Vulnerability Management Policy

Approved by Tracy Schroeder, Vice President of Information Services & Technology, April 9th, 2018

Purpose and Scope

Information Security (InfoSec) is charged with helping to protect the University’s electronic information. To do so, InfoSec conducts regular scans of the entire enterprise looking for misconfigured and/or unsecured electronic devices. InfoSec then works with IS&T, IT Partners, and other units, to verify and remediate discovered vulnerabilities, especially when a new threat has been discovered.

The policy applies to all IS&T managed systems. All non-IS&T IT organizations at the university are strongly encouraged to adopt this policy as well.

Baseline expectations

Per the University Policy on Minimum Security Standards, systems are expected to be running currently supported operating systems, patched, and maintained regularly.

In compliance with that policy, individuals responsible for systems connected to the University network are expected to allocate or obtain resources to remediate issues identified by the vulnerability scans that are not otherwise being addressed by regular patching.

Program Management

Vulnerability Management is a Service Component of the Server Security Client Service. The Director of Information Security is the Service Owner and is responsible for the oversight of this program. The Director shall appoint a Service Component Manager, who also serves as the Vulnerability Manager under this policy.

Technology

Vulnerability management tools evaluate patch levels and apply patches, scan for and fix configuration weaknesses, and identify software vulnerabilities on electronic devices and the software applications running on them. Common vulnerability management tools consist of patch management tools, vulnerability scanners, and reporting and validation tools. Vulnerability scanning tools work by performing authenticated and unauthenticated checks. Authenticated checks are required as they are significantly more accurate.

Authentication Requirements for Scanning

Scanning technologies work best by performing checks directly on the systems. A service account with appropriate privileges is needed in order for these tools to work effectively. The Vulnerability Manager shall supply documentation on how to configure the needed service account.

Process

The Director of Information Security shall charter a Vulnerability Advisory Board (VAB), led by the Vulnerability Manager and consisting of members as detailed in the VAB charter.

The VAB meets regularly to review and evaluate patch and vulnerability scan data, assign priorities to vulnerabilities, and determine what remediation projects will be assigned and executed for the upcoming days/month(s). Emergency VAB meetings will take place on an as-needed basis to deal with urgent threats.

The VAB creates and assigns remediation projects, reports on progress in remediating vulnerabilities, escalates issues and risks relating to non-remediated vulnerabilities, and authorizes Systems Administration to assign patch and reboot schedules on behalf of unresponsive system owners.

Remediation Target Priorities

The following table defines how remediation priorities will be assigned and the target resolution timeframe for vulnerabilities in each priority rank. The use of “days” versus “business days” in expressing times is significant – not all vulnerabilities can wait until the start of the next business day.

Priority Rank | Definition                                                                | Initial Assignment | Target Resolution
R1            | Vulnerability that is remotely exploitable with no compensating controls  | 1 day              | 2 days
R2            | Vulnerability that is remotely exploitable with compensating controls     | 2 business days    | 1 week
R3            | Vulnerability that is not remotely exploitable                            | 5 business days    | 30 days
R4            | Vulnerability that cannot immediately be exploited                        | 1 month            | 90 days


It may be necessary to further prioritize hosts within the priority rankings above. Hosts should be prioritized according to Data Classification, with hosts containing Restricted Use data remediated first. Note that some compliance requirements, such as PCI, might dictate shorter resolution time frames. Once Restricted Use systems are secured, the remainder should be remediated according to risk, considering the impact of a breach and the likelihood of compromise. The use of private network addressing and other compensating controls may be taken into account when prioritizing the list. The VAB may provide additional guidance on a case-by-case basis.

Exemptions from the Scanning Process

Vulnerability management scanning is an essential practice for a secure organization, and the goal is to have 100% participation. If participation creates issues for a system, the system owner or administrator shall work directly with Information Security and/or the VAB to review possible options. Those options might include disabling a specific vulnerability check that may be causing an issue. An approach that solves the specific problem will be preferred over a general exemption, as more general exemptions may cause critical vulnerabilities to be missed.

Exemptions from vulnerability scanning for an entire system will be granted only after a Risk Acceptance Form has been signed by the head of the unit and submitted to Information Security for approval by the Vice President of IS&T or an assigned designee.

Note: Private network and/or departmental or host-based firewall rules are generally not considered sufficient compensating controls, because these rules are often disabled and/or removed for troubleshooting purposes, which would leave these systems open to attack.

Authority

The University Policy on Minimum Security Standards states that “systems should be routinely scanned for vulnerabilities and discovered vulnerabilities should be remediated swiftly.” In accordance with the Education Compliance and Remediation Policy, Information Security is authorized to scan Boston University networks for vulnerabilities.

References

Vulnerability Management Service Page

Minimum Security Standards

Education Compliance and Remediation Policy