Policy Statement: The purpose of this policy is to establish measures for vulnerability assessments of servers and applications of critical systems by state agencies utilizing Commonwealth infrastructure. Scanning and testing is only permitted to target resources owned or managed by the agency or managed through Enterprise Shared Services.
Policy Maintenance: The Commonwealth Office of Technology, Office of Chief Information Security Officer, Risk & Compliance Branch, has the responsibility for maintaining and updating this policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability: This policy is to be adhered to by all staff, including employees, contractors, consultants, temporaries, volunteers, vendors and other workers within the Executive level cabinet of state government.
Responsibility for Compliance: Each agency is responsible for assuring that appropriate staff within their organizational authority have been made aware of the provisions of this policy, that compliance by those staff is expected, and that failure to comply with this policy may result in disciplinary action pursuant to KRS 18A, up to and including dismissal. It is also each Agency's responsibility to enforce and manage this policy. Failure to comply may result in additional shared service charges to the agency for the Commonwealth Office of Technology's efforts to remediate issues related to the lack of adequate systems/network infrastructure security. This policy will be reviewed at least every two years.
Definitions:
Application – A software program designed to perform a
Critical Systems – The servers and computing infrastructure that support an automated business process identified as critical by the agency based on the nature of the information stored (sensitive/confidential), importance to the agency's mission, or as stipulated by statute or
Penetration Testing – A security testing procedure to proactively identify computer system vulnerabilities in order to locate and identify any weaknesses that could be exploited by intruders.
Scanning – An automated process to query computer systems in order to obtain information on running the level
System – An automated business process that is operated on computer hardware and software and is connected to the network.
Appropriate and Qualified Organization – Any contract or government organization that is not a part of the Agency's organizational structure and has demonstrated the technical capability to conduct security assessments for government agencies. These include state or federal auditing agencies, state approved security contract vendors, or other external organizations whose capabilities and experience can be determined sufficient to conduct these assessments.
Agencies will be responsible for identifying critical infrastructure, including servers and applications, based on the nature of the data and the system's business function or mission. Each agency shall engage a third party to assist with an assessment of all critical systems, both upon initial implementation into production use and every two (2) years thereafter. It is the responsibility of the agency to engage an appropriate and qualified organization that is considered an external or third-party entity, to ensure objectivity and accuracy in the assessment. It is the responsibility of the agency to ensure that the entity conducting the vulnerability assessment has signed an appropriate statement prohibiting the divulgence of sensitive information. This requirement may not apply to certain state or federal agencies, such as the Auditor of Public Accounts.
It is important that scanning and penetration testing activities are conducted in a manner that will not disrupt or otherwise degrade the quality of services that the Commonwealth Office of Technology (COT) provides to agencies not involved in the assessment process. For this purpose, COT will aggressively block any scans suspected to be causing any service disruption until the activity can be determined to be part of an agency's authorized security assessment, after which appropriate action will be taken to allow the assessment activity to continue.