SP 6-10t – Security Testing

Colorado Community College System / System Procedure


SP 6-10t

APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021

REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy

APPROVED:

/ Joe Garcia /
Joseph A. Garcia
Chancellor

BASIS

This procedure documents security testing processes followed by the Colorado Community College System and its Colleges (“CCCS”) to reduce the risk of security vulnerabilities within CCCS’s Information Technology (“IT”) environment. Vulnerabilities, if not addressed, could pose a risk of unauthorized Information System access or information loss. While it is impossible to prove a system is vulnerability free, employing continuous security testing processes increases the likelihood security vulnerabilities are identified and remediated by CCCS before they can be used for unauthorized activities.

APPLICATION

This procedure applies to Information Assets owned, leased, managed and maintained by the System Information Technology (“IT”) Department (“System IT”) or the College Information IT Department (“College IT”) or by third parties on behalf of CCCS, and employees, personnel affiliated via third party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.

DEFINITIONS

Vulnerability
Vulnerability is defined as weakness in an Information System, system security procedures, internal controls, or implementation that could been exploited or triggered by a threat source.

Vulnerability Scanning
Vulnerability Scanning is defined as inspection and detection of potential weakness in an Information System, system security procedures, internal controls, or implementation that could have been exploited or triggered by a threat source.

Penetration Testing
Penetration testing is defined as a test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an Information System.

PROCEDURE

The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents the responsibility to implement and compliance with this procedure at their respective institution.

CCCS employs a layered security testing methodology designed to identify security vulnerabilities. Testing techniques will be applied where and when applicable, based on the risk related to each Information System. Each testing technique is designed to simulate real-world attacks by scanning for known-vulnerable Information System components or interacting with the Information System while observing its behavior to identify vulnerabilities.

Each testing technique type should:

  • Be performed by qualified and authorized personnel using industry accepted methodologies.
  • Have a process to maintain an updated database of the “known-vulnerable” components or “interactions” it uses sourced from reputable external resources.

Vulnerability Scanning
Routine scans of devices connected to the CCCS’s networks must be conducted on a regular basis to identify operating system and application vulnerabilities. System IT will conduct vulnerability scanning on a periodic basis.

Penetration Testing
CCCS will conduct and document external and internal penetration testing on an as needed basis. Penetration testing should consist of network-layer, operating system-layer, and application-layer tests.

Secure Code Analysis
CCCS will conduct and document secure code analysis against internally developed CCCS applications on an as needed basis.

Social Engineering Testing
CCCS will conduct and document phishing and other social engineering tests at least annually.

Remediation of Security Vulnerabilities
Owners and administrators of systems connected to the CCCS networks must routinely review the vulnerability scan results and mitigate vulnerabilities appropriately as described in the vulnerability management process.

For identified vulnerabilities, System IT and College IT Department will:

  • Determine a risk rating for the identified vulnerability;
  • Establish a vulnerability remediation plan and assign a remediation owner;
  • Conduct retesting to provide assurance that vulnerabilities have been remediated and are no longer present in the system; and
  • Outstanding issues will be assigned and tracked.

For situations when a patch or hotfix is not available for a vulnerability or a vulnerable legacy system needs to remain in production:

  • The Exception Management Procedure (SP 6-10m, Exception Management Procedure) will be followed when a vulnerable Information Asset needs to remain in production and there is no security patch available or a security patch cannot be applied for compatibility reasons or it is too costly to replace a vulnerable legacy system.

Internal Remediation Expectations

  • Internal Vulnerability Score of 9-10 must be remediated within 30 days.
  • Internal Vulnerability score of 6-8 must be remediated within 45 days.
  • Internal Vulnerability score of 1-5 must be remediated within 90 days.

External Vulnerability Remediation Expectations (increased risk to the enterprise)

  • External Vulnerability Score of 9-10 must be remediated within 15 days.
  • External Vulnerability score of 6-8 must be remediated within 30 days.
  • External Vulnerability score of 1-5 must be remediated within 45 days.

REVISING THIS PROCEDURE

CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.