Vulnerability Management Guideline v1.0.0 PUBLISHED
Vulnerability management guideline
Final
July 2018
V1.0.0
PUBLIC
QGEA PUBLIC Vulnerability management
Document details
Security classification PUBLIC
Date of review of security classification July 2018
Authority Queensland Government Chief Information Officer
Author Queensland Government Chief Information Office
Acknowledgements
This version of the Vulnerability management guideline was developed and updated by the
Queensland Government Chief Information Office.
Feedback was also received from a number of agencies, which was greatly appreciated.
Copyright
Vulnerability management guideline
© The State of Queensland (Queensland Government Chief Information Office) 2018
Licence
This work is licensed under a Creative Commons Attribution 4.0 International licence. To view the
terms of this licence, visit http://creativecommons.org/licenses/by/4.0/. For permissions beyond the
scope of this licence, contact qgcio@qgcio.qld.gov.au.
To attribute this material, cite the Queensland Government Chief Information Office.
The licence does not apply to any branding or images.
Information security
This document has been security classified using the Queensland Government Information
Security Classification Framework (QGISCF) as PUBLIC and will be managed according to the
requirements of the QGISCF.
Contents
1 Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
2 Vulnerability monitoring
2.1 Asset tracking
2.2 Vulnerability scanning
2.3 Penetration testing
3 Vulnerability assessment
3.1 Risk assessment
4 Vulnerability mitigation
4.1 Patch management
4.2 Controls
1 Introduction
1.1 Purpose
The Vulnerability management guideline has been developed to assist departments and
agencies to meet their operational security requirements under the Queensland
Government Information Security Policy (IS18:2018).
The information security policy IS18:2018 requires agencies to run an information security
management system (ISMS) compatible with ISO/IEC 27001:2013. To meet control A.12.6.1
(Management of technical vulnerabilities) of ISO/IEC 27001, an entity must obtain information
on, evaluate and act upon technical vulnerabilities within its environment.
A Queensland Government Enterprise Architecture (QGEA) guideline is non-mandatory and
provides information for Queensland Government agencies on the recommended practices for a
given topic area.
1.2 Audience
This document is primarily intended for:
operational ICT staff
information security governance
risk management
1.3 Scope
This guideline relates to the mandatory aspects of the Queensland Government Information
Security Policy (IS18:2018) and Information security information standard (IS18:2009), as
well as the operational security domain and controls in ISO/IEC 27001.
The following issues are not explicitly addressed and are outside the scope of this
guideline:
baseline standards (i.e. tested and supported minimum levels of software versions)
software currency (i.e. version control).
For further information on maintaining an up-to-date software portfolio, see the Software
currency policy.
2 Vulnerability monitoring
2.1 Asset tracking
The first step in accurately monitoring vulnerabilities in any environment is to know what
information systems and assets exist within it. ISO27001 requires information owners to
create and maintain an inventory of the assets associated with information and information
systems. We encourage agencies to use existing registers where possible such as the
information asset register developed as part of the Information asset custodianship policy
(IS44) and application and technology registers developed as part of ICT resources
strategic planning (IS2).
By maintaining visibility of all information associated assets and systems within a
department, information and asset owners will be able to better understand which
vulnerabilities may be creating unnecessary risk within their environments.
2.2 Vulnerability scanning
Agencies should:
implement a common scan template for all assets across their environments to ensure
consistent results
All agencies are encouraged to contact the QGCIO Cyber Security Unit via the
cybersecurityunit@qgcio.qld.gov.au email address to take advantage of the resources and
assistance offered in the implementation of vulnerability scanning or credentialed scanning.
Agencies should follow the above requirements to be aligned with better practice and
ensure vulnerabilities are being effectively detected.
2.3 Penetration testing
Penetration testing can be used by agencies to give assurance for controls on higher
business impact level (BIL) systems.
When an agency or department is conducting or planning a penetration test, they should
consider informing the QGCIO Cyber Security Unit via the
cybersecurityunit@qgcio.qld.gov.au email address.
3 Vulnerability assessment
3.1 Risk assessment
Unresolved vulnerabilities increase risk within an agency's environment, so it is important
that vulnerabilities and their associated risk are assessed in the context of the environment
in which they are found. This matters particularly when reviewing the results of automated
vulnerability scanners: the results may include false positives, and vulnerabilities that,
while carrying some risk, are already mitigated by a separate mechanism.
For these reasons vulnerability risk assessment should be the responsibility of the asset
owner and/or the asset custodian, which ensures that the responsible actor understands the
environment and the existing mitigating controls.
Asset owners and/or custodians should:
assess the vulnerabilities within their environments
decide, based on their assessment, whether the agency will:
  accept the risk
  transfer the risk
  avoid the risk
  mitigate the risk
Agencies should prioritise vulnerabilities based on their own context. Many automated
scanners and risk management tools have their own ways of grading vulnerabilities and risk;
agencies are encouraged to use whichever prioritisation system they are most comfortable
with. Agencies seeking additional tools to assist in their vulnerability prioritisation should
contact the QGCIO Cyber Security Unit via the cybersecurityunit@qgcio.qld.gov.au email
address.
Agencies can also use the following questions to help prioritise existing vulnerabilities:
How many systems does the vulnerability exist on?
Are those systems considered critical or sensitive?
Is the system likely to be exposed to threats that may exploit the vulnerability such
as public facing systems or internet accessible systems?
What mitigations exist that would limit the damage caused by successful exploitation
of the vulnerability? For example, application whitelisting controls may limit the
impact of code execution vulnerabilities.
Does the capability exist to detect or prevent exploitation of the vulnerability using a
network or host-based IDS/IPS?
Is there appropriate logging and alerting in place to respond quickly to systems that
have been exploited?
What is the CVSS rating of the vulnerability? All else being equal, a vulnerability
with a higher CVSS rating should be prioritised above a vulnerability with a lower CVSS
rating. Note that the CVSS base score does not account for the environmental factors in
the questions above, which is why it is listed last.
Agencies are also encouraged to use the Queensland Treasury risk management
framework as a guide for their risk assessment processes.
4 Vulnerability mitigation
4.1 Patch management
All information systems should remain supportable and be maintained in a manner that
minimises the Queensland Government’s exposure to risks associated with vulnerabilities
in these systems.
The main type of patch discussed in this guideline is the security patch. Security
patches include, but are not limited to, operating system patches, software patches,
firmware updates and hardware hotfixes. Security patches are most often released by
developers to remove a vulnerability from their program or platform and so prevent its
exploitation by an attacker. Other patches, released by developers to provide additional
functionality or to fix unexploitable flaws, can be installed at the discretion of the
operational IT team and business owners in accordance with the agency's change
management processes.
An effective patch management program will assist in the mitigation of business risk by:
increasing uniformity across Queensland Government ICT assets by standardising how
ICT patches and updates are obtained and applied
increasing the ability to maintain and support ICT assets in accordance with this
guideline
encouraging each agency to provide its own testing capability and to avoid testing,
where possible, on production systems
fixing known vulnerabilities in ICT assets that attackers could exploit for various
purposes
Agencies should refer to the Software currency policy and Hardware currency policy to
ensure they are maintaining an up-to-date software and hardware portfolio, and to reduce the
cost and risk associated with managing unsupported products.
Patches that are not applied should be recorded, and the decision subject to monitoring and
review where appropriate.
Agencies are encouraged to use the Table 1 patch assessment guide as a tool for assessment
timelines. When using the table, vulnerabilities on external (public facing or internet
accessible) systems should be treated as one BIL higher than the system's assessed level:
BIL 1 external systems are treated as BIL 2, BIL 2 external systems as BIL 3, and BIL 3
external systems remain BIL 3.
4.2 Controls
In some cases the risk generated by a vulnerability cannot be mitigated with a patch: a
patch may not exist, or may introduce even more risk. In these cases agencies and
departments should consider implementing further controls to reduce the risk.
Controls can be highly specific to an environment and range from business processes to
software and hardware implementation. The selection of controls depends on organisational
decisions based on the criteria for risk acceptance, risk appetite, risk treatment options
and the general risk management approach applied to the organisation, and should also be
subject to all relevant state, national and international legislation and regulations.
Departments and agencies should consider the Information Privacy Act 2009, the Public
Records Act 2002 and the Telecommunications Interception Act 2009, and may need to seek
further legal advice before implementing some control mechanisms.
Administrative Control
“Agency X could implement a mobile device policy banning the use of employee personal
devices for government work, this is contextually acceptable as Agency X provides all of its
employees with mobile work devices and employees are able to request exceptions
depending upon circumstances”
Technological Control
“Agency X could provide all employees who may need to complete official government business
outside of regular operating hours with an official mobile device. The device could be given
access to systems, while access to those systems from any other external device is locked
down”
Technological Control
“Agency X could implement a web application firewall (WAF) to allow, block and monitor web
requests that contain XSS code, by creating one or more XSS match conditions.”
Administrative Control
“Agency X could enact a policy enforcing input validation, output escaping, sanitising of user
input, or any combination of the three, on all external web applications”
Administrative Control
“Agency X could implement an internal policy or standard enforcing minimum security
configuration standards to minimise the risk of further misconfigurations or develop a
repeatable hardening process that ensures it is fast and easy to deploy future environments
that are secure”
Technological Control
“Agency X could set up an automated process to scan the network and test the
effectiveness of device configurations to ensure any future devices in the environment are
correctly configured”
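The input validation, escaping and WAF match controls listed above are easier to judge with code beside them. The following added example is written for this page and is not taken from the guideline or from any agency; the function names, the allow-list pattern and the simplified WAF match are illustrative assumptions. It uses only the Python standard library and shows the unsafe reflection beside its escaped and validated forms.

```python
"""XSS controls from section 4.2 in code (added example, not from the guideline)."""
import html
import re
from typing import Optional
from urllib.parse import unquote

# Constructed attacker input, as it would arrive in a request parameter
PAYLOAD = "<script>alert(document.cookie)</script>"


def greet_unsafe(name: str) -> str:
    """Reflects the request parameter straight into the page: reflected XSS."""
    return f"<p>Welcome, {name}</p>"


def greet_escaped(name: str) -> str:
    """Output escaping: <, >, &, \" and ' are encoded, so the browser shows the
    text instead of executing it."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


# Allow-list for a username field; the permitted alphabet is an assumption
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(name: str) -> bool:
    """Input validation: accept only what a username is expected to contain."""
    return USERNAME_RE.fullmatch(name) is not None


def greet_validated(name: str) -> Optional[str]:
    """Validation and escaping together (defence in depth); None means rejected.
    Escaping still applies, because validation rules change and other fields
    may not have one."""
    if not is_valid_username(name):
        return None
    return greet_escaped(name)


# Crude stand-in for a WAF "XSS match condition": decode the parameter as a WAF
# would and look for script markup. Pattern matching is a compensating control
# in front of an application, not a replacement for escaping inside it.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def waf_xss_match(raw_param: str) -> bool:
    """True if the URL-decoded parameter contains one of the XSS markers."""
    return XSS_MARKERS.search(unquote(raw_param)) is not None


if __name__ == "__main__":
    print("unsafe:   ", greet_unsafe(PAYLOAD))
    print("escaped:  ", greet_escaped(PAYLOAD))
    print("validated:", greet_validated(PAYLOAD))
    print("waf match:", waf_xss_match("%3Cscript%3Ealert(1)%3C/script%3E"))
```

The escaped form is the control the application itself owns; the WAF match is the control that can be put in front of an application that cannot be patched or changed quickly, and its pattern list will always lag new payload encodings, which is why the guideline pairs the two.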