1. Description of Service
The Information Technology Division (ITD) Security Assessment and Assurance Team (SAA) provides ad-hoc Vulnerability Assessment services to those agencies wishing to deploy applications both internal to MAGnet as well as internet facing. Additionally, this service is of value to agencies wishing to examine the security posture of their existing environment(s).
This service includes:
- Footprint the system/environment (document / diagram findings)
- Scan (Interrogate environment for available services/shares/software, user acct. info)
- Enumerate (Identify all the possible doors/windows/entry points into the system(s) and open services; both legitimate & illegitimate, i.e., identify vulnerabilities)
- Assess results (Map out the intrusion/attack)
- Penetrate (Execute actual exploit - only when deemed necessary)
- Mitigate (Identify mitigation options)
- Develop and document possible risk management strategies
This ad-hoc vulnerability assessment service does NOT replace the standard hardening and scanning requirements and processes of ITD Security Office for all Internet-facing systems - but it can be used as a supplemental and complementary service to provide a higher assurance level for those systems.
Support services include:
- A Service Account Manager to answer any questions or concerns regarding ITD Services.
- Services offered through our Operations Office; including Change Management and customer access to incident management via email, phone (CommonHelp)
- The online COMiT service management portal
2. Service Targets/Hours of Availability
Normally, individual vulnerability assessments will be completed within 15 business days, depending on system/environment availability.
It may be desirable for a customer to request multiple assessments during the development process of their application.
Service availability hours are 8:30 am - 5:00 pm Monday through Friday, excluding holidays.
3. Service Reporting
Documentation is provided to the customer or their designee only, relative to the vulnerability testing results, analysis, and recommendations.
The following reporting information is provided to customers as part of this service:
Vulnerability Assessment Report
The breadth and depth of these reports are specific to the customer's need. The standard report would include the results of the assessment steps and any associated mitigation recommendations.
Ad-hoc - specific to each Vulnerability Assessment request.
4. Service Requests
Lead Time-Business Days
Request a Vulnerability Assessment
This is a request for assistance in quantifying and mitigating vulnerabilities in a system through footprinting, scanning, service enumeration, penetration testing with a mitigation strategy.
Request a Scan
This is to request a scan to harden a server for production.
*For new service requests only. To manage existing requests, please log into COMiT.
5. Customer Responsibilities
Customers and their business partners are expected to clearly identify the scope of a vulnerability assessment and to provide written authorization to ITD-SAA for that assessment.
Information to be included in the scope statement must be the system(s) involved (including subnet information if the whole subnet is to be examined) as well as which of the 7 Vulnerability Assessment steps (enumerated in section 2.1 above) they are authorizing ITD-SAA to perform.
For your convenience, you may also view a detailed list of customer responsibilities.
6. Chargeback Rate Information
For more information on Chargeback, including an overview of the program as well as previous fiscal year rates, please visit our Chargeback Services webpage.
The costs pertaining to this service offering are currently funded out of Overhead. No additional detail is available for review.
Updated June 20, 2011
Published August 14, 2009
Created April 16, 2009: Information provided by the Security Office