South Plains College

Information Services (SPC-IS)

Vulnerability Scanning Standard: I-E(d)

Purpose and Benefits

South Plains College utilizes automated tools to scan systems, computing and network devices, web applications, and code. The results of these scans help inform management and system administrators of known and potential vulnerabilities.

Vulnerability management is a process by which the vulnerabilities identified through scanning are tracked, evaluated, prioritized, and managed until the vulnerabilities are remediated or otherwise appropriately resolved. Managing the vulnerabilities identified during scans ensures that appropriate actions are taken to reduce the potential that these vulnerabilities are exploited and thereby reduce the risk of compromise to the confidentiality, integrity, and availability of information assets.

Information Statement

The Information Security Policy: I-A states that all systems must be scanned for vulnerabilities. Each system must also be inventoried, and an individual or group must be responsible for maintenance and administration.

Types of Scans

The type of vulnerability scans appropriate for a given target depends on the target type (e.g., hardware, software, or source code) and the target’s location (e.g., internal or external to the network). The table below lists the types of vulnerability scans required by this standard.

 

Type

Description

External Infrastructure Scan

Scans of the perimeter of networks or any externally available hosted infrastructure to identify potential vulnerabilities in Internet-accessible IT infrastructure.

Internal Infrastructure Scan

Scans of IT infrastructure on protected networks or any hosted infrastructure to identify potential vulnerabilities.

“Lite” Web Application Scan

Cursory unauthenticated scans of externally facing production web applications to identify security vulnerabilities.

In-depth Web Application Scan

When implemented, authenticated in-depth scans of web applications to identify security vulnerabilities.

Application Source Code Analysis

Scans of application source code run during development to identify problems in the code that could cause potential vulnerabilities.

 

Scanning

The ISO is responsible for confirming that vulnerability scans are conducted. SPC must use a scanning tool approved by the ISO or designated security representative. Any approved scanning tool must be able to provide remediation suggestions and associate a severity value to each vulnerability discovered based on its relative impact on the affected system. 

As per the Information Classification Standard: I-F, scan reports are classified with moderate confidentiality and integrity and should be protected.

SPC-IS must provide the ISO or designated security representatives with all external IP addresses and Uniform Resource Locators (URLs) for all externally facing web applications.

Network and system administrators must provide sufficient access for the vulnerability scan engine to scan all system services. No devices connected to the network shall be specifically configured to block vulnerability scans from authorized scanning engines.

Scans must be performed within the system development life cycle (see SSDLC Standard: I-E) while in pre-deployment environments when deployed into the target implementation environment and periodically after that as specified below:

  1. Pre-deployment scans occur before the move of the system or web application to the target implementation environment:
  1. All systems must undergo an authenticated internal infrastructure scan, where technically feasible or required, before being deployed to the target implementation environment. Any infrastructure vulnerability discovered must be remediated or determined to be a false positive or insignificant risk by the Information Security Officer (ISO) or designated security representative before the system is deployed for the intended use.
  2. When source code is available, applications must undergo source code scanning before the updated code moves into the target implementation environment if the application code has changed.
  3. Scans must be authenticated when the application requires authentication before being deployed into the target implementation environment or into an environment that is externally accessible. When authentication is required to access the application, scans must be run with authenticated access at each access level (e.g., user, admin) supported by the application, except where limitations in the tool prevent authenticated scanning. Any web application vulnerability discovered must be remediated or determined to be a false positive or insignificant risk by the ISO or designated security representative before the system is placed into the target implementation environment. 
  4. Any system or application deployed to its target implementation environment with un-remediated vulnerabilities must have a formal remediation plan and the documented approval of the executive responsible for risk management or their designee.
    1. Implementation scans occur the first time a system or web application is moved to its target implementation environment:
  5. Systems must be scanned immediately upon being placed into the target implementation environment with an authenticated internal infrastructure scan, where technically feasible or required. If the system is accessible from the Internet or an external network, it must be scanned with an external infrastructure scan.
  6. Web applications must be scanned within the first month of being placed into the target implementation environment. If feasible, an authenticated in-depth web application scan is required, but at minimum, a “lite” scan is needed. The application's sensitivity and criticality must be considered when determining the schedule for the initial implementation scan.
    1. Recurring Scans: After the initial scan in the target implementation environment, the frequency of scans is to be determined according to the system or application’s risk rating (see Table 2).
  7. When performing internal infrastructure scans on systems built using a shared image, such as workstations, scans may be run on a sampling of systems, but the sample set must vary from scan to scan.
  8. Production web applications must undergo recurring scans, at minimum recurring “lite” application scans.
  9. All vulnerabilities found during scans must be addressed per the remediation section

Determine Risk Rating and Frequency of Scans

The risk that vulnerabilities pose to systems and applications is based on the likelihood of a vulnerability being exploited and the impact of the information assets' confidentiality, integrity, or availability being compromised. The possibility of a vulnerability being exploited is increased in direct relation to the system’s or application’s accessibility from other systems.

