Cyber Security Policy Manual
b. Admin Requested – The system owner with administrative authority over the equipment may request vulnerability scans as part of the Change Management Process.
c. External Web Application Scan – Conducted monthly against all public-facing web applications.
d. PCI DSS Scan – Conducted quarterly against all external-facing systems and applications to ensure that payment card systems are not vulnerable to compromise.
e. Internal Environment Scanning – Conducted in the following manner against all internal systems and applications:
   Default Password Scan - Monthly
   Baseline Network Scan - Monthly
   Internal Web Application Scan - Monthly
   Patch Audit Scan - Monthly
10) Should an IT Administrator identify a reported vulnerability as a potential false positive, the Cyber Security Team must be engaged to verify.
11) Vulnerabilities and other policy violations must be resolved by communicating to the user of record, with denial of network access reserved as a last resort. Compromises and other security breaches must follow the City of Greensboro’s Incident Response Policies and related documents.