CIO-082 Critical Systems Vulnerability Assessments

Office of the Chief Information Officer Enterprise Policy
CIO-082: Critical Systems Vulnerability Assessments
Effective Date: 05/15/2004
Revision Date: 03/08/2017
Reviewed Date: 02/04/2019
Policy Statement: The purpose of this policy is to establish measures for vulnerability assessments of servers and applications of critical systems by state agencies utilizing the Commonwealth infrastructure. Scanning and testing are only permitted to target the resources owned or managed by the agency or managed through Enterprise Shared Services.
Policy Maintenance: The Commonwealth Office of Technology, Office of Chief Information Security Officer, Risk & Compliance Branch, has the responsibility for maintaining and updating this policy.
Authority: KRS 42.726 authorizes the Commonwealth Office of Technology (COT) to develop policies that support and promote the effective application of information technology within the executive branch of state government, as well as information technology directions, standards, and necessary management processes to assure full compliance with those policies.
Applicability:  This policy is to be adhered to by all staff, including employees, contractors, consultants, temporaries, volunteers, vendors and other workers within the Executive level cabinet of state government.
Responsibility for Compliance: Each agency is responsible for assuring that appropriate staff within their organizational authority have been made aware of the provisions of this policy, that compliance by the staff member is expected, and that the failure to comply with this policy may result in disciplinary action pursuant to KRS 18A up to and including dismissal.
It is also each Agency's responsibility to enforce and manage this policy. Failure to comply may result in additional shared service charges to the agency for the Commonwealth Office of Technology's efforts to remediate issues related to the lack of adequate systems/network infrastructure security.
Review Cycle:  This policy will be reviewed at least every two years.
Application – A software program designed to perform a specific function.
Critical Systems – The servers and computing infrastructure that support an automated business process identified as critical by the agency based on the nature of the information stored (sensitive/confidential), importance to the agency's mission, or as stipulated by statute or regulation.
Penetration Testing – A security testing procedure to proactively identify computer system vulnerabilities in order to locate and identify any weaknesses that could be exploited by intruders.
Scanning – An automated process to query computer systems in order to obtain information on the services that are running and their level of security.
System – An automated business process that is operated on computer hardware and software and is connected to the network.
Appropriate and Qualified Organization – Any contract or government organization that is not a part of the Agency's organizational structure and has demonstrated the technical capability to conduct security assessments for government agencies. This may include state or federal auditing agencies, state approved security contract vendors, or other external organizations whose capabilities and experience can be determined sufficient to conduct these assessments.
Policy: Agencies will be responsible for identifying critical infrastructure, including servers and applications, based on the nature of the data and the system's business function or mission. Each agency shall engage a third party for assisting with an assessment of all critical systems both upon initial implementation into production use and every two (2) years thereafter. It is the responsibility of the agency to engage an appropriate and qualified organization that is considered an external or third party entity to ensure objectivity and accuracy in the assessment. It is the responsibility of the agency to ensure that the entity conducting the vulnerability assessment has signed an appropriate confidentiality statement prohibiting the divulgence of sensitive information. This requirement may not apply to certain state or federal agencies, such as the Auditor of Public Accounts.
It is important that scanning and penetration testing activities are conducted in a manner that will not disrupt or otherwise degrade the quality of services that the Commonwealth Office of Technology (COT) provides to agencies not involved in the assessment process. To this purpose, COT will aggressively block any scans suspected to be causing any service disruption until the activity can be determined to be a part of an agency's authorized security assessment, after which appropriate action will be taken to allow the assessment activity to continue.
This page was last modified 8/6/2019 5:50 PM