The impact on information assets is based on their information classification (see Information Classification Standard: I-F). Suppose confidentiality, integrity, or availability is compromised. In that case, the impact (i.e., high, moderate, or low) must be considered, and the highest individual impact rating for confidentiality, integrity, or availability is utilized within the table below.

Table 2: RISK RATING

Impact

(Confidentiality, Integrity, Availability)

Exposure

Systems with no network connectivity to production data

           

Systems with network connectivity to production data (not internet-facing)

A system that is publicly available on the internet

High

Medium

High

High

Medium

Low

Medium

High

Low

Low

Low

Medium

The minimum frequency of scans is dependent on the risk rating. Systems without a risk rating must be scanned as if they had a " High " risk rating until they are rated.

 

 

 

TABLE 3: FREQUENCY OF SCANS

Risk Rating

Frequency

Infrastructure scans

High

Monthly

Medium

Quarterly

Low

Semi-annually

Web Application Scans

High

Quarterly or after a significant change

Medium

Semi-annually

Low

Annually

 

Remediation

Vulnerabilities discovered during scans must be remediated based on risk rating (see Table 2) and vulnerability severity identified by the scanning tool as per the table below.

TABLE 4: REMEDIATION TIMEFRAMES

Risk Rating (from Table 2)

Vulnerability Severity

Low or Below

Above Low to Below High

High or Above

High

At the discretion of the ISO/designated security representative

Action Plan in 2 Weeks, Resolved in 6 Months

Action Plan in 1 Week, Resolved in 1 Month

Medium

At the discretion of the ISO/designated security representative

Action Plan in 3 Weeks, Resolved in 1 year

 Action Plan in 2 Weeks, Resolved in 6 Months

Low

At the discretion of the ISO/designated security representative

At the discretion of the ISO/designated security representative

Action Plan in 3 Weeks, Resolved one year

The ISO or designated security representative may review vulnerabilities to adjust the severity rating.  Testing must be done to verify that remediation has been completed.

Individuals managing vulnerability scans must notify the ISO or designated security representative within one business day of scan completion for new vulnerabilities and at least monthly for vulnerabilities not remediated on systems or applications running in production.

The ISOs or designated security representatives must notify management of vulnerabilities not addressed in the timeframes prescribed in this standard so that the appropriate party can accept the risk.

Compliance

This standard shall take effect upon publication. Compliance is expected with all enterprise policies and standards.  Policies and standards may be amended at any time; compliance with amended policies and standards is expected.

If compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a business function, Entities shall request an exception through the Chief Information Security Officer’s exception process.

Related Documents

1 TAC § 202.74 (a)(2)

 

Patch Management Standard: I-E(b)

An index of approved SPC-IS policies can be found on the SPC Policies website at http://www.southplainscollege.edu/human_resources/policy_procedure/?%20.  The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.

Texas Security Controls Standards Catalog Control Group: CA-8, RA-5

NIST Function Groups: DE.AE-3, DE.CM-1, DE.CM-4, DE.CM-7

 

 

Section A: District Legal Status, History and Purpose

AA. College District Legal Status and History (BP)
AB. College Name (BP)
AC. System of Governance (BP)
AD. College District Geographic Boundaries and Service Area (BP)
AE. Educational Role and Mission, Purpose and Responsibility (BP)
AF. Vision Statement and Organizational Values

Section B: Governance, Executive Functions and Organization

BA.   Purpose, Powers and Responsibilities of the Board
BAB. Specific Duties of the Board (BL)
BAC. Rights and Responsibilities of the Board (BL)
BB.   Eligibility and Qualifications for Serving on the Board of Regents (BL)
BBA. Election of Board Members (BL)
BBB. Orientation and Professional Development of Board Members (BL)
BBC. Election of Board Officers (BL)
BBD. Duties of the Chairman of the Board (BL)
BBE. Duties of the Vice Chairman (BL)
BBF. Duties of the Secretary (BL)
BC.   Regular Board Meetings (BL)
BCA. Special Meetings (BL)
BCB. Official Business at Regular and Special Meetings (BL)
BCC. Quorum Necessary for Transaction of Business (BL)
BCD. Order of Business (BL)
BCE. Rules of Order (BL)
BCF. Public Participation (BL)
BCG. Board Self Evaluation
BD.   Board Committees (BL)
BE.   Conventions, Conferences and Workshops (BP)
BF.   Policy and By-Law Development (BP)
BFA. Amendments to the By-Laws (BL)
BG.  Board Member Statement of Ethics
BGA. Standards of Conduct and Conflict of Interest
BGAA. Conflict of Interest Disclosure
BGB. Code of Ethics (BP)
BH.  Board Vacancies
BHA. Removal from Office
BI.   Employment of the College President (BL)
BIA. Qualifications of the President (BP)
BIB. The College President as the Executive Officer (BP)
BIC. Evaluation of the President (BP)
BID. Administrative Organization Plan (BP)
BIDA. College Organizational Chart (PDF file opens with Acrobat Reader, 380kb)
BIE. Administrative Rules and Regulations (BP)
BIF. Planning and Institutional Effectiveness (BP)
BJA. Employment of Independent Auditor (BP)
BJB. Employment of College Attorney (BP)
BJC. Selection of Chief Tax Officials (BP)
BK. Relationship between South Plains College and the South Plains College Foundation, Inc. (BP)
BKA. Foundation Administration and Investment of Funds (BP)
BKB. Use of Employees or Property of the College by the Foundation (BP)
BKC. Officer/Director of the College (BP)
BKD. Acceptance of Gifts by the College (BP)
BL. Accreditation (BP)
BLA. Substantive Change

Executive Officers of the College
BMA. Vice President for Academic Affairs
BMB. Vice President for Student Affairs
BMC. Vice President for Business Affairs
BMD. Vice President for Institutional Advancement
Instructional Deans of the College
BME. Dean of Arts and Sciences
BMF. Dean of Health Sciences
BMG. Dean of Technical Education
BMH. Dean of Dual Credit & Early College Programs
Student Services Deans of the College
BMI. Dean of Enrollment Services
BMJ. Dean of Students
BMK. Associate Dean of Students
BN.   Executive Council
BO.  Administrative Council
BP.  Advisory Board By-Laws
BQ. Technical Advisory Committee By-Laws

Section C: Business Services

CA. The College Budget (BP)
CB. Purchase of Supplies and Equipment for the College (BP)
CBA. Purchasing Operating Policy
CBB-E. Price Quote/Bid Certificate
CBC. Food Purchase Policy
CBE. Procurement Card Policy
CBF. Computer and Electronic Device acquisition Policy
CC. Service and Repair of College Equipment
CD. Use of College Facilities
See Policy GD Use of College Facilities, Including Athletic and Recreational Facilities (BP)
CE. Monthly Salary Payments
See Policy DR Compensation Schedule and Options (BP)
CF. Removal of College Property from Campus
See Policy GDB Loan or Rental of College-Owned Equipment and Tools (BP)
CG. Travel Policies and Procedures
CGC-E. Travel Report-Technical Division
CGD. Vehicle and Bus Driver Policy
CGE. Travel Card Guide
CH. Joint Property Rights
CI. Telephone/Voice Mail Use
CIA. Guidelines for Setting up Voice Mail
CI.28 Privacy Policy
CI.28.1 Web Site Privacy
CI.28.2 Merchant Card Policy
CJ. Technology Acceptable Use Policy
CJ-E. E-mail Application
CJA. Electronic Messaging (all@SPC) Policy
CK. College Depository
CL. Disposal of Property
CM. Records Management Program
CMA. Records Management Schedule
CMB. Records Management of Deceased Person
CN. Internal Audits
CO. Collection of College Funds
CP. Inventory of College Equipment
CQ. Investment Management (BP)
CR. Architectural Styling, Naming of Buildings and Plaques
CRA. Naming of Buildings and College Property
CS. Financial Management of Grant Funds

Section D: Personnel

DA. Affirmative Action Plan (BP)
DAA. Americans with Disabilities Act
DB. Non-Discrimination Policy (BP)
DBA. Protection of Rights and Development
DBC. Conflict of Interest Policy
DBC-E. Disclosure Form
DBD. Intellectual Property Policy
DBDA. Student Intellectual Property Rights
DBE.  Copyright/Patent Fair Use Policy
DC. Grievance Procedure
DD. Replaced by DDA
DDA. Sexual Harassment Policy
DDB. Racial Harassment Policy
DDC. Due Process (Dismissal/Non-Renewal)
DDD. Corrective Action
DDE. Employee Conduct and Work Rules
DDEA. Smoking in the Workplace (See Policy GF)
DDF. Personal Appearance
DDG. Workplace Violence/Firearms (See Policy HHA)
DE. Substance Abuse Policy
DEA. Substance Abuse Program Implementation
DF. Employment Procedures
DFA-E. Personnel Requisition
DFB-E. Personnel Action Form
DFD-E. Affirmative Action Letter
DFE-E. Employment Application
DFEA-E. Supplement to Professional Application
DFF-E. Approval Notice and Status Change Notice
DFG-E. Application for Classified Positions
DFH-E. Part-Time Teaching Applicants
DFJ. Nepotism (BP)
DFK-E. Oath of Office Form
DFL. Definitions of Employment Status
DGA. Personnel Records and Privacy
DH. Employee Benefits Plan (BP)
DHA. Employee Benefits Program
DHAA. Sick Leave
DHB. Worker Compensation and Sick Leave
DHBA. Maintaining a Safe Work Environment
DHBB. Accident/Injury Reports
DHC. Disability Policy (BP)
DHDA. Family and Medical Leave of Absence
DHDA-E. FLMA Checklist
DHE. Personal Leave
DHF. Bereavement Leave
DHG. Professional Development Travel (BP)
DHGA. Professional Leave Approval
DHH. Professional Development Leave, Faculty (See Section 5.4 of Faculty Handbook)
DHI. Leave of Absence (BP)
DHJ. Military Leave (BP)
DHK. Vacations
DHL. Jury Duty
DHM. Group Insurance
DHN. Tax Sheltered Annuity
DHNA. South Plains College Pension Trust Fund
DHOA. Payroll Deduction
DHP. Definitions of Payroll/Personnel Actions
DI. Retirement Policies
DIA. Texas Teacher Retirement System
DIB. Optional Retirement Program (BP)
DIC. Medical Benefits Following Retirement
DID. Retirement Recognition
DIDA-E. Retirement Award
DIE. Retiree use of College Facilities
DL. Outside Employment of Faculty and Staff (BP)
DM. University Interscholastic League (UIL) Assignments and Responsibilities
DN. Parking Regulations
DO. Facility Access
DOA-E. South Plains College Key Request Form
DP. Building Security
DQ. Personnel Classifications
DQA. Employee Handbook, General
DQG. Handbook Supplement, Classified Part-Time (Class A)
DQH. Handbook Supplement, Classified Part-Time (Class B)
DQI. Handbook Supplement, Classified Full-Time (Class C)
DQJ. Handbook Supplement,  Maintenance and Custodial Personnel
DQK. Handbook Supplement, Police Officers
DQL. Handbook Supplement, Dorm Supervisor
DR. Compensation Schedule and Options (BP)
DRA. Salary Increases and Supplements (BP)
DRB. Holidays
DRC. Supplemental Pay Procedure for Exempt Employees
DRC-E. Exempt Employee Supplemental Pay Form
DTA. Evaluations- Administrators and Supervisors
DTA-E. Administrators and Supervisors Process Form
DTB. Faculty (See Section 3.4 Evaluation, Faculty Handbook)
DTC. Administrative Assistants and Clerks
DTC-E1. Personnel Assessment Process Form
DTC-E2. Physical Plant Personnel Performance Evaluation
DUA. Employee Service Awards
DXA. Exit Interviews
DXA-E. Employee Exit Interview Form
DY. Food and Drinks in Classrooms and Laboratories
DZ. Solicitation and Distribution

Section E: Faculty and Instruction

EA. Academic Freedom and Tenure (BP)
EB. Curriculum and Courses of Study (BP)
EC. Bible Instruction (BP)
ED. Honorary Degrees (BP)
EE. Faculty Handbook (BP)
EEA. Online Faculty Handbook

Section F: Student Information

FA. Admission to the College (BP)
FAA. Admission of International Students (BP)
FAB. Degree Limitation Statement
FAC. Academic Appeals Procedure
FAD. Student Records
FADA. Student Identification Number
FADB. Student Identity Verification
FB. Student Clubs and Organizations (BP)
FBA. Student Activities
FBAA. Calendar of Student Events
FBAB. Posting of Announcements and Signs
FBC. Student Newspaper (BP)
FBCA. Editorial and Advertising, Student Publications
FBD. On-Campus Speakers (BP)
FC. Intercollegiate Athletics (BP)
FCA. College Mascot (BP)
FCB. College Colors (BP)
FD. In-District Tuition (BP)
FDA. Waiver of Nonresident Tuition (BP)
FE. Travel by Student Groups
FF. Student Conduct and Discipline
FG. Student Substance Abuse Policy
FH. Sexual Harassment Policy
FI. Campus Assessment, Response and Evaluation (CARE) Team
FJ. Freedom of Expression Policy
FM. Student Grievance Procedure
FN. Compulsory Insurance for Students (BP)
FNA. Health Services
FO. Student Housing Policy (BP)
FOA. Student Housing Policy
FOB. Temporary Housing Assistance for Certain Students
FOC. Residential Housing Missing Student Notification Policy and 
         Procedures
FP. Services for Students with Disabilities
FQ. Annual Public Notice
FR. Student Financial Aid
FS. Student Counseling Center
FT. Learning Resources
FW. Texas Success Initiative (TSI)
FX. Student Correspondence Policy (Student E-Mail)
FY. Absences for Military on Active Duty
FZ. Student Death 
FZA. Student Death Protocol

Section G: Community and Government Relations

GA. Media Relations
GC. Publications and Printing Policy
GD. Use of College Facilities, Including Athletic and Recreational Facilities (BP)
GDA. Use of Facilities in Time of Disaster (BP)
GBD. Loan or Rental of College-Owned Equipment and Tools
GDC. Facility Rental Policies
GE. Use of College Food Service (BP)
GF. Smoke Free Environment
GG. Communicable Disease Policy
GH. Senior Citizens Benefits
GI. Public Complaints and Hearings (BP)
GN. Camp Programs for Minors

Section H: Support Services

HA. Library
HB. Marketing and Communications
HBA. Planning Guide for Printing, Publications, and Web Pages
HBB. College Business Cards
HC. Continuing Education
HD. Administrative Computer Center
HE. Bookstore
HF. College Post Office
HG. Maintenance/Custodial Services
HH. Campus Security
HHA. Workplace Violence and Unauthorized Weapons
HHB. Annual Disclosure of Crime Statistics
HHC. Concealed Carry of Handguns on Campus
HHD. Campus Security Camera Acceptable Use
HHE.  Campus Security Authorities (CSA)
HHF. Violent Intrusion/Action Defense Preparations
HHG. Mass Communication
HHH. Safety Program Emergency Plans and Alerts
HI. Health/Wellness Services-Levelland Campus
HJ. Food Service-Levelland Campus
HK. Severe Weather Procedures
HL. Copy Center and Reproduction Procedures
HM. College Vehicles
HN. College Web Site Policy
HO. College Stationery Policy
HP. College Logos
HQ. Photography Service
HR. Office of Human Resources
HS. Office of Development
HSA. Fundraising, Solicitation and Grant Writing
HSA-E. Fundraising Activity Approval Form
HSAA. Acceptance of Non-Cash Gifts
HSAA-E. Non-Cash Gift Acceptance Form
HT. New Student Relations
HU. Financial Aid Lender Relations Institutional Code of Conduct

Section I: Information Services

IA. Policy Compliance
IB. User Accounts Management Policy
IB-A. Data Security Risk Management
IB-B.Data-Classification-Standard
IB-C. Encryption-Standard
IC. Acceptable Use Policy
ID. Access Control Policy
ID-A. Account Management Access Control
ID-B. MFA Policy
ID-C. Auditing and Accountability 
ID-D. Security Logging Standard
ID-E. Remote Access Standard
ID-F. Wireless Network Security
IE. Secure-System-Development
IE-A. Configuration Management
IE-B. Patch Management Policy
IE-C. Secure Configuration Standard
IE-D. Vulnerability Scanning
IE-E. Sanitization Secure Disposal
IE-F. Secure Coding Standard
IF. incident Response Policy
IF-A. Cyber Incident Response
IG. Security Awareness and Training
IH. Physical and Environmental Protection