Cyber Security Policy Manual

configuration weaknesses. This is required to protect the City’s systems and information from threats and cyber-attacks and comply with all applicable laws and regulations. 2) All systems and applications connected to the City’s network are subject to these assessments, whether or not they are owned or operated by the City of Greensboro. 3) To ensure that vulnerability scans are comprehensive and accurate, scans maybe conducted using an authenticated method. During this method, the vulnerability scanning software logs into the system or application with administrator-level access. 4) The Cyber Security Team requires IT Administrators to review the results of vulnerability scans and evaluate, test and mitigate system and application vulnerabilities appropriately. 5) The timely and consistent mitigation of a reported vulnerability is critical in protecting the City’s systems, applications and data from damage or loss due to threats such as Malware, cyber-attacks or other forms of external and internal threats. For this reason, identified vulnerabilities must be mitigated in accordance with the specific timeframes described here: a. Critical - denotes a vulnerability that an attacker can easily exploit to gain access to a critical system, application or confidential information. These types of vulnerabilities must be mitigated within 1 week. b. Severe - denotes a vulnerability that an attacker could exploit to gain access to a system, application or confidential information. While this class of vulnerabilities is extremely serious, the risk of a breach or compromise is not as urgent as with a critical vulnerability. These types of vulnerabilities must be mitigated within 1 month. c. Moderate - denotes a vulnerability that may allow an attacker to gain access to specific information stored on the system including system settings. The vulnerability allows an attacker to gain access to information that may be used to compromise the system in the future. These types of vulnerabilities must be mitigated within 2 months. d. Low – denotes a vulnerability that may allow an attacker to gain access to system information such as installed software and version numbers. This information can be used in launch various types of reconnaissance attacks against the system in an attempt to gather additional information to gain access to it. These types of vulnerabilities must be mitigated within 3 months . 6) IT Administrators must work with Cyber Security Team to conduct vulnerability assessment against new systems and applications before production migration. 7) In the event of a security vulnerability or incident, devices maybe removed from the network or isolated. IT Administrators will be contacted to identify and resolve the issue. 8) If applicable, system configuration standards must be updated by IT Administrators as new vulnerability issues are found. 9) Vulnerability scans must be conducted frequently and based on the following factors:

Cyber Security Policy Manual

12