New Policy | Policy and Information Flow



A VM compliance policy is sometimes necessary to enforce remediation activities. Depending on your organization, a policy that directs IT managers to make remediation a priority is helpful. The policy should provide for the following:
  • Prioritization of vulnerabilities: The vulnerabilities found will be prioritized. In many cases, more vulnerabilities are found than can possibly be fixed in a reasonable amount of time, so you will have to specify what gets done first. You may even want a policy statement specifying the circumstances under which systems administrators should drop everything they are doing and either remediate or shut down the system in question.
  • Valuation of assets: Every system is a company asset. It has to be given a value, which can be used in the prioritization process. 
  • Time limits: Depending on the severity and type of vulnerability, time limits for remediation must be set. This is, in effect, an SLA for the organization. You will have to consider the risk or threat to the organization based on several criteria. Those criteria, however, would be left to a supporting standard.

Usage Policy

Another important type of policy pertains to the usage of the VM system itself. This policy would highlight key operational constraints. Among the types of constraints necessary are the following:
  • Types of systems exempt from scanning: This can include other security devices or critical network devices that are known to be adversely affected by scanning.
  • Operational requirements for scanning approval: Scanning requires the consent of the system owner and/or administrator.
  • SLA parameters: This requirement specifies what parameters must be included in any scan specification for a given network or group of targets. This might include time of day, bandwidth limitations, operational impact assessment, and scan termination request response time. These parameters in particular are important to maintaining a healthy relationship with system owners. If scans interfere with the systems and their operating environment, system owners are not likely to grant ongoing permission to continue scanning.


Ownership and Responsibilities

Once a system proves itself to be a powerful tool in managing a critical part of the enterprise, questions such as “who is responsible for the scanning schedule?” and “who decides what gets scanned and when?” are likely to arise. These questions are reasonable, given the insecurity that comes with what is perceived as an invasive activity. The best thing to do is avoid contention over these issues by getting it all decided in advance. Be forewarned that ambiguity is the enemy of process.
The first step in establishing clear ownership is to build it into the policy. The roles for key functions in the process should be clearly specified by title. At a minimum, these roles must include the following:
  • Scan parameters definition: The business and technical parameters used for scanning must be defined and carefully controlled. Although others may participate in the process of scanning, careless changes to parameters can cripple a host or an entire network.
  • Scan scheduling: The schedule for a scan has a lot of thought built into it. These considerations should not be trifled with. A change in a schedule can have as big an impact on business operations as a change in parameters.
  • Report distribution: Vulnerability reports are confidential data. In the wrong hands, these reports can be very damaging. For a hacker or motivated, disgruntled employee, a vulnerability report is a road map to trouble.
  • Local host remediation: When a host cannot be patched or fixed through an enterprise host management tool, it has to be remediated by a local administrator or other individual appropriate to your organization.
  • Global remediation: In contrast to local host remediation, global tools remediate hosts over the network. One or more organizations are responsible for this remediation. For example, the desktop team may be responsible for general host patching, while the security group may have to keep anti-virus and encryption programs updated. All such organizations should be identified in advance and made active participants in and contributors to VM process development.
