APPROVED: January 28, 2021
EFFECTIVE: January 28, 2021
REFERENCES: Board Policy (BP) 6-10, Cyber Security Policy
/ Joe Garcia /
Joseph A. Garcia
This procedure documents the security testing processes followed by the Colorado Community College System and its Colleges (“CCCS”) to reduce the risk of security vulnerabilities within CCCS’s Information Technology (“IT”) environment. Vulnerabilities, if not addressed, could pose a risk of unauthorized Information System access or information loss. While it is impossible to prove that a system is vulnerability-free, employing continuous security testing processes increases the likelihood that security vulnerabilities are identified and remediated by CCCS before they can be exploited for unauthorized activities.
This procedure applies to Information Assets owned, leased, managed and maintained by the System Information Technology Department (“System IT”), by a College Information Technology Department (“College IT”), or by third parties on behalf of CCCS, and to employees, personnel affiliated via third-party contracts, and volunteers that have access to Information Systems and Assets that are owned or leased by CCCS.
Vulnerability is defined as a weakness in an Information System, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Vulnerability Scanning is defined as the inspection and detection of potential weaknesses in an Information System, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
Penetration testing is defined as a test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an Information System.
The System Chancellor delegates to the System Vice Chancellor for Information Technology responsibility for oversight of compliance with and implementation of this procedure. Further, the System Chancellor delegates to the College Presidents responsibility for implementing and complying with this procedure at their respective institutions.
CCCS employs a layered security testing methodology designed to identify security vulnerabilities. Testing techniques will be applied where and when applicable, based on the risk related to each Information System. Each testing technique is designed to simulate real-world attacks by scanning for known-vulnerable Information System components or interacting with the Information System while observing its behavior to identify vulnerabilities.
Each testing technique type should:
Vulnerability Scanning
Routine scans of devices connected to CCCS’s networks must be conducted on a regular basis to identify operating system and application vulnerabilities. System IT will conduct this vulnerability scanning periodically.
Penetration Testing
CCCS will conduct and document external and internal penetration testing as needed. Penetration testing should consist of network-layer, operating system-layer, and application-layer tests.
Secure Code Analysis
CCCS will conduct and document secure code analysis of internally developed CCCS applications as needed.
Social Engineering Testing
CCCS will conduct and document phishing and other social engineering tests at least annually.
Remediation of Security Vulnerabilities
Owners and administrators of systems connected to the CCCS networks must routinely review the vulnerability scan results and mitigate vulnerabilities appropriately as described in the vulnerability management process.
For identified vulnerabilities, System IT and College IT Department will:
For situations when a patch or hotfix is not available for a vulnerability or a vulnerable legacy system needs to remain in production:
Internal Remediation Expectations
External Vulnerability Remediation Expectations (increased risk to the enterprise)
CCCS reserves the right to change any provision or requirement of this procedure at any time and the change shall become effective immediately.