Approved by Tracy Schroeder, Vice President of Information Services & Technology, April 9th<\/sup>, 2018. Last reviewed by the Vulnerability Advisory Board, December 15,2022.<\/span><\/span>\u00a0<\/span><\/p>\n Information Security (InfoSec) is charged with helping to protect the University\u2019s electronic information. To do so, InfoSec conducts regular scans of the entire enterprise looking for misconfigured and\/or unsecured electronic devices. InfoSec then works with IS&T, IT Partners, and other units, to verify and remediate discovered vulnerabilities, especially when a new threat has been discovered.<\/span>\u00a0<\/span><\/p>\n The policy applies to all IS&T managed systems.\u00a0 All non-IS&T IT organizations at the university are strongly encouraged to adopt this policy as well.<\/span>\u00a0<\/span><\/p>\n Per University Policy <\/span>Minimum Security Standards<\/span><\/a> systems are expected to be running currently supported operating systems, patched, and maintained regularly.\u00a0<\/span>\u00a0<\/span><\/p>\n In compliance with that policy, individuals responsible for systems connected to the University network are expected to allocate or obtain resources to remediate issues identified by the vulnerability scans that are not otherwise being addressed by regular patching.\u00a0<\/span><\/p>\n Vulnerability <\/span>Management is a <\/span>Service Component <\/span>of <\/span>the <\/span>Server Security <\/span>Services <\/span>Client Service<\/span>.\u00a0 The Director <\/span>of Information Security is the S<\/span>ervice <\/span>O<\/span>wner <\/span>and <\/span>is <\/span>responsible for the oversight of this <\/span>program.<\/span>\u00a0 <\/span>The Director <\/span>shall <\/span>appoint a Service Component Manager, who also serves as the Vulnerability Manager under this policy.<\/span><\/span><\/p>\n Vulnerability management tools evaluate patch levels<\/span> and apply patches<\/span>, <\/span>scan for and fix <\/span>configuration weaknesses, and identify software vulnerabilities on electronic devices and the software applications running on them. <\/span>Common vulnerability management tools consist of patch management tools, vulnerability scanners, and reporting and validation tools.<\/span> Vulnerability scanning tools <\/span>work by performing <\/span>authenticated and unauthenticated <\/span>checks.\u00a0 <\/span>Authenticated <\/span>checks are required as they are significantly more accurate.\u00a0<\/span><\/p>\n Scanning <\/span>technologies work best by performing checks<\/span> directly on the systems.\u00a0 A <\/span>service account<\/span> or equivalent<\/span> with <\/span>appropriate <\/span>privileges <\/span>is <\/span>need<\/span>ed<\/span> <\/span>for<\/span> these tools to work effectively.<\/span>\u00a0 The <\/span>Vulnerability <\/span>Manager shall supply documentation on how to