The Internal Audit Department released its Vulnerability Assessments, Audit 15-16

This notice is archived content and this information may no longer be accurate.

The City of Tampa Technology and Innovation Security Office (TISO) is committed to ensure the continuation of network and security services to the City of Tampa, its staff and citizens.  In order to manage and reduce risk to the City network infrastructure, the Security Office utilizes Vulnerability Management tools to:

  • Identify newly discovered assets on the network.
  • Prioritize assets with the most critical and/or highest number of vulnerabilities.
  • Proactively identify high risk assets and remediate vulnerabilities by working with system owners.[1]

TISO’s primary focus is to address vulnerabilities that are identified on external or internet facing internet protocol (IP) addresses, as these pose the greatest risk.  The internet facing IP addresses are also required to be scanned by an independent Approved Scanning Vendor (ASV) to meet the Payment Card Industry (PCI) Data Security Standard (DSS).  Compliance with this standard is required by entities involved in payment card processing, and that store, process or transmit cardholder data.  Specifically, 11.2 require these entities to run internal and external network vulnerability scans, at least, quarterly, and after any significant change in the network.  Internal scans can be performed by a qualified staff of the organization.  External scans must be performed by an independent ASV.  Rescans should be performed until the passing scan is achieved.  Rapid7, Inc. is currently the City of Tampa independent ASV for PCI compliance.

 When a vulnerability is identified on the internal network that presents a high business risk, TISO creates a remediation plan, and works it with the system owner (this is generally the administrator for the system, which could be a Technology and Innovation team or a vendor).  TISO is instrumental in facilitating this corrective process, and validating that the vulnerabilities creating the highest risk to the business are remediated. 

[1] Network Vulnerability Management Policy # PL-10.9.1

The report in its entirety can be viewed on