Qualys Vulnerability Data Review for Reporting

For the Critical Server asset group for your area, periodically review the following:

1. Critical Server asset group [Appendix A: Qualys-Asset Search]
   A list of only those hosts that have been scanned at least once.
   a. If a host has been retired or decommissioned, remove the IP address from the Critical Server asset group. Follow the retirement process (Appendix B).
   b. If a host needs to be added, add the host to the Critical Server asset group and then schedule a scan.
   c. If the host no longer meets the criteria for a critical server, remove the IP address from the Critical Server asset group.

2. Not scanned within the last 30 days [Appendix C: Qualys-Asset Search not scanned within 30 days]
   For those hosts listed:
   a. If the host has been retired or decommissioned, follow the retirement process (Appendix B). After completing this process, remove the IP address from the Critical Server asset group.
   b. If the host is a critical server, schedule a scan.
   c. If the host no longer meets the criteria for a critical server, remove the IP address from the Critical Server asset group.

3. Confirmed (Red) High Severity Vulnerabilities not patched or fixed [Appendix D: Qualys-Report High Severity Vulnerabilities]
   A list of high severity vulnerabilities not fixed. For vulnerabilities listed:
   a. Mitigate the risk and run a vulnerability scan.
   b. Document the remediation plan by creating a Qualys ticket if the vulnerability requires more time to mitigate the risk.
   c. For false positives, create an ignored vulnerability ticket.

4. Ignored Vulnerabilities [Appendix E: Qualys-Scorecard Report Ignored Vulnerabilities]
   A list of vulnerabilities that have been marked as "ignored" by you or someone in your area.
   a. For vulnerabilities that are not false positives, change the ticket status to reopen.
   b. University Information Security will review these and make the final determination on whether or not a vulnerability can be ignored for hosts in the Critical Server asset group.

Frequency for the above review: To meet the requirement of timely reporting of vulnerability management for critical servers, units need to complete the review by the end of the month.

3/23/2015

Appendix A: Qualys-Asset Search

Appendix B: Host Retirement Process

For hosts being retired or decommissioned:
- The host should remain in the Critical Server asset group until the disk and all backup media have been securely wiped using secure deletion software or physical destruction of the media: http://it.umn.edu/enterprise-standards/information-security-standards/mediasanitization.
- Notify University Information Security when a host has been decommissioned or retired. University Information Security will purge the scan results from Qualys.

Appendix C: Qualys-Asset Search not scanned within 30 days

Appendix D: Qualys-Report High Severity Vulnerabilities

Appendix E: Qualys-Scorecard Report Ignored Vulnerabilities