Network Vulnerability Assessment

You're reading from Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure

Product type: Paperback
Published in: Aug 2018
ISBN-13: 9781788627252
Length: 254 pages
Edition: 1st Edition
Author: Sagar Rahalkar

Policy versus procedure versus standard versus guideline

From a governance perspective, it is important to understand the difference between a policy, procedure, standard, and guideline. Note the following diagram:

  • Policy: A policy is always the apex among the other documents. A policy is a high-level statement that reflects the intent and direction from the top management. Once published, it is mandatory for everyone within the organization to abide by the policy. Examples of a policy are internet usage policy, email policy, and so on.
  • Standard: A standard is nothing but an acceptable level of quality. A standard can be used as a reference document for implementing a policy. An example of a standard is ISO 27001.
  • Procedure: A procedure is a series of detailed steps to be followed for accomplishing a particular task. It is often implemented or referred to in the form of a standard operating procedure (SOP). An example of a procedure is a user access control procedure.
  • Guideline: A guideline contains additional recommendations or suggestions that are not mandatory to follow. They are best practices that may or may not be followed depending on the context of the situation. An example of a guideline is the Windows security hardening guideline.

Vulnerability assessment policy template

The following is a sample vulnerability assessment policy template that outlines various aspects of vulnerability assessment at a policy level:

<Company Name>
Vulnerability Assessment Policy

Name

Title

Created By

Reviewed By

Approved By

Overview

This section is a high-level overview of what vulnerability management is all about.

A vulnerability assessment is a process of identifying and quantifying security vulnerabilities within a given environment. It is an assessment of information security posture, indicating potential weaknesses as well as providing the appropriate mitigation procedures wherever required to either eliminate those weaknesses or reduce them to an acceptable level of risk.

Generally, a vulnerability assessment follows these steps:

  1. Create an inventory of assets and resources in a system
  2. Assign quantifiable value and importance to the resources
  3. Identify the security vulnerabilities or potential threats to each identified resource
  4. Prioritize and then mitigate or eliminate the most serious vulnerabilities for the most valuable resources

Purpose

This section is to state the purpose and intent of writing the policy.

The purpose of this policy is to provide a standardized approach towards conducting security reviews. The policy also identifies roles and responsibilities during the course of the exercise until the closure of identified vulnerabilities.

Scope

This section defines the scope for which the policy would be applicable; it could include an intranet, extranet, or only a part of an organization's infrastructure.

Vulnerability assessments can be conducted on any asset, product, or service within <Company Name>.

Policy

The team under the authority of the <Designation> would be accountable for the development, implementation, and execution of the vulnerability assessment process.

All the network assets within <Company Name>'s network would comprehensively undergo regular or continuous vulnerability assessment scans.

A centralized vulnerability assessment system will be engaged. Usage of any other tools to scan or verify vulnerabilities must be approved, in writing, by the <Designation>.

All the personnel and business units within <Company Name> are expected to cooperate with any vulnerability assessment being performed on systems under their ownership.

All the personnel and business units within <Company Name> are also expected to cooperate with the team in the development and implementation of a remediation plan.

The <Designation> may direct that third-party security companies be engaged to perform the vulnerability assessment on critical assets of the company.

Vulnerability assessment process

This section provides a pointer to an external procedure document that details the vulnerability assessment process.

For additional information, go to the vulnerability assessment process.

Exceptions

It’s quite possible that, for some valid justifiable reason, some systems would need to be kept out of the scope of this policy. This section instructs on the process to be followed for getting exceptions from this policy.

Any exceptions to this policy, such as exemption from the vulnerability assessment process, must be approved via the security exception process. Refer to the security exception policy for more details.

Enforcement

This section is to highlight the impact if this policy is violated.

Any <Company Name> personnel found to have violated this policy may be subject to disciplinary action, up to and including termination of employment and potential legal action.

Related documents

This section is for providing references to any other related policies, procedures, or guidelines within the organization.

The following documents are referenced by this policy:

  • Vulnerability assessment procedure
  • Security exception policy

Revision history

Date | Revision number | Revision details | Revised by
MM/DD/YYYY | Rev #1 | Description of change | <Name/Title>
MM/DD/YYYY | Rev #2 | Description of change | <Name/Title>

This section contains details about who created the policy, timestamps, and the revisions.

Glossary

This section contains definitions of all key terms used throughout the policy.
