Policy Template for Vulnerability Scanning
1.0 Purpose
The purpose of this policy is to set baseline requirements for the application and network security scanning and penetration tests that external security vendors perform for {{organization.name}}. {{organization.name}} engages a third-party vulnerability vendor to scan critical systems on a periodic or ongoing basis. External vendors shall use commercially accepted tools to perform electronic scans of {{organization.name}}'s applications, networks and firewalls, or of any other system owned by {{organization.name}}.
Audits may be conducted to:
Ensure integrity, confidentiality and availability of information and resources
Investigate possible security incidents
Ensure conformance to {{organization.name}}'s security policies
Monitor user or system activity where appropriate
2.0 Scope
This policy covers all computer and communication devices owned or operated by {{organization.name}}. It also covers any computer or communications device that is present on {{organization.name}} premises but is not owned or operated by {{organization.name}}.
3.0 Policy
3.1 Vulnerability Scan Frequency
All devices shall be scanned on a defined recurring schedule and additionally on request or as needed. The schedule shall provide for an assessment at least once per month for servers and sensitive hosts, and at least once per quarter, using a rolling scan, for all other devices on the network.
3.2 Scan Targets
All devices connected to either public or private segments of the network shall be scanned. Scan targets are defined by individually specified address spaces, Active Directory queries, cloud resource inventories, and locally installed agents.
3.3 External vendors for vulnerability scanning
When requested for the purpose of performing an audit, the access required will be granted to members of the external security vendor. {{organization.name}} hereby consents to allow external vendors to access its networks and/or firewalls to the extent necessary for the vendor to perform the scans authorized in this agreement. {{organization.name}} shall provide the protocols, addressing information, and network connections needed for the vendor's scanning software to operate.
This access may include:
User level and/or system level access to any computing or communications device
Access to information (electronic, hard copy, etc.) that may be produced, transmitted or stored on {{organization.name}} equipment or premises
Access to work areas (labs, offices, cubicles, storage areas, etc.)
Access to interactively monitor and log the traffic on {{organization.name}} networks.
If the network to be scanned is not fully controlled by {{organization.name}} (for example, where Internet service or hosting is provided by a second or third party), those parties are required to approve the scanning in writing before any scanning occurs outside of the {{organization.name}} LAN.
Network performance and/or availability may be affected by application and network scanning. {{organization.name}} releases the external security vendor from any and all liability for damages that may arise from network availability disruptions caused by scanning within the scope of the agreement, unless such damages are the result of the security vendor's gross negligence or intentional misconduct.
Penetration testing conducted on Amazon Web Services must adhere to the AWS Customer Support Policy for Penetration Testing (https://aws.amazon.com/security/penetration-testing/), which should be reviewed before each engagement, as the list of covered services changes over time. In general, the following table describes services that permit penetration testing and activities that are prohibited:
Permitted Services | Prohibited Activities
Neither {{organization.name}} nor authorized third parties are permitted to conduct security assessments of AWS infrastructure or of the AWS services themselves. Should {{organization.name}} discover a security issue within any AWS service in the course of a security assessment, the issue must be raised as an internal security incident and immediately reported to aws-security@amazon.com.
3.4 Client Point of Contact During the Scanning Period
{{organization.name}} shall identify in writing a person who will be available during the scanning period in case the security vendor has questions regarding discovered data or requires assistance.
3.5 Scanning period
{{organization.name}} and the security vendor's Scanning Team shall identify in writing the allowable dates for the scan to take place.
4.0 Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.