Vulnerability Assessment and Penetration Testing Policy
Security Classification: Public
Version: 1.1 (May 2025)
Overview
Vulnerability assessment and management is an essential component of any information security program; the recurring cycle of assessment and remediation is what makes vulnerability management effective. Vulnerability assessment provides visibility into the security of the assets deployed on the network, and so helps protect the intellectual property and source code that are the foundation of the KX business. It consists of scanning, identifying potential vulnerabilities, assessing their exploitability and associated risk, and ensuring that a remediation action plan is initiated.
The Common Vulnerability Scoring System (CVSS) is used to calculate the severity of each identified vulnerability.
Objective
This document lays out the policy on which the supporting process(es) are established. Its objectives are:
- To increase the security posture of KX and mitigate threats related to vulnerabilities.
- To permit authorized personnel to perform information security vulnerability assessments for the purpose of identifying areas of vulnerability.
- To plan and execute remediation actions as needed to minimize the associated risks.
Applicability and Scope
This policy applies to:
- All employees, contractors, and vendors with access to any part of KX information systems and networks.
- Remote access connections into the KX network.
- All networked, cloud or isolated information assets within or outside of KX premises, and directly or indirectly associated with the business purpose of the KX organization.
Information Asset: A definable piece of information, information processing equipment (hardware), or information system, that is recognized as “valuable” to KX. For example, server, end-user-computing device, network device, a releasable product or hosted software service.
Policy Statements
Types of Assessment
- Network Vulnerability Scanning: an inspection of the potential points of exploitation on a hardware, cloud, or network device to identify known security weaknesses. It is performed with automated vulnerability scanning software.
- Network Penetration Testing: an assessment that uses both automated tooling and manual testing to confirm the presence of vulnerabilities by actively attempting to exploit them across a network of devices.
- Application Penetration Testing: an assessment of a running application to verify the effectiveness of its security controls, identify vulnerabilities, and provide high-level guidance for remediation. This is done with a variety of tools, as outlined in the Application Security Testing Standard.
Considerations
- Assessments shall be performed during hours appropriate to the business needs of the organization and to minimize disruption to normal business functions.
- Assessments shall be performed on a non-production environment whenever possible.
- All assessment results shall be treated as CONFIDENTIAL.
- External agencies may be engaged / allowed to perform scans on an as-needed basis.
- The Vendor Management related policies shall apply to those external agencies.
Reporting
The authorized person or team performing the assessment shall produce a report with the following content:
- List of Vulnerabilities: all identified vulnerabilities, their risk and severity levels, and affected information assets.
- Recommended Remediation Steps: a detailed suggestion for each vulnerability on how it can be remediated.
- Identify Action Owners: an action owner shall be identified for each of the affected information assets. The action owner shall prepare and share an action plan.
- The action owner shall keep a record of each remediation activity and share updates until an identified vulnerability is remediated.
Remediation
All potential action owners or their respective business leaders shall agree on remediation timelines for each class of Information Asset. The agreed-upon timeline shall be documented. If any timeline commitment is not met, an exception must be initiated for that vulnerability through the Risk Management Process. This also includes applying the incident response and PSIRT (Product Security Incident Response Team) processes as applicable.
Auditability
The Information Security team reserves the right to authorize an independent internal or external audit of each information asset owner’s organization at will, or at the request of the appropriate management executive. These audits will review existing assessment reports and verify that vulnerabilities were remediated as per the agreed-upon action plan. Any discrepancies will be noted and reported to the Senior Management of the concerned organization and division executives.