This document provides guidelines for Sony Pictures Entertainment's vulnerability management framework. It outlines the roles, processes, systems and policies involved in identifying, assessing, remediating and validating the remediation of vulnerabilities on Sony's network. The framework utilizes Preventsys to schedule vulnerability scans by QualysGuard and track remediation tasks. It also describes how McAfee products are used and configured through policies and exceptions to help reduce vulnerabilities.

1. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
Created By: Gregg Jackson
For: Sony Pictures Entertainment
The information in this document is proprietary, contains trade secrets, commercial, and financial
information that is privileged and confidential. No part of this document can be disclosed outside
of 120° Venture Construction Inc. or Customer without the direct consent of one of its officers. This
document and the information in it cannot be duplicated, used, or disclosed in whole or in part for
any purpose other than its original intent.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
1 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.
V U L N E R A B I L I T Y M A N A G E M E N T F R A M E W O R K
P R O C E D U R A L G U I D E L I N E S

2. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
Table of Contents
1. INTRODUCTION......................................................................................................................................3
2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE...................................................7
3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES...........................................................9
4. MANAGE POLICIES..............................................................................................................................14
5. ADD ASSET OR NETWORK SEGMENT...........................................................................................16
6. CHANGE OR EDIT ASSET...................................................................................................................18
7. REMOVE ASSET FROM NETWORK..................................................................................................20
8. MANAGE SCANNERS...........................................................................................................................22
9. MANAGE ASSESSMENTS....................................................................................................................24
10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION.........................27
11. MCAFEE TEST PROCESS....................................................................................................................30
12. MCAFEE DEPLOYMENT PROCESS.................................................................................................32
13. MCAFEE POLICY CHANGES.............................................................................................................34
14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS..........................................37
15. APPENDICES ........................................................................................................................................39
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
2 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

3. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
1. INTRODUCTION
Vulnerability is defined as a weakness in a network infrastructure that has been exploited by a threat that
may potentially destroy, damage, or compromise a network asset. Vulnerability Management is defined
as, the overall supervision of vulnerabilities within an organization and how management of those
vulnerabilities will be achieved through distribution of duties and configuration of systems to measure
compliance against organizational policies.
The Vulnerability Management Framework Procedural Guidelines document is established to meet the
requirements of the Sony Global Information Security Policy section 10.6, “Technical Vulnerability
Management”. The purpose of the Vulnerability Management Framework Procedural Guidelines
document is to provide general information about the systems, activities, roles and business rules that
support the vulnerability management objective at Sony Pictures Entertainment.
1.1. OVERVIEW
The foundation of the Sony Pictures Entertainment (SPE) vulnerability management framework
begins with a team of representatives from various Information Technology departments who are
tasked to preserve the policies, processes and business rules, and when effectively managed will
serve to continuously support the comprehensive systems specifically implemented to reduce the
risks associated with vulnerabilities. The Vulnerability Management Framework Procedural
Guidelines document exists to support the proposed Vulnerability Management Lifecycle,
illustrated below:
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
3 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

4. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
1.2. REVISION HISTORY
Version Date Author Details of Change
1.0 10/14/2008 G. Jackson Completed First Draft
1.3. GLOSSARY OF TERMS
Vocabulary Definition
Accepted Risk Vulnerabilities that will not be remediated for a specific reason.
No corrective action is needed for the identified risk.
Alternative Policy A set of policy rules for any McAfee products that are
considered too significant to be configured as an exception, and
are instead setup as an alternative policy. Alternative policies
are applied to a defined group of end nodes.
Assessment (scan) A methodical evaluation of an organization’s IT weaknesses of
infrastructure components and assets and how those
weaknesses can be mitigated through proper security controls
and recommendations to remediate exposure to risks, threats,
and vulnerabilities.
Asset An asset is defined as any device that can be connected to
network that will result in a connection with an IP address, thus
exposing the asset and network to vulnerabilities. Assets make
up a Network or Asset Group. Network and Asset Groups are
one in the same.
Baseline Policy A set of policy rules for any McAfee product deemed to be the
set of rules that should be applied to all end nodes.
Baseline Report A report providing the baseline knowledge necessary to execute
specific vulnerability management activities. Baseline reports
may also be used to identify common trends or expose gaps and
can be used as a tool to proactively refine the vulnerability
management process on an on going basis.
Claimed/ Resolved Vulnerabilities that the Remediation Analyst classifies as fixed.
Compensating Control An internal control that reduces the risk of an existing or
potential control weakness resulting in errors and omissions.
Compliance Validation The method in which the Information Security works in
collaboration with Internal Audit, VMTF and any other required
vulnerability management representatives to review the
remediation task disposition and ensure compliance in
accordance with GISP Activity Matrix requirements to
remediate level 3, 4 and 5 vulnerabilities for external servers and
level 4 and 5 vulnerabilities for internal servers.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
4 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

5. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
Vocabulary Definition
ePO ePolicy Orchestrator is McAfee’s centralized administration
console.
Exception Rule Any configured alternative path to a specific rule(s) within a
Baseline Policy.
False Negative A false negative occurs when a vulnerability exists, but the
detection system failed to identify it.
False Positive A false positive is a vulnerability that has been reported, but
does not exist, because the detection mechanism was in error.
HIPS Host Intrusion Prevention System is McAfee’s single console
patch management system.
McAfee VirusScan 8.5i Is a network internet security product developed by McAfee
that provides antivirus protection, secure firewall, and spyware
removal.
Network Group A customized grouping of IP addresses or assets that together
make up a network group. Network Groups are created and
categorized to establish user visibility and help ease control and
management of all assets from a global perspective. Each
region consists of its own network group. Network Group is
also commonly called a Network Segment.
Penetration test Is a test conducted to identify potential loopholes that may
expose a network weakness and when reported and acted on, it
will allow application owners to fix the breach before it is can be
taken advantage of by an external intruders.
Policy Is an organizational rule that when effectively implemented will
determine how well physical assets are protected.
Preventsys The primary system for scheduling vulnerability scans. In the
SPE environment, Preventsys is configured to schedule and
trigger the QualysGuard vulnerability scanning (assessments).
Preventsys Discovery Scan Scans for the most common TCP and UDP ports thus identifying
all of the assets connected to the network at any given time.
Preventsys Full Scan A full vulnerability scan targeting TCP and UDP ports.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
5 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

6. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
Vocabulary Definition
Preventsys Validation Scan Scans for all tasks that have been set to Claimed /Resolved,
Accepted Risk or False Positive. Once the Validation Scan runs,
all remediated tasks will be set to be verified.
Quality Center TBD
QualysGuard The primary system that scans and detects vulnerabilities and
policy violations. . In the SPE environment, QualysGuard is
configured to search for vulnerabilities on the SPE network and
then report the results back to Preventsys for further analysis
and initiate remediation activities.
Remediation The action taken to reduce; quarantine and remove
vulnerabilities from the network.
Remedy System Customizable ticket tracking database application.
Standard A standard is defined as the actions an organization takes to
meet the requirements of a policy.
TCP Transmission Control Protocol. A standard essential network
communication mechanism. (Refer to Appendix 9.2 ‘TCP and
UDP Ports’ for additional information)
UDP User Datagram Protocol. A standard essential network
communication mechanism. (Refer to Appendix 9.2 ‘TCP and
UDP Ports’ for additional information)
Vulnerability A weakness in the network infrastructure that may be exploited
by a threat that may potentially destroy, damage, or
compromise an IT asset. Vulnerabilities are categorized by
severity level, with severity level 5 being most critical. Severity
level 5 vulnerabilities take precedence during any prioritization
assessment of vulnerabilities. The current Vulnerability
Management Framework Lifecycle protocol primarily addresses
severity level 3, 4 and 5 vulnerabilities and will be adamantly
handled accordingly based on diligent risk analysis measures.
Vulnerability Management The overall responsibility and management of vulnerabilities
within an organization and how that management of
vulnerabilities will be achieved through distribution of duties.
From a system perspective, currently SPE uses ePO, VirusScan
and HIPS to protect workstation and server assets.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
6 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

7. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
2. VULNERABILITY MANAGEMENT SYSTEM ARCHITECTURE
2.1. OVERVIEW
To gain a comprehensive understanding of Vulnerability Management, it is initially important to
understand the system architecture. The vulnerability management systems are the focal point of
vulnerability management and will serve as the primary catalysts to all vulnerability
management processes, activities and business rules.
Vulnerability Management begins with the Preventsys system which manages scheduling of
vulnerability assessments, commonly referred to as vulnerability scans. When Preventsys
triggers a scheduled vulnerability scan it sends a command to the QualysGuard system to begin
scanning for vulnerabilities.
The QualysGuard system completes the scan cycle on a particular network group and then
communicates the data results back to Preventsys, thus initiating an analysis of results including
prioritization of vulnerabilities based on criticality severity. Subsequently, vulnerabilities are
assigned to a Remediation Analyst to begin the remediation and compliance validation processes.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
7 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

8. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
2.2. MCAFEE PREVENTSYS
Preventsys is a comprehensive vulnerability management software application that centrally
manages vulnerabilities. Preventsys initiates the vulnerability management process by
launching scheduled vulnerability scans, also called assessments and accomplishes the following:
• Manages assessment scheduling (manual and automated)
• Manages security risks across the network, both internal and external
• Quickly identifies assets at risk
• Produces prioritized remediation tasks based on pre-defined criticality measurements
associated to business defined policies
• Automatic notification of risk status to management
2.3. QUALYSGUARD
QualysGuard Guard is a comprehensive software application that achieves both vulnerability
management and policy compliance initiatives. The QualysGuard service accurately detects
vulnerabilities and then reports the results back to the Preventsys system as illustrated in the
system architectural diagram. QualysGuard service accomplishes the following:
• Application specific vulnerability checks
• Integrates additional technical compliance components to support process re-engineering
and accommodate shifting business objectives
• Repeatable risk assessment on the fly
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
8 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

9. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
3. VULNERABILITY MANAGEMENT FRAMEWORK ROLES
The roles of the vulnerability management team are without a doubt the most important components of
the vulnerability management framework. The vulnerability management framework team supports all
vulnerability management objectives.
Working collaboratively, the following individuals connect the systems, administer the applications and
perform the activities of the vulnerability management lifecycle:
3.1. ASSET ADMINISTRATOR
• Responsible for maintaining the valid list of IP ranges (Network Group) for all assessment
tools.
• Works with the regional teams and Site Administrators to maintain the asset inventory in
each region.
• Responsible for reconciling differences between inventory and discovery scans.
• Works with Control Owners and VMTF to define and maintain platform support policy and
standards for each domain.
• Works with Control Owners and VMTF to define and maintain the standard build and
configuration documentation for each domain.
3.2. ASSET OWNER
• Responsible for communicating changes of an asset to all applicable vulnerability
management personnel, i.e. Change Control, Tool Administrator, VMTF, etc.
• Identifies any asset changes and communicates to the Tool Administrator so that the
appropriate system updates can be applied accordingly.
3.3. CHANGE CONTROL
• Communicates system changes initiated by vulnerability management activities that may
impact or disrupt any production processing environment.
• Develops and enforces IT Change Control practices, procedures and policies in accordance
with GISS/GISP measures.
• Communicate vulnerability management system change schedules and corresponding
information to impacted customer communities.
• Works with Line of Business and application teams to define windows for assessment scans.
• Collaborates with Tool Administrators to ensure implementation of assessment scheduling.
• Works with Control Owners to ensure coordination of all remediation activities that require
an outage outside the standard maintenance schedule.
• Works with Asset Administrators to ensure all environment changes are administered to
each of the affected asset repositories.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
9 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

10. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
3.4. CONTROL OWNER
• Will assess results of vulnerability scans to determine remediation activity schedule with
Remediation Analyst.
• Determines schedule required to remediate level 3, 4 and 5 vulnerabilities.
• Provide feedback on any results that warrant additional information prior to executive
reporting.
• Maintains ownership of specific asset group a.k.a. network groups.
• Accountable for remediation of all vulnerabilities within their asset group.
• Works with Remediation Analyst in the prioritization of vulnerabilities and assignment of
remediation activities.
• Responsible for the identification and implementation of compensating controls.
3.5. ENTERPRISE QUALITY ASSURANCE (EQA)
• Responsible for ensuring all vulnerability management assessments are performed on
applications are part of the SDLC.
• Works with application teams to remediate all identified vulnerabilities.
• Responsible for QA of all on-going changes to the vulnerability management lifecycle.
3.6. EPO GLOBAL ADMINISTRATOR
• Maintains the ePO Server.
• Manages ePO policies for all workstation McAfee products.
• Manages ePO user access and privileges to ePO for workstation users.
• Monitors ePO reports on an ongoing basis.
• Identifies issues and trends and resolves issues where appropriate.
• Ensures that all assets are on the required version of a McAfee product.
• Identifies policy adjustments when necessary.
• Coordinates the development of all policy rules with the Site Administrators.
• Coordinates with Site Administrators, EQA and Change Control to develop and maintain the
global testing and deployment schedule for all McAfee products.
• Communicates all baseline policy information and policy changes via the Change Control
process.
• Ensures that all Quality Center reported issues are tracked and resolved.
• Manages all server upgrades and back-end database administration.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
10 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

11. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
3.7. GLOBAL SUPPORT DESK (GSD)
• TBD
3.8. INTERNAL AUDIT
• Periodically reviews the VM lifecycle for compliance with the GISS/GISP measure.
• Recommends lifecycle updates to the appropriate Vulnerability Management contact points
to facilitate refinement of process re-engineering based on on-going analysis and best
practices.
3.9. INFORMATION SECURITY
• Responsible for the maintenance of the policy repository.
• Responsible for importing and exporting of custom policies in compliance with the
GISS/GISP measure.
• Ensure accurate GISP/GISS mapping of policies between systems.
• Collaborates with the Remediation Analyst to determine methods for reducing the number of
false positives.
• Ensure the compliance of VM Lifecycle with the GISS/GISP measures.
• Facilitates VM lifecycle process review sessions with Internal Audit and Change Control and
ensures suggested updates are incorporated into the process.
• Develops trend analysis security metric reports to provide visibility and decision support to
senior management regarding the state of vulnerabilities and policy violations across SPE's IT
landscape.
3.10. NETWORK TEAM
• Business Unit specific. Requires definition from the Network Team and executive approval.
3.11. REMEDIATION ANALYST
• Ensure assets are compliant.
• Remediates vulnerabilities.
• Coordinates with McAfee when issues arise.
• Works with Control Owner to document remediation plan to be reviewed with Change
Control and Enterprise Quality Assurance (EQA) to help determine remediation activities,
scheduling, and testing activities.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
11 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

12. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
3.12. REPORTING ANALYST
• Identifies and defines reporting needs as requested or needed by the business.
• Runs Preventsys Reports.
• Schedules reports.
• Works with stakeholders and Control Owners to manage their reporting needs.
3.13. SITE ADMINISTRATOR
• Tests McAfee products within their respective workstation environment including
scheduling deployment to test servers, addressing issues reported by testers and users, and
reviewing ePO logs for issues.
• Reports all issues identified in test via Quality Center.
• Ensures that all testing is completed within the agreed upon schedule.
• Contributes to the development of the global baseline policy.
• Identifies policy expectations specific to region.
• Schedules all test, pilot and production deployments via ePO.
• Produces and analyzes ePO reports.
• Identifies any issues or trends specific to region and remediates systems that are not
compliant.
• Continued on next page
• Reports all issues identified in production to the ePO Global Administrator and the SPE
Global Support Desk.
• Reviews all ePO communicated events and addresses as appropriate.
3.14. TOOL ADMINISTRATOR
• Applies patches and version updates to tools accordingly and in a timely manner.
• Performs adhoc vulnerability assessments when requested.
• Schedules all vulnerability assessments according to defined business needs.
• Manages and maintains Scanner tools
• Coordinates activities within scope of responsibilities and communicates to the appropriate
vulnerability management team personnel and / or vendors to resolve issues.
3.15. VULNERABILITY MANAGEMENT LIFECYCLE MANAGER
• Coordinates with Vulnerability Management Task Force (VMTF) to obtain approval of
proposed compensating controls and accepted risks.
• Responsible to ensure the implementation of all recommendations of the VMTF.
• Responsible to ensure the integrity of the Vulnerability Management Lifecycle.
• Works with the VMTF to determine the vulnerability coverage in each execution.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
12 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

13. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
3.16. VULNERABILITY MANAGEMENT TASK FORCE (VMTF)
• Working council of stakeholders from each domain and is responsible for maintaining the
Vulnerability Management Lifecycle.
• Responsible for defining the duration of the VM Lifecycle.
• Responsible for approving all policy changes to supporting vulnerability management
systems.
• Responsible for approving all platform supporting policies for compliance with vulnerability
management.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
13 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

14. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
4. MANAGE POLICIES
4.1. OVERVIEW
The Sony Pictures Entertainment vulnerability management team will address two kinds of
policies, policies used to determine the coverage provided by a vulnerability scan, and policies
used to determine the vulnerabilities based on the results and analysis of a vulnerability scan.
The process of managing policies is intended to describe how Sony Pictures Entertainment (SPE)
IT and Information Security work together to analyze newly created policies and establish the
technical standards for supporting the new policies. The proposed process for managing policies
is illustrated in section 4.4
4.2. SYSTEMS
• Preventsys
Preventsys maps vulnerability data to specific Global Information Security Policies (GISP). This
information is used to report on corporate compliance with the GISP.
4.3. ROLES
• Tool Administrator – Responsible for updating and maintaining policies within vulnerability
management systems.
• Information Security
• Change Control – Adheres to current Change Control procedures.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
14 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

15. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
4.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
4.5. BUSINESS RULES
DESCRIPTION
1 All SPE GISP policies defined will be reviewed by Information Security first.
2 IT Architecture and Governance will identify the IT staff responsible for establishing the
technical standard by which the policy will be implemented.
3 Information Security will validate that all IT technical standards support the policy.
4 VMTF will review and approve proposed policies and determine the technical standards
needed. NOTE: Any technical standard that impact the system to a high degree will be
assessed thoroughly and if required will be channeled through Change Control.
5 VMTF will determine the timeframe by which a policy must be implemented.
6 The IT staff are responsible for implementing all approved technical standards
7 All approved policies will be posted on the intranet site.
8 IT and Information Security must agree to the schedule for implementing a newly defined
policy and the technical standards that will support the policy.
9 Information Security will obtain corporate approval of the schedule to implant all technical
standards.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
15 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

16. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
5. ADD ASSET OR NETWORK SEGMENT
5.1. OVERVIEW
Assets are categorized as physical assets and logical assets. Some examples of physical assets
include routers, firewalls, servers, workstations and laptops. Logical assets include websites,
applications and databases. An asset is one where as a network segment is a grouping of assets.
An example of a network segment is if SPE conducts testing on a potential new application in a
testing lab and it requires eight testing workstations.
The vulnerability management objective is concerned with all assets that connect to the SPE
network internal or external and it is important that all new assets and network segments are
properly added to the Preventsys system so that SPE and the vulnerability management team can
successfully track, monitor and maintain assets.
To manage new assets or network groups connected to the SPE network, the Remedy system will
be the proposed system of choice to facilitate tracking and history. The proposed process for
adding an asset or network group is illustrated in section 5.4
5.2. SYSTEMS
• Remedy
• Preventsys
5.3. ROLES
• Asset Owner - Responsible for opening a Remedy ticket when a new asset or network
segment needs to be connected to the network.
• Tool Administrator - Responsible for adding the asset or network segment to the Preventsys
system and maintaining the policies of the asset per asset category requirements. The Tool
Administrator is also responsible for immediately scanning the new asset or network
segment for vulnerabilities.
• Change Control – Adheres to current Change Control procedures.
• VMTF
• Network Team – Adheres to current business practices.
• Remediation Analyst – Responsible for remediating any vulnerabilities identified.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
16 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

17. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
5.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
5.5. BUSINESS RULES
STEP DESCRIPTION
1 All requests for IP addresses will be initiated via the Remedy system
2 All requests for network segments will be initiated via the Remedy system.
3 All newly assigned IPs and network segments will be communicated to the requestor, Tool
Administrator, Change Control and Asset Owner (if not the requestor).
4 All new network segments and assets will be immediately scanned.
5 Asset support policies will be maintained for each category of assets on a day to day basis.
6 Rogue assets that are discovered on the network need to be registered and properly
channeled through the Remedy system.
7 Each business unit must identify information assets in its possession and draw up and
maintain an inventory of all important assets.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
17 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

18. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
6. CHANGE OR EDIT ASSET
6.1. OVERVIEW
Considering the evolving business needs existing in the Sony Pictures Entertainment
environment, assets change frequently and it is important that the applicable roles of the
vulnerability management team pay meticulous attention this occurrence and administer a plan
to properly track, test, and control changing assets. The proposed process is illustrated in section
6.4 High-Level Process Flow Diagram.
6.2. ROLES
• Asset Owner - Responsible for opening a Remedy ticket when an asset or network segment
needs to be technically changed or changes classification (category)
• Tool Administrator - Responsible for updating the policies associated with the asset or
network segment, if applicable. Also responsible for immediately scanning the asset or
network segment for vulnerabilities.
• Change Control – Adheres to current Change Control procedures.
• VMTF
• Network Team – Adheres to current business practices.
• Remediation Analyst – Responsible for remediating any vulnerabilities identified.
6.3. SYSTEMS
• Preventsys
• Remedy
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
18 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

19. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
6.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
6.5. BUSINESS RULES
DESCRIPTION
1 Preventsys will be configured to automatically notify the Tool Administrator when vulnerabilities are
present.
2 The Asset Owner will open a Remedy ticket any time their asset changes.
3 The Remediation Analyst will remediate any vulnerabilities identified.
4 The Tool Administrator will apply the necessary policy updates to Preventsys based on the asset category.
5 The Network Team, Change Control and VMTF will be notified of any asset change based on proper
assessment and impact to the network.
6 < insert additional Business Rule identified >
7 < insert additional Business Rule identified >
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
19 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

20. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
7. REMOVE ASSET FROM NETWORK
7.1. OVERVIEW
The Preventsys system stores the assets that are part of a specific network group so that they can
be routinely scanned for vulnerabilities. If an asset is no longer connected to the network, it will
be time consuming and difficult to track the asset.
An asset may be removed from the network to undergo a hardware upgrade or permanently
removed from the network; regardless of the scenario it is essential that communication and
proper procedures are followed to help manage this process. Illustrated in section 7.4 is the
proposed process for removing an asset from the network.
7.2. ROLES
• Change Control – Adheres to the current Change Control procedures.
• Tool Administrator – Responsible for removing the asset from the network group within
Preventsys and then performing a discovery scan to make sure that the removed asset does
not appear when results are returned.
• Asset Owner – Responsible for opening a Remedy ticket to properly communicate the
business need for removing the asset and to ensure that the asset is tracked and reported for
historical purposes and audit.
7.3. SYSTEMS
• Remedy
• Preventsys
7.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
20 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

21. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
7.5. BUSINESS RULES
DESCRIPTION
1 The Tool Administrator will remove the asset from Preventsys immediately upon notification.
2 The Asset Owner will be responsible for opening a Remedy ticket when removing an asset.
3 A report will be produced that captures the asset history for audit trail purposes.
4 < insert additional Business Rule identified >
5 < insert additional Business Rule identified >
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
21 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

22. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
8. MANAGE SCANNERS
8.1. OVERVIEW
Sony Pictures Entertainment currently uses the QualysGuard system to perform vulnerability
assessments. As previously documented, the Preventsys system triggers the QualysGuard
system to perform the vulnerability assessment. QualysGuard is customized with specific
policies to identify vulnerabilities and check for common threats that exists in today’s networking
world. Albeit, every organization configures their systems differently based on the nature of the
business, but most organizations practice many of the same methods to help manage and
maintain their vulnerability management systems.
Outlined below in sections 8.2 Role and 8.3 System Management is a detailed listing of the
proposed responsibilities, activities and scheduling to facilitate scanner management.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
22 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

23. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
8.2. ROLE
• Tool Administrator
o Responsible for customizing each tool with SPE policies and standards in accordance
with GISP
o Responsible for maintaining each tool on a continuous basis to ensure protection of
the SPE network infrastructure.
o Serve as the primary point of contact for all scanner device issues and will
communicate with the vulnerability management team on an as needed basis.
o Required to contact the respective tool vendor to resolve any issues that cannot be
resolved internally contingent upon initial thorough analysis.
o Ensures that the device is on and properly functioning and meeting performance
expectations 24 hours a day 7 days a week.
o Manages licensing of each tool to ensure that the device is up to date.
o Communicates all maintenance related tasks to Change Control such as applying
security patches or version updates, configuration changes and enhancement
requirements per policy and standard update priority.
8.3. SYSTEM MANAGEMENT
DEVICE ACTIVITY SCHEDULE COMMENTS
QualysGuard < insert associated business activity > <system defined
format>
Preventsys < insert associated business activity > <system defined
format>
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
23 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

24. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
9. MANAGE ASSESSMENTS
9.1. OVERVIEW
Vulnerability Assessments analyze the security of the SPE network and are configured within the
Preventsys system. When Preventsys launches or schedules vulnerability assessments, the
QualysGuard service safely and accurately detects vulnerabilities using its inference-based
scanning engine, an adaptive process that intelligently runs only tests applicable to each host
scanned.
The QualysGuard service first gathers information about each host, such as its operating system
and version, ports and services, and then selects the appropriate test modules. This information
is then reported back to Preventsys for analysis, remediation management and reporting. The
following is a list of scans that will be routinely performed based on the agreed schedule:
• Discovery – Scans TCP and UDP ports. This scan does not analyze for full vulnerabilities but
only reports what is commonly known as informational vulnerabilities that give indication of
the type of server the scanned system may be. This scan is useful in determining the
Operating Systems running on a server, thus would be beneficial when administering
policies.
• Lite – Scan is configured per business need requirements.
• Preventsys Full Scan – Scan is configured per business need requirements.
• Database – Scans for vulnerabilities at the database port level.
• Preventsys Validation Scan - Scans for all tasks that have been set to Claimed /Resolved,
Accepted Risk or False Positive. Once the Validation Scan runs, all remediated tasks will be
set to be Claimed/Resolved.
The diagram illustrated in section 9.4 below is a high-level proposed process flow of the steps
required to effectively manage vulnerability assessments.
9.2. SYSTEMS
• Preventsys
9.3. ROLES
• Tool Administrator
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
24 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

25. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
9.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
9.5. BUSINESS RULES
DESCRIPTION
1 When scheduling a vulnerability assessment, the format of the date and time must be yyyy-mm-
ddTHH:mm:ss (for example, 2004-07-27T22:36:20) and is always in GMT.
2 The business unit control owners will determine when to run a vulnerability assessment
3 The Tool Administrator will ensure that the QualysGuard results accurately populate to Preventsys.
4 Only servers that are categorized into a network group will be targeted for vulnerability assessments.
5 Servers IP addresses will be set up into a Network Group based on the combination of physical asset and
operating system.
6 If a server has multiple IP addresses, the Asset Owner must identify the single instance of IP address and
Operating System that should be assigned to a network group and targeted for vulnerability assessments.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
25 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

26. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
9.6. ASSESSMENT SCHEDULE
ASSESSMENT NAME TYPE NETWORK GROUP SCHEDULE COMMENTS
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
26 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

27. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
10. ANALYZE RESULTS, REMEDIATION AND COMPLIANCE VALIDATION
10.1. OVERVIEW
The ability to analyze and prioritize vulnerabilities based on criticality level and at the same time
evaluate the impact to the business can be difficult. Although a vulnerability’s criticality level
may be justifiably accurate when it is reported back into the Preventsys system, there will be
many instances where it will be difficult to assess and classify the vulnerability. Those instances
will require meticulous assessment and possibly a review session involving several vulnerability
management team members. The proposed activities to help manage this process are illustrated
in section 10.4 High-Level Process Flow Diagram.
10.2. ROLES
• Control Owner
• Remediation Analyst
• Reporting Analyst
• Information Security
10.3. SYSTEMS
• Preventsys
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
27 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

28. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
10.4. HIGH-LEVEL PROCESS FLOW DIAGRAM
10.5. BUSINESS RULES
DESCRIPTION
1 A global vulnerability scan will be run every month, and vulnerabilities must be remediated
and in compliance on a quarterly basis. (The business shall establish a quota guideline in
relation to the number or percentage of vulnerabilities that must be in compliance within the
90 day period)
2
The vulnerability scan cycle is as follows:
Day 0: Baseline results that must be remediated on Day 90
Day 30: Opportunity 1 to verify remediated vulnerabilities
Day 60: Opportunity 2 to verify remediated vulnerabilities
3 Remediation tasks will be assigned by a member of the server team responsible for the server,
or automatically (per business rules provided by the applicable server team)
4 Compliance of vulnerabilities will be achieved within 90 days of the Day 0 scan. (The
business shall establish a quota guideline in relation to the number or percentage of
vulnerabilities that must be in compliance within the 90 day period).
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
28 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

29. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
DESCRIPTION
5 An executive report will be produced for the Day 0 vulnerability scan and the Day 90
vulnerability scan.
6 Vulnerabilities identified as Accepted Risk or False Positives must be accompanied with an
explanation regarding the status and clearly defined in the Preventsys system.
7 During Compliance Validation, the (TBD) will review and approve Accepted Risks or False
Positives.
8
When Preventsys remediation tickets are automatically generated after each assessment, they
must be assigned to a Remediation Analyst within (X) amount of time.
9 Remediation activities will require adherence to the change control process.
10 Remediation reporting and trending analysis should be regularly checked by business unit
control owners.
11 Reports should be saved in .PDF format prior to publishing.
12 Information Security must review scan data for accuracy and validate that the data meets
compliance audit standards.
13 Business unit owners must review scan data for accuracy.
14 All vulnerabilities and violations with a criticality level of 70 or higher will be assigned
immediately to a Remediation Analyst.
15 All vulnerabilities and violations with a criticality level of 69 or lower will be assigned, but
will be lower priority to 70 or higher vulnerabilities.
16 No vulnerability will be unassigned.
17 The Control Owner will assess the results of each vulnerability test, and will provide
feedback on any results that warrant additional information prior to executive reporting.
18 Remediation plans will be reviewed with Change Control to schedule remediation activities
when necessary.
19 Validation scans will be run every 3 weeks.
20 After each Validation Scan is performed, all assigned tasks that are not already set to
Claimed/Resolved, Accepted Risk or False Positive should be set to Claimed/Resolved.
21 Remediation Task due dates will be scheduled by the Control Owner.
22 Remediation Tasks will be closed by the person assigned to the task.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
29 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

30. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
11. MCAFEE TEST PROCESS
11.1. OVERVIEW
As is the case for any software application, McAfee products are frequently updated and require
the appropriate personnel to administer the updated patches and install new versions. In section
11.3 below, a proposed process is illustrated to ensure that the appropriate personnel are
accountable for the activities involving testing of new patches or versions of McAfee products
and subsequently, the appropriate communication protocols are followed so that all impacted
vulnerability management team members are well informed.
11.2. ROLES
• Tool Administrator
• Information Security
• ePO Global Administrator
• Site Administrator
11.3. HIGH-LEVEL PROCESS DIAGRAM
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
30 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

31. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
11.4. BUSINESS RULES
DESCRIPTION
1 The Tool Administrator will update the appropriate McAfee product on as needed basis.
2 Prior to releasing any updates to a McAfee product the ePO Global Administrator will
communicate to all impacted vulnerability management team personnel.
3 Prior to releasing any updates to production, any McAfee update version or patch will be
thoroughly tested.
4 The ePO Global Administrator will notify Change Control and Site Administrators
immediately after the change is implemented.
5 < insert additional Business Rule identified >
6 < insert additional Business Rule identified >
7 < insert additional Business Rule identified >
8 < insert additional Business Rule identified >
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
31 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

32. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
12. MCAFEE DEPLOYMENT PROCESS
12.1. OVERVIEW
Subsequent to testing of a McAfee product, the appropriate vulnerability management team
members will engage in a deployment process to ensure the implementation is performed
efficiently and has minimal disruption to the normal courser of vulnerability management
activities. Section 12.3 illustrates the proposed process for managing deployments of McAfee
products.
12.2. ROLES
• Site Administrator
• ePO Global Administrator
• Change Control
12.3. HIGH-LEVEL PROCESS DIAGRAM
12.4. BUSINESS RULES
DESCRIPTION
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
32 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

33. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
1
2
3
4
5
6
7
8
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
33 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

34. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
13. MCAFEE POLICY CHANGES
13.1. OVERVIEW
13.2. ROLES
• Site Administrator
• ePO Global Administrator
• Change Control
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
34 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

35. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
13.3. HIGH-LEVEL PROCESS DIAGRAM
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
35 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

36. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
13.4. BUSINESS RULES
DESCRIPTION
1 Policy changes are made by the ePO Global Administrator only.
2 A baseline policy shall be implemented by all regions.
3 Any exception to the baseline policy shall be configured as an exception rule in ePO rather
than an alternative policy (Unless it is determined that an alternative policy is necessary).
4 Site Administrators are responsible for the management of an alternative policy, if it is
determined that it does not apply globally, otherwise the ePO Global Administrator will be
responsible.
5 Site Administrators will complete testing within the agreed upon timeframe
6
7
8
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
36 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

37. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
14. MCAFEE PROACTIVE AND REACTIVE RESOLUTION PROCESS
14.1. OVERVIEW
Management of any organization would mutually agree that a proactive approach spending
some time routinely assessing procedures in any new process and discussing ideas for process
improvement would help to avoid unforeseeable issues and be beneficially cost effective.
14.2. ROLES
• Site Administrator
• ePO Global Administrator
• Global Support Desk (GSD)
14.3. HIGH-LEVEL PROCESS DIAGRAM
14.4. BUSINESS RULES
DESCRIPTION
1
2
3
4
5
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
37 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

38. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
38 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.

39. 1 2 0 ° V E N T U R E C O N S T R U C T I O N , I N C .
15. APPENDICES
15.1. VULNERABILITY MANAGEMENT FRAMEWORK TEAM
Region Contact Department Role Phone E-Mail
Asia Pacific TBD
North
America
TBD
Latin
America
TBD
UK TBD
15.2. TCP AND UDP PORTS
15.2.1. TCP Ports
TCP stands for Transmission Control Protocol. Using this method, the computer
sending the data connects directly to the computer it is sending the data it to, and stay
connected for the duration of the transfer. With this method, the two computers can
guarantee that the data has arrived safely and correctly, and then they disconnect the
connection. This method of transferring data tends to be quicker and more reliable, but
puts a higher load on the computer as it has to monitor the connection and the data
going across it. A real life comparison to this method would be to pick up the phone
and call a friend. You have a conversation and when it is over, you both hang up,
releasing the connection.
15.2.2. UDP Ports
UDP stands for User Datagram Protocol. Using this method, the computer sending the
data packages the information into a nice little package and releases it into the network
with the hopes that it will get to the right place. What this means is that UDP does not
connect directly to the receiving computer like TCP does, but rather sends the data out
and relies on the devices in between the sending computer and the receiving computer
to get the data where it is supposed to go properly. This method of transmission does
not provide any guarantee that the data you send will ever reach its destination. On the
other hand, this method of transmission has a very low overhead and is therefore very
popular to use for services that are not that important to work on the first try. A
comparison you can use for this method is the plain old US Postal Service. You place
your mail in the mailbox and hope the Postal Service will get it to the proper location.
Most of the time they do, but sometimes it gets lost along the way. UDP Ports are used
for connections that don’t necessarily need to response from the client, such as
streaming video.
401e0a06-0f15-4760-891e-c7369e5a59f7-160407174150.doc
Template 080825
39 of 39 Printed: 4/7/2016
© 2008 120VC Holdings, Inc. All rights reserved.