Article 45 – Information Security
49020.14 Technical Vulnerabilities Management
Technical vulnerability management shall be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness.

A current and complete inventory of information assets will be maintained. Specific information gathered should include software vendor, version numbers, software installed, and person(s) responsible for the software installation. Appropriate timely action shall be taken in response to the identification of potential technical vulnerabilities. The following should be established:

- EIS (Enterprise Information Services, formerly Information Services Division) shall define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;
- Information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology (based on the asset inventory list); these information resources should be updated based on changes in the inventory, or when other new or useful resources are found;
- A timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
- Once a potential technical vulnerability has been identified, EIS (Enterprise Information Services, formerly Information Services Division) shall identify the associated risks and the actions to be taken;
- Depending on the urgency with which a technical vulnerability needs to be addressed, the action taken shall be carried out according to change control procedures or by following the Department’s information security incident response procedures;
- If a patch is available, the risks associated with installing the patch should be assessed (the risks posed by the vulnerability should be compared with the risk of installing the patch);
- Patches should be tested and evaluated before they are installed to ensure they are effective and do not result in side effects that cannot be tolerated; if no patch is available, other controls should be considered, such as:
  - Turning off services or capabilities related to the vulnerability;
  - Adapting or adding access controls, e.g., firewall rules, at the network border;
  - Increased monitoring to detect or prevent actual attacks;
  - Raising awareness of the vulnerability.
Employees, contractors, and third-party users of information systems and services shall not attempt to prove suspected security vulnerabilities. Testing vulnerabilities may be interpreted as a potential misuse of the system and could cause damage to the information system or service and result in disciplinary actions for the individual performing the test.