The scanner is capable of meeting all the requirements outlined for RA-5 priorities low, medium, high. The appliance performs assessments against system security policies and identifies vulnerabilities with CVE scoring. It has customizable templates that measure compliance with SOX, PCI DSS, HIPAA, ISO 27002, FISMA, and FDCC (Federal Desktop Core Configuration) baseline. It supports content that follows XCCFD, OVAL, and SCAP (Security Content Automation Protocol).Compliance with the security policies can be stored and tracked within the asset manager capability. Periodic assessments, credentialed or not, can be done manually or scheduled. Correlation of known threats can be made against assets that have had their vulnerabilities assessed within the manager. Remediation’s can then be quickly applied. Credentialed based scans are available for Microsoft Windows, Unix/Linus, Cisco IOS and VMware platforms.
There is a documented process in place to perform these assessments. The results of the scan are evaluated by Office of Information Security staff with knowledge of the system environment, data, and operational use. The risk of any vulnerability is weighed against this background and based on that a remediation plan is established. Results are discussed and shared with system administrators.