Download the complete service offering (doc format): vulnerability_assessment_services_definition.doc

 


1. Description of Service

The Information Technology Division (ITD) Security Assessment and Assurance Team (SAA) provides ad-hoc Vulnerability Assessment services to agencies wishing to deploy applications, both internal to MAGnet and Internet-facing. This service is also of value to agencies wishing to examine the security posture of their existing environment(s).

This service includes:
  1. Footprint the system/environment (document / diagram findings)
  2. Scan (Interrogate the environment for available services/shares/software and user account information)
  3. Enumerate (Identify all the possible doors/windows/entry points into the system(s) and open services; both legitimate & illegitimate, i.e., identify vulnerabilities)
  4. Assess results (Map out the intrusion/attack)
  5. Penetrate (Execute actual exploit - only when deemed necessary)
  6. Mitigate (Identify mitigation options)
  7. Develop and document possible risk management strategies

This ad-hoc vulnerability assessment service does NOT replace the standard hardening and scanning requirements and processes of the ITD Security Office for all Internet-facing systems, but it can be used as a supplemental and complementary service to provide a higher assurance level for those systems.

Support services include:

2. Service Targets/Hours of Availability

Normally, individual vulnerability assessments will be completed within 15 business days, depending on system/environment availability.

It may be desirable for a customer to request multiple assessments during the development process of their application.

Service Requirement | Description
Service Availability | Service availability hours are 8:30 am - 5:00 pm Monday through Friday, excluding holidays.



3. Service Reporting

Documentation is provided to the customer or their designee only, relative to the vulnerability testing results, analysis, and recommendations.

The following reporting information is provided to customers as part of this service:

Report | Description | Reporting Interval
Vulnerability Assessment Report | The breadth and depth of these reports are specific to the customer's need. The standard report would include the results of the assessment steps and any associated mitigation recommendations. | Ad-hoc - specific to each Vulnerability Assessment request.



4. Service Requests

COMiT Service Requests* | Description | Lead Time-Business Days
Request a Vulnerability Assessment | This is a request for assistance in quantifying and mitigating vulnerabilities in a system through footprinting, scanning, service enumeration, penetration testing with a mitigation strategy. | 5 Days
Request a Scan | This is to request a scan to harden a server for production. | 5 Days

*For new service requests only. To manage existing requests, please log into COMiT.



5. Customer Responsibilities

Customers and their business partners are expected to clearly identify the scope of a vulnerability assessment and to provide written authorization to ITD-SAA for that assessment.

Information to be included in the scope statement must be the system(s) involved (including subnet information if the whole subnet is to be examined) as well as which of the 7 Vulnerability Assessment steps (enumerated in section 2.1 above) they are authorizing ITD-SAA to perform.

For your convenience, you may also view a detailed list of customer responsibilities (doc format: vulnerability_assessment_services_definition.doc).

 

 


6. Chargeback Rate Information

For more information on Chargeback, including an overview of the program as well as previous fiscal year rates, please visit our Chargeback Services webpage.

The costs pertaining to this service offering are currently funded out of Overhead. No additional detail is available for review.

 


Reviewed October 28, 2013
Updated October 28, 2013
Published August 14, 2009
Created April 16, 2009: Information provided by the Security Office