Vulnerability Management
PURPOSE AND SCOPE
The Vulnerability Management program, governed by the Information Security Office, is an initiative to manage Information and Networked Systems vulnerabilities for University Schools and Departments. This program is designed to identify and rank, by severity, the vulnerabilities that may exist within the Drexel environment, including operating systems, application software, databases, and other software residing on Drexel's servers and network devices. The Vulnerability Management Program outlines the tools and processes for identifying, risk rating, prioritizing, and remediating system vulnerabilities in an effort to keep the residual risk within acceptable limits as defined by the CISO.
PROGRAM OVERVIEW
This program provides a methodology for the identification and remediation of vulnerabilities within the operating systems and software of Drexel's servers and network devices. The Information Security Office will collaborate with System Owners and Administrators to perform periodic and on-demand scanning to identify vulnerabilities, missing system patches, and improper configurations in University systems and networks.
All system administrators and distributed IT staff groups will be required to review the vulnerability scan results for their managed systems and apply patches in a timely manner. System Administrators will be primarily responsible for patching the vulnerable system, replacing the vulnerable system with a different product, or changing system configuration.
Note: The Information Security Office will not be responsible for patching or configuring the systems.
AUTHORITY
Per University Policy Security of Information and Networked Systems (IT-4), "All Computing Systems are subject to security scans by IT. The technical and administrative contacts of registered Computing Systems will generally be told of a scan in advance and will be provided with the results of the scans. In the event that it is determined that the Computing Systems are susceptible to high- and medium-security risks, the System Administrator must cure the problem within 5 working days or be expressly excused by the IT. Systems Administrators should routinely monitor system logs to check for anomalies."
ROLES AND RESPONSIBILITIES
Oversight - CISO, Information Security
Vulnerability Management - Information Security Office
Patch and Mitigation Management - System Owner and Administrator
PROCESS
Vulnerability Intake and Tool Management
Drexel's methodology for assessing vulnerabilities includes multiple tools in order to provide a holistic assessment of the IT environment, as well as a Bug Bounty program and assessments by 3rd parties. Shodan is the designated tool for an initial assessment of Drexel assets that are accessible from the internet, and it provides regular alerts when new devices are discovered. Tenable SecurityCenter is the designated tool for assessing operating systems and network components, and it is configured for automated regular updates to the vulnerability database, risk rankings, and remediation documentation.
Assessment and Remediation Process
The assessment is structured such that devices are assessed, at a minimum, once every 30 days. The results of that assessment are forwarded to the Drexel team responsible for the maintenance of the assessed devices. Drexel's ticketing system is used when appropriate. The System Owner/Administrator is responsible for applying patches based on the criticality of the vulnerabilities and within the following timeframes. In some cases, scan results may yield false positives, patches may not be available, or applying fixes may not be possible; in those cases, risk mitigation techniques must be considered. System Owners will be responsible for reporting false positives and proposing mitigation techniques, subject to approval from the Information Security Office.
REMEDIATION TIMELINE
Severity (CVSS Base Score) | Remediation Time | Maximum Waiver Period (after discovery) | Waiver Approval
Critical (10.0)            | 15 days          | Not to exceed 6 months                  | CISO
High (7.0-10.0)            | 30 days          | Not to exceed 6 months                  | CISO
Medium (4.0-6.9)           | 60 days          | Not to exceed 6 months                  | CISO
Low (0.0-3.9)              | 90 days          | Maximum 1 year                          | CISO
Informational              | Waived           | Automatic Waiver                        | Automatic Waiver
Severity Level Definitions
Severity | Description
Critical | Remote methods for increasing user privileges and obtaining administrative privileges.
High     | Remote attacks against resource availability.
Medium   | Local methods for obtaining complete administrative privileges.
Low      | Local methods for increasing user privileges.
Info     | Local attacks against resource availability (e.g., various local Denial of Service attacks).
Note: Systems processing sensitive Institutional data should be prioritized and patched first, since the impact of a breach or compromise is higher for them than for systems that do not process sensitive data. For more information, please see our Data Classification document. In some cases, compliance requirements such as PCI or HIPAA might dictate shorter timeframes, which will be conveyed to the appropriate System Administrators.
Can't meet the remediation timeline? Contact the Information Security Office to discuss alternatives to ensure the systems are safe and secure.
GETTING STARTED
Need to perform a vulnerability scan? Please contact us at informationsecurity@drexel.edu.