ISM12 PatchAndVulnerabilityManagementPolicy
PURPOSE
The purpose of this policy is to ensure Metropolitan Government of Nashville and Davidson County
(Metropolitan Government) reduces risks resulting from exploitation of published technical
vulnerabilities.
POLICY
1. Generally
3. Vulnerability Scanning
c. analyze vulnerability scan reports and results from security control assessments;
d. remediate legitimate vulnerabilities in accordance with its assessment of risk;
e. share information, when appropriate, obtained from the vulnerability scanning process and
security control assessments with designated personnel throughout Metropolitan
Government to help eliminate similar vulnerabilities in other information systems;
f. employ vulnerability scanning tools that include the capability to readily update the list of
information system vulnerabilities scanned;
g. update the list of information system vulnerabilities scanned or when new vulnerabilities are
identified and reported;
h. attempt to discern what information about the information system is discoverable by
adversaries;
i. include privileged access authorization for selected vulnerability scanning activities to
facilitate more scanning;
j. employ automated mechanisms to compare the results of vulnerability scans over time to
determine trends in information system vulnerabilities; and
k. employ an independent penetration agent or penetration team to periodically conduct a
vulnerability analysis on the information system as deemed necessary.
Due to the interdependency of the Metropolitan Government network and resources, any
vulnerability assessment scan shall be performed in cooperation with the Metropolitan
Government Information Technology Services Department and shall follow defined and approved
procedures for running such scans.
6. Miscellaneous
This policy shall supersede all previous Metropolitan Government technical vulnerability
management policies. This policy may be amended or revised at any time. Users are responsible for
periodically reviewing this policy for any revisions and for adhering to those revisions.
DEFINITIONS
Terms used in this policy are defined in the Metropolitan Government Information Security Glossary.
CONTACT
Questions should be directed by telephone to (615) 862-6222, by email to [email protected], or by mail to
CISO, Information Technology Services Department, 700 2nd Avenue South, Suite 301, P. O. Box 196300,
Nashville, TN 37219-6300.
________________________________ _____________________
Keith Durbin Date
Director of Information Technology Services
Metropolitan Government of Nashville and Davidson County
REFERENCES
REVISION HISTORY