1. Conduct of Vulnerability Assessment and Penetration Testing (VAPT) on New and Existing PRO Systems
Vulnerability Assessment and Penetration Testing (VAPT) is a security service that focuses on identifying vulnerabilities in the network, server, and system infrastructure. A Vulnerability Assessment (VA) first examines, discovers, and discloses known vulnerabilities, then generates a report that details each vulnerability's categorization and priority. Penetration Testing (PT), on the other hand, seeks to exploit vulnerabilities to determine the level of access that can be gained, and so assesses the level of defense.
The goal of the VAPT is to identify, prioritize and recommend remediation for vulnerabilities and threats that can be exploited to gain unauthorized access or cause harm. This process involves both automated and manual techniques, including vulnerability scanning, penetration testing, and source code reviews. Its purpose is to provide organizations with actionable recommendations to improve their security posture and reduce the risk of cyber-attacks.
Office or Division: | Information and Cybersecurity Division | |
Classification: | Highly Technical | |
Type of Transaction: | G2G – Government to Government | |
Who may avail: | PRO Assets and System Owners | |
CHECKLIST OF REQUIREMENTS | WHERE TO SECURE | |
1. VAPT Request Form 2. PT Waiver Form | VAPT Drive under Google Workspace, to which only VAPT Members have access. |
CLIENT STEPS | AGENCY ACTIONS | FEES TO BE PAID | PROCESSING TIME | PERSON RESPONSIBLE |
1. Send an email request for VAPT of systems. | 1.1. Acknowledge the request and provide the VAPT Request Form and/or the PT Waiver Form. | None | 15 minutes | Information Systems Analyst II Security Testing Unit |
2. Accomplish the VAPT Request Form and PT Waiver Form. | 2.1. Review the accomplished VAPT Request Form and/or PT Waiver Form and interview the System Owner. | None | 1 hour | Information Systems Analyst I/II Security Testing Unit |
None | 2.2. Prepare and develop the VAPT Master Plan. | None | 1 day | Information Systems Analyst II Security Testing Unit |
None | 2.3. Conduct VA. | None | 2 hours | Information Systems Analyst I Security Testing Unit |
None | 2.4. Create and analyze VA Report. | None | 30 minutes | Information Systems Analyst II Security Testing Unit |
None | 2.5. Conduct PT. | None | 1 day | Information Systems Analyst I/II Security Testing Unit |
None | 2.6. Create and analyze PT Report. | None | 1 hour | Information Systems Analyst I/II Security Testing Unit |
None | 2.7. Compile and create VAPT Initial Report. | None | 1 hour | Information Systems Analyst II/I Security Testing Unit |
None | 2.8. Send to ISA III, ITO II, and ITO III the VAPT Report for approval. | None | 30 minutes | Information Systems Analyst II Security Testing Unit |
None | 2.9. Approve the VAPT Report. | None | 3 hours | Information Systems Analyst III / Information Technology Officer II/III |
3. Receive the Initial VAPT Report with recommendation/s for remediation. | 3.1. Email Initial VAPT Report with recommendation/s for remediation to System Owner. | None | 15 minutes | Information Systems Analyst II Security Testing Unit |
4. Perform remediation in the system/s and provide remediation reports. | 4.1. Acknowledge receipt of remediation reports. | None | 15 minutes | Information Systems Analyst II Security Testing Unit |
None | 4.2. Conduct another cycle of VAPT on the remediated system/s. | None | 1 day and 2 hours | Information Systems Analyst II/I Security Testing Unit |
None | 4.3. Create, analyze, and compile VAPT reports. | None | 2 hours and 30 minutes | Information Systems Analyst II/I Security Testing Unit |
5. Receive the Initial VAPT Report with recommendation/s for remediation. | 5.1. Email the Initial VAPT Report with recommendation/s for remediation to System Owner. | None | 15 minutes | Information Systems Analyst II Security Testing Unit |
None | 5.2. Create the VAPT Final Report. Note: If the System Owner did not accept the risks, the Client will repeat Client Step 4. | None | 4 hours | Information Systems Analyst II/I Security Testing Unit |
TOTAL: | None | 5 days and 2 hours and 30 minutes |