Policy 7230A - Department of Administration
   o Penetration testing.
   o Password cracking.
   o Social engineering.
   o Permission elevation.
6.1.1.b Security Assessment Scheduling and Frequency
• External vulnerability assessments should be performed at least annually.
• Internal vulnerability assessments should be performed at least bi-annually (every two years, the assessment period that the retention schedule in 6.1.1.c assumes).
• Complete security assessments should be performed at least tri-annually (every three years).
6.1.1.c Security Assessment Data Management
• Security assessment reports should include the following information:
   o The nature of the findings.
   o Any increased risk as a result of the findings.
   o The adjustments that must be made to system risk impact if no remediation is performed.
   o The appropriate risk mitigation techniques that could be adopted and the effect each would have on system risk.
   o The projected cost of proposed risk mitigation strategies.
• Security assessment data should be treated as Very High risk, and all systems that store such data should also be considered Very High risk. Both data and systems should be afforded appropriate protection based on this risk classification.
• Assessment data should be retained according to the following schedule:
   o Raw assessment data should be retained for six months or until all discovered security problems have been demonstrably resolved, whichever is later, and no longer.
   o Assessment reports should be retained for the equivalent of two full subsequent assessment periods: reports from annually conducted assessments should be retained two years, reports from bi-annually (every two years) conducted assessments four years, etc.
6.1.2. Perform Security Self Assessment
No applicable Non-Mandatory Baselines.
17