server team) 4 Compliance of vulnerabilities will be achieved within 90 days of the Day 0 scan. (The business shall establish a quota guideline in relation to the number or percentage of vulnerabilities that must be in compliance within the 90 day period). 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 28 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 29. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . DESCRIPTION 5 An executive report will be produced for the Day 0 vulnerability scan and the Day 90 vulnerability scan. 6 Vulnerabilities identified as Accepted Risk or False Positives must be accompanied with an explanation regarding the status and clearly defined in the Preventsys system. 7 During Compliance Validation, the (TBD) will review and approve Accepted Risks or False Positives. 8 When Preventsys remediation tickets are automatically generated after each assessment, they must be assigned to a Remediation Analyst within (X) amount of time. 9 Remediation activities will require adherence to the change control process. 10 Remediation reporting and trending analysis should be regularly checked by business unit control owners. 11 Reports should be saved in .PDF format prior to publishing. 12 Information Security must review scan data for accuracy and validate that the data meets compliance audit standards. 13 Business unit owners must review scan data for accuracy. 14 All vulnerabilities and violations with a criticality level of 70 or higher will be assigned immediately to a Remediation Analyst. 15 All vulnerabilities and violations with a criticality level of 69 or lower will be assigned, but will be lower priority to 70 or higher vulnerabilities. 16 No vulnerability will be unassigned. 17 The Control Owner will assess the results of each vulnerability test, and will provide feedback on any results that warrant additional information prior to executive reporting. 18 Remediation plans will be reviewed with Change Control to schedule remediation activities when necessary. 19 Validation scans will be run every 3 weeks. 20 After each Validation Scan is performed, all assigned tasks that are not already set to Claimed/Resolved, Accepted Risk or False Positive should be set to Claimed/Resolved. 21 Remediation Task due dates will be scheduled by the Control Owner. 22 Remediation Tasks will be closed by the person assigned to the task. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 29 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 30. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 11. MCAFEE TEST PROCESS 11.1. OVERVIEW As is the case for any software application, McAfee products are frequently updated and require the appropriate personnel to administer the updated patches and install new versions. In section 11.3 below, a proposed process is illustrated to ensure that the appropriate personnel are accountable for the activities involving testing of new patches or versions of McAfee products and subsequently, the appropriate communication protocols are followed so that all impacted vulnerability management team members are well informed. 11.2. ROLES • Tool Administrator • Information Security • ePO Global Administrator • Site Administrator 11.3. HIGH-LEVEL PROCESS DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 30 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 31. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 11.4. BUSINESS RULES DESCRIPTION 1 The Tool Administrator will update the appropriate McAfee product on as needed basis. 2 Prior to releasing any updates to a McAfee product the ePO Global Administrator will communicate to all impacted vulnerability management team personnel. 3 Prior to releasing any updates to production, any McAfee update version or patch will be thoroughly tested. 4 The ePO Global Administrator will notify Change Control and Site Administrators immediately after the change is implemented. 5 < insert additional Business Rule identified > 6 < insert additional Business Rule identified > 7 < insert additional Business Rule identified > 8 < insert additional Business Rule identified > 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 31 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 32. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 12. MCAFEE DEPLOYMENT PROCESS 12.1. OVERVIEW Subsequent to testing of a McAfee product, the appropriate vulnerability management team members will engage in a deployment process to ensure the implementation is performed efficiently and has minimal disruption to the normal courser of vulnerability management activities. Section 12.3 illustrates the proposed process for managing deployments of McAfee products. 12.2. ROLES • Site Administrator • ePO Global Administrator • Change Control 12.3. HIGH-LEVEL PROCESS DIAGRAM 12.4. BUSINESS RULES DESCRIPTION 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 32 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 33. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 1 2 3 4 5 6 7 8 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 33 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 34. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13. MCAFEE POLICY CHANGES 13.1. OVERVIEW 13.2. ROLES • Site Administrator • ePO Global Administrator • Change Control 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 34 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 35. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13.3. HIGH-LEVEL PROCESS DIAGRAM 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 35 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 36. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 13.4. BUSINESS RULES DESCRIPTION 1 Policy changes are made by the ePO Global Administrator only. 2 A baseline policy shall be implemented by all regions. 3 Any exception to the baseline policy shall be configured as an exception rule in ePO rather than an alternative policy (Unless it is determined that an alternative policy is necessary). 4 Site Administrators are responsible for the management of an alternative policy, if it is determined that it does not apply globally, otherwise the ePO Global Administrator will be responsible. 5 Site Administrators will complete testing within the agreed upon timeframe 6 7 8 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 36 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 37. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS 14.1. OVERVIEW Management of any organization would mutually agree that a proactive approach spending some time routinely assessing procedures in any new process and discussing ideas for process improvement would help to avoid unforeseeable issues and be beneficially cost effective. 14.2. ROLES • Site Administrator • ePO Global Administrator • Global Support Desk (GSD) 14.3. HIGH-LEVEL PROCESS DIAGRAM 14.4. BUSINESS RULES DESCRIPTION 1 2 3 4 5 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 37 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 38. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 38 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.
  • 39. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C . 15. APPENDICES 15.1. VULNERABILITY MANAGEMENT FRAMEWORK TEAM Region Contact Department Role Phone E-Mail Asia Pacific TBD North America TBD Latin America TBD UK TBD 15.2. TCP AND UDP PORTS 15.2.1. TCP Ports TCP stands for Transmission Control Protocol. Using this method, the computer sending the data connects directly to the computer it is sending the data it to, and stay connected for the duration of the transfer. With this method, the two computers can guarantee that the data has arrived safely and correctly, and then they disconnect the connection. This method of transferring data tends to be quicker and more reliable, but puts a higher load on the computer as it has to monitor the connection and the data going across it. A real life comparison to this method would be to pick up the phone and call a friend. You have a conversation and when it is over, you both hang up, releasing the connection. 15.2.2. UDP Ports UDP stands for User Datagram Protocol. Using this method, the computer sending the data packages the information into a nice little package and releases it into the network with the hopes that it will get to the right place. What this means is that UDP does not connect directly to the receiving computer like TCP does, but rather sends the data out and relies on the devices in between the sending computer and the receiving computer to get the data where it is supposed to go properly. This method of transmission does not provide any guarantee that the data you send will ever reach its destination. On the other hand, this method of transmission has a very low overhead and is therefore very popular to use for services that are not that important to work on the first try. A comparison you can use for this method is the plain old US Postal Service. You place your mail in the mailbox and hope the Postal Service will get it to the proper location. Most of the time they do, but sometimes it gets lost along the way. UDP Ports are used for connections that don’t necessarily need to response from the client, such as streaming video. 401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc Template 080825 39 of 39 Printed: 4/7/2016 © 2008 120VC Holdings, Inc. All rights reserved.