Vulnerability Management Policy
Approved by Tracy Schroeder, Vice President of Information Services & Technology, April 9th, 2018. Last reviewed by the Vulnerability Advisory Board, December 15, 2022.
Purpose and Scope
Information Security (InfoSec) is charged with helping to protect the University’s electronic information. To do so, InfoSec conducts regular scans of the entire enterprise looking for misconfigured and/or unsecured electronic devices. InfoSec then works with IS&T, IT Partners, and other units, to verify and remediate discovered vulnerabilities, especially when a new threat has been discovered.
The policy applies to all IS&T managed systems. All non-IS&T IT organizations at the university are strongly encouraged to adopt this policy as well.
Baseline expectations
Per the University Policy Minimum Security Standards, systems are expected to be running currently supported operating systems and to be patched and maintained regularly.
In compliance with that policy, individuals responsible for systems connected to the University network are expected to allocate or obtain resources to remediate issues identified by the vulnerability scans that are not otherwise being addressed by regular patching.
Program Management
Vulnerability Management is a Service Component of the Server Security Services Client Service. The Director of Information Security is the Service Owner and is responsible for the oversight of this program. The Director shall appoint a Service Component Manager, who also serves as the Vulnerability Manager under this policy.
Technology
Vulnerability management tools evaluate patch levels and apply patches, scan for and fix configuration weaknesses, and identify software vulnerabilities on electronic devices and in the software applications running on them. Common vulnerability management tools consist of patch management tools, vulnerability scanners, and reporting and validation tools. Vulnerability scanners perform two kinds of checks: unauthenticated checks, which probe a host from the network and infer its state from exposed services and banners, and authenticated checks, which log in to the host and inspect installed packages and configuration directly. Authenticated checks are required because they are significantly more accurate, producing far fewer false positives and missed findings than network-only checks.
Authentication Requirements for Scanning
Scanning technologies work best by performing checks directly on the systems. A service account or equivalent with the privileges the tool needs, and no more, is required for these tools to work effectively. The Vulnerability Manager shall supply documentation on how to configure the needed privileges.
Process
The Director of Information Security shall charter a Vulnerability Advisory Board (VAB), led by the Vulnerability Manager and consisting of members as detailed in the VAB charter.
The VAB meets regularly to review and evaluate patch and vulnerability scan data, assign priorities to vulnerabilities, and determine which remediation projects will be assigned and executed over the upcoming days and months. Emergency VAB meetings take place on an as-needed basis to deal with urgent threats.
The VAB creates and assigns remediation projects, reports on progress in remediating vulnerabilities, escalates issues and risks relating to non-remediated vulnerabilities, and authorizes Systems Administration to assign patch and reboot schedules on behalf of unresponsive system owners.
Remediation Target Priorities
The following table defines how remediation priorities are assigned and the target resolution timeframe for vulnerabilities in each priority rank. The distinction between "days" (calendar days) and "business days" in these timeframes is deliberate: not every vulnerability can wait until the start of the next business day.
Priority Rank | Definition | Initial Assignment | Target Resolution
P1 | Vulnerability that is remotely exploitable with no compensating controls | 1 day | 2 days
P2 | Vulnerability that is remotely exploitable with compensating controls | 2 business days | 1 week
P3 | Vulnerability that is not remotely exploitable | routine patching | 45-60 days
P4 | Vulnerability that cannot immediately be exploited | routine patching | 90 days
It may be necessary to further prioritize hosts within the priority rankings above. Hosts should be prioritized according to Data Classification, with hosts containing Restricted Use data remediated first. Note that some compliance requirements, such as PCI, may dictate shorter resolution timeframes. Once Restricted Use systems are secured, the remainder should be remediated according to risk, considering the impact of a breach and the likelihood of compromise. Private network addressing and other compensating controls may be taken into account when ordering the list. The VAB may provide additional guidance on a case-by-case basis.
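The table and the host-ordering rules above are enough to drive a small scheduler. The following is an added worked example, not part of the policy and not the VAB's own tooling: it assigns a rank from the policy's definitions, orders findings within each rank so that Restricted Use hosts come first and then by a risk estimate, and computes assignment and resolution deadlines while honouring the calendar-day versus business-day distinction. Assumptions made here and not stated by the policy: a business day is Monday to Friday with no holidays modelled; "1 week" is 7 calendar days; P3 is booked at the tighter 45-day end of its 45-60 day window; a finding that cannot immediately be exploited is P4 regardless of remote reachability; `risk_score` stands in for the VAB's impact-and-likelihood judgement; the findings and the discovery date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Deadline spec: (count, unit) with unit "days" (calendar) or "business_days";
# None means "routine patching", i.e. no separate assignment deadline.
# Assumption: "1 week" = 7 calendar days, P3 booked at its 45-day lower bound.
Spec = Optional[Tuple[int, str]]
TARGETS = {
    1: ((1, "days"), (2, "days")),            # P1: remote, no compensating controls
    2: ((2, "business_days"), (7, "days")),   # P2: remote, with compensating controls
    3: (None, (45, "days")),                  # P3: not remotely exploitable
    4: (None, (90, "days")),                  # P4: cannot immediately be exploited
}


@dataclass
class Finding:
    host: str
    title: str                  # free-text scanner finding name (constructed)
    remotely_exploitable: bool
    compensating_controls: bool
    exploitable_now: bool
    restricted_use: bool        # host holds Restricted Use data per Data Classification
    risk_score: float = 0.0     # stand-in for the VAB's impact x likelihood estimate


def assign_priority(f: Finding) -> int:
    """Map the policy table's definitions onto ranks 1-4.

    Assumption: 'cannot immediately be exploited' is checked first, so such a
    finding is P4 even if the affected service is reachable remotely.
    """
    if not f.exploitable_now:
        return 4
    if f.remotely_exploitable:
        return 1 if not f.compensating_controls else 2
    return 3


def add_business_days(start: date, n: int) -> date:
    """Advance n weekday (Mon-Fri) steps from start; holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadline(start: date, spec: Spec) -> Optional[date]:
    if spec is None:
        return None
    count, unit = spec
    if unit == "days":
        return start + timedelta(days=count)
    return add_business_days(start, count)


def schedule(findings, found_on: date):
    """Order findings for remediation and attach policy deadlines.

    Sort key: priority rank first, then Restricted Use hosts before others
    within the rank, then higher risk first.
    """
    ranked = sorted(findings, key=lambda f: (assign_priority(f), not f.restricted_use, -f.risk_score))
    rows = []
    for f in ranked:
        p = assign_priority(f)
        init_spec, target_spec = TARGETS[p]
        rows.append({
            "host": f.host,
            "title": f.title,
            "priority": f"P{p}",
            "assign_by": deadline(found_on, init_spec),
            "resolve_by": deadline(found_on, target_spec),
        })
    return rows


# Constructed sample scan results; the discovery date is a Friday, which makes
# the calendar-day vs business-day gap visible in the P1 and P2 deadlines.
SAMPLE_FOUND_ON = date(2022, 12, 16)
SAMPLE_FINDINGS = [
    Finding("web-01", "outdated web server", True, False, True, False, 0.9),
    Finding("erp-01", "unpatched remote service", True, False, True, True, 0.7),
    Finding("db-02", "remote flaw behind firewall", True, True, True, True, 0.8),
    Finding("db-03", "local privilege escalation", False, False, True, True, 0.5),
    Finding("lab-09", "disabled vulnerable module", False, False, False, False, 0.1),
]


def sample_schedule():
    """Run the scheduler on the constructed sample, with dates as ISO strings."""
    return [
        {**r, "assign_by": r["assign_by"].isoformat() if r["assign_by"] else None,
         "resolve_by": r["resolve_by"].isoformat()}
        for r in schedule(SAMPLE_FINDINGS, SAMPLE_FOUND_ON)
    ]


if __name__ == "__main__":
    for row in sample_schedule():
        print(f'{row["priority"]} {row["host"]:8} assign by {row["assign_by"]}  resolve by {row["resolve_by"]}')
```

Note how the P1 finding discovered on a Friday is due for assignment on Saturday and resolution on Sunday, whereas the P2 assignment deadline skips the weekend; that is exactly the difference the table's wording is meant to preserve.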
Exemptions from the Scanning Process
Vulnerability management scanning is an essential practice for a secure organization and the goal is to have 100% participation. If participation creates issues for a system, the system owner or administrator shall work directly with Information Security and/or the VAB to review possible options. Those options might include disabling a specific vulnerability check that may be causing an issue. An approach that solves the specific problem will be preferred over a general exemption as more general exemptions may cause critical vulnerabilities to be missed.
Exemptions from vulnerability scanning for an entire system will be granted only after a Risk Acceptance Form has been signed by the head of the unit and submitted to Information Security to obtain approval from the Vice President of IS&T or an assigned designee.
Note: Private network addressing and departmental or host-based firewall rules are generally not considered sufficient compensating controls, because such rules are often disabled or removed for troubleshooting purposes, which would leave these systems open to attack.
Authority
The University Policy Minimum Security Standards states that "systems should be routinely scanned for vulnerabilities and discovered vulnerabilities should be remediated swiftly." In accordance with the Cybersecurity Training, Compliance, and Remediation policy, IS&T will conduct routine scans and audits of computing technologies connected to the university network for vulnerabilities that may indicate a lack of compliance with the Minimum Security Standards.