Network Administration Group
Procedures for Implementing Vulnerability Policy
The following are the procedures to be followed to implement the
policy on vulnerability management with respect to devices
allowed to receive network traffic initiated by other devices
outside the ENCS network:
- All security holes will be reported by e-mail to the RP,
Admin and User recorded in the network database.
- Machines with already exploited holes will have their
network connection blocked, or will be placed in "network
quarantine", depending on the severity of the case.
- If a machine/port has a remotely exploitable hole
allowing execution of arbitrary code and for which
an exploit is known to be publicly available, it will
be blocked at the firewall immediately, and
accessibility only reestablished when the vulnerability
no longer exists.
- If a machine/port has a remotely exploitable hole
allowing execution of arbitrary code and for which no
exploit is known to be publicly available, the RP/Admin/User
will be allowed a grace period of 5 working days
to fix the problem. If after the grace period, the
vulnerability still exists, the RP/Admin/User will be
notified by e-mail and the access to the vulnerable port(s)
will be blocked at the firewall, with accessibility only
reestablished when the vulnerability no longer exists.
- If a machine/port has a vulnerability that is NOT
remotely exploitable, or does NOT permit the execution of
arbitrary code, the RP/Admin/User will be allowed a grace
period of 30 days to fix the problem. If after
the grace period, the vulnerability still exists, the
RP/Admin/User will be notified by e-mail and the access
to the vulnerable port(s) will be blocked immediately at
the firewall, with accessibility only reestablished when
the vulnerability no longer exists.
- Outward-facing ports must permit Nessus scans;
if no Nessus scan is accepted for 30 days, the
firewall exception for that port is removed.
- In individual cases, full-time AITS network
administration staff and full-time faculty
members may together negotiate modifications to the terms
and conditions of the procedures above, with the modifications
recorded in an RT ticket.
- Notwithstanding any of the articles above, AITS staff
may, as permitted in their mandate, take any special
action required to protect the security and integrity of
the ENCS network.
- A dispute regarding the application of policy as
expressed above may be brought by a faculty member to
the Director or the Associate Director of AITS for timely
resolution.
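The tiers above form a small decision procedure: the attributes of a finding (already exploited, remotely exploitable, arbitrary code execution, public exploit available) determine whether the port is blocked at once or the RP/Admin/User gets a 5-working-day or 30-day grace period, and a port whose Nessus scans have not been accepted for 30 days loses its firewall exception. The following Python is an added worked example of that mapping, not code from AITS or from this page; the Finding fields, the Action labels, the assumption that "working days" means Monday to Friday with no holiday calendar, and the sample dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Action(Enum):
    # Constructed labels for the three outcomes the procedure describes.
    ISOLATE = "block network connection or place in network quarantine (by severity)"
    BLOCK_NOW = "block port at the firewall immediately"
    GRACE = "notify RP/Admin/User; block port at the firewall if unfixed by deadline"


@dataclass(frozen=True)
class Finding:
    # Hypothetical record of one scan finding on an outward-facing port.
    host: str
    port: int
    remotely_exploitable: bool
    arbitrary_code_execution: bool
    public_exploit_available: bool
    already_exploited: bool = False


def add_working_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday working days from start.

    Assumption: no holiday calendar is modelled; a real deployment would
    consult the institution's list of non-working days.
    """
    current = start
    remaining = n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def triage(finding: Finding, reported_on: date) -> tuple[Action, date]:
    """Map a finding to the procedure's action and the date it takes effect.

    Order matters: an already-exploited machine is isolated regardless of
    the other attributes, then remote code execution with a public exploit
    is blocked at once, then the two grace-period tiers apply.
    """
    if finding.already_exploited:
        return Action.ISOLATE, reported_on
    if finding.remotely_exploitable and finding.arbitrary_code_execution:
        if finding.public_exploit_available:
            return Action.BLOCK_NOW, reported_on
        # No public exploit known: 5 working days to fix.
        return Action.GRACE, add_working_days(reported_on, 5)
    # Not remotely exploitable, or no arbitrary code execution: 30 days.
    return Action.GRACE, reported_on + timedelta(days=30)


def scan_exception_expired(last_accepted_scan: date, today: date) -> bool:
    """True when no Nessus scan has been accepted for 30 days, so the
    firewall exception for the port is to be removed."""
    return (today - last_accepted_scan).days >= 30


if __name__ == "__main__":
    # Constructed sample findings reported on Friday 2014-09-19.
    reported = date(2014, 9, 19)
    samples = [
        Finding("host-a.example", 22, True, True, True),
        Finding("host-b.example", 443, True, True, False),
        Finding("host-c.example", 8080, True, False, False),
        Finding("host-d.example", 25, True, True, False, already_exploited=True),
    ]
    for f in samples:
        action, deadline = triage(f, reported)
        print(f"{f.host}:{f.port} -> {action.value} (effective {deadline})")
    print("scan exception expired:",
          scan_exception_expired(date(2014, 8, 1), date(2014, 9, 19)))
```

Running the script prints one line per sample finding with the action and its effective date; the 5-working-day deadline for a Friday report lands on the following Friday, while the 30-day tier is a plain calendar offset.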
Author: Michael Assels
Credits: Anne Bennett, Joel Krajden
Last update: 2014/09/19 -- Michael Assels