
US Department of Defense Information Assurance: Achieving Successful DITSCAP with eZ publish as a Platform

Sunday 19 November 2006 8:23:00 am


A DOD-authorized network security services evaluator will execute an aggressive Network Vulnerability Security scan on your system, using eEye Retina Security Scanner or other evaluation tools, in order to identify vulnerabilities or security risks. The report will categorize each risk item as High, Medium, Low or Information. The system will also be assigned an overall security risk level based on the scan results.

Each High and Medium risk item must be rectified within a 48-hour time period. You must submit a remediation report that explains how each risk item was rectified. If a High or Medium risk item cannot be rectified within 48 hours, a written explanation and a schedule of completion must be included with the remediation report.

A second vulnerability scan is performed to find out if the remediation activities have alleviated the risks previously found, and if remediation activities introduced new risks.

If the system was configured according to the appropriate STIGs and Security Configuration Guides prior to the vulnerability scan, the scan should report only a minimal number of High and Medium risk items. With the One Source system, the initial vulnerability assessment of the DASN (ACQ) One Source website revealed one High risk, one Medium risk and four Low risk items. Each of the risk items was easily rectified by changing simple configuration settings to minimize the vulnerability. The DASN (ACQ) One Source's initial overall vulnerability risk level was rated as LOW.

There was also a variety of Information items, which do not necessarily pose risks or threats but rather instill best practices. These items were also modified and a rescan was conducted. After the rescan, the DASN (ACQ) One Source's final overall vulnerability risk level was rated as NONE.


