PURPOSE AND SCOPE
The Vulnerability Management program, governed by the Information Security Office, manages vulnerabilities in the information and networked systems of University Schools and Departments. Its goal is to scan those systems periodically, and again whenever a newly disclosed vulnerability affects them, and to ensure that all critical and high vulnerabilities are remediated within a defined time-frame before they can be exploited or cause a disruption of services.
The Information Security Office will collaborate with System Owners and Administrators to perform periodic and on-demand scanning that identifies vulnerabilities, missing system patches and improper configurations in University systems and networks. This process allows us to continuously monitor our IT infrastructure for security gaps and the risks associated with them. By identifying and mitigating those gaps we reduce the likelihood that attackers penetrate our networks and steal information.
All system administrators and distributed IT staff groups are required to review the vulnerability scan results for the systems they manage and to apply patches in a timely manner. System Administrators are primarily responsible for patching the vulnerable system, replacing it with a different product, or changing its configuration. In some cases the Information Security Office will provide limited assistance with migrating a system to a more secure environment, limiting access with a firewall, and increasing monitoring to detect anomalies.
Note: The Information Security Office will not be responsible for patching or configuring the systems.
Per University Policy Security of Information and Networked Systems (IT-4), "All Computing Systems are subject to security scans by IT. The technical and administrative contacts of registered Computing Systems will generally be told of a scan in advance and will be provided with the results of the scans. In the event that it is determined that the Computing Systems are susceptible to high- and medium-security risks, the System Administrator must cure the problem within 5 working days or be expressly excused by the IT. Systems Administrators should routinely monitor system logs to check for anomalies."
ROLES AND RESPONSIBILITIES
Oversight – CISO, Information Security
Vulnerability Management – Information Security Office
Patch and Mitigation Management – System Owner and Administrator
The System Owner/Administrator is responsible for applying patches according to the criticality of the vulnerability, within the following time-frames. Where a scan result is a false positive, no patch is available, or the fix cannot be applied, risk mitigation techniques must be considered instead. System Owners are responsible for reporting false positives and proposing mitigation techniques, subject to approval by the Information Security Office.
Critical (10.0*) - 5 days
High (7.0-9.9*) - 10 days
Medium (4.0-6.9*) - 30 days
Low/Informational (0.0-3.9*) - Best effort
*CVSS Base Score
Note: Systems that process sensitive Institutional data should be prioritized and patched first, since the impact of a breach or compromise is higher for them than for systems that process only non-sensitive data. For more information, please see our Data Classification document. In some cases, compliance requirements such as PCI or HIPAA may dictate shorter time-frames; these will be conveyed to the appropriate System Administrators.
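As an added illustration, not part of this procedure, the following Python script applies the remediation windows above to a scan export and produces a triage list: each finding is assigned its severity band and due date, compliance overrides are applied where they are shorter than the policy window, and findings on systems holding sensitive data are listed first. The CSV layout, the hostnames and findings in the sample export, and the override value for PCI are all constructed assumptions for the example; the only hard numbers taken from the page are the CVSS bands and the 5/10/30-day windows. A score of exactly 10.0 is treated as Critical and 7.0-9.9 as High.

```python
"""Triage vulnerability scan findings against the remediation time-frames.

Added example; not part of the original procedure. The CSV column names,
sample hosts/findings and the compliance override values are assumptions.
"""
import csv
import io
from datetime import date, timedelta


def classify(score):
    """Map a CVSS base score to (severity, days); days is None for best effort."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score out of range: %r" % score)
    if score == 10.0:
        return "Critical", 5       # page: Critical (10.0) - 5 days
    if score >= 7.0:
        return "High", 10          # page: High (7.0-9.9) - 10 days
    if score >= 4.0:
        return "Medium", 30        # page: Medium (4.0-6.9) - 30 days
    return "Low", None             # page: Low/Informational - best effort


# Hypothetical compliance overrides: framework -> {severity: max days}.
# The 15-day value is a placeholder for illustration, not a PCI requirement.
COMPLIANCE_OVERRIDES = {"PCI": {"Medium": 15}}


def effective_days(severity, days, compliance):
    """Use the shorter of the policy window and any compliance override."""
    override = COMPLIANCE_OVERRIDES.get(compliance, {}).get(severity)
    if days is None:
        return override
    if override is None:
        return days
    return min(days, override)


def triage(csv_text, today):
    """Parse a scan export and return findings sorted by remediation priority.

    Ordering: sensitive-data systems first, then overdue findings, then the
    nearest due date, then hostname. Best-effort findings have no due date.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["cvss_base"])
        severity, days = classify(score)
        days = effective_days(severity, days, row["compliance"])
        first_seen = date.fromisoformat(row["first_seen"])
        due = first_seen + timedelta(days=days) if days is not None else None
        findings.append({
            "host": row["host"],
            "title": row["title"],
            "score": score,
            "severity": severity,
            "sensitive": row["sensitive"].strip().lower() == "yes",
            "due": due,
            "overdue": due is not None and due < today,
        })
    findings.sort(key=lambda f: (not f["sensitive"], not f["overdue"],
                                 f["due"] or date.max, f["host"]))
    return findings


# Constructed sample export; hosts and findings are invented for the example.
SAMPLE_SCAN = """host,title,cvss_base,first_seen,sensitive,compliance
db01.example.edu,Unsupported database version,10.0,2024-03-10,yes,PCI
web02.example.edu,Outdated TLS configuration,7.5,2024-03-15,no,
db01.example.edu,Weak file permissions on backups,5.0,2024-03-01,yes,PCI
lab07.example.edu,Banner discloses server version,2.1,2024-01-01,no,
web02.example.edu,Unpatched web framework,9.8,2024-03-12,no,
"""


def report(csv_text, today):
    """Render the triage list as text lines for the system administrator."""
    lines = []
    for f in triage(csv_text, today):
        due = f["due"].isoformat() if f["due"] else "best effort"
        flag = "OVERDUE" if f["overdue"] else ""
        lines.append("%-18s %-8s %4.1f due %-11s %s %s" % (
            f["host"], f["severity"], f["score"], due,
            "[sensitive]" if f["sensitive"] else "", flag))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN, date(2024, 3, 20))))
```

Run with a real scanner export by matching the column names to your tool's CSV; the sort order implements the note above (sensitive systems first) without shortening their windows, because the page only asks that they be prioritized, not that they receive a different deadline.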
Can't meet the remediation timeline? Contact the Information Security Office to discuss alternatives to ensure the systems are safe and secure.
Need to perform a vulnerability scan? Please contact us at email@example.com.
Note: At the request of the System Owner, the Information Security Office can also perform penetration tests, which go beyond scanning to actively exploit identified vulnerabilities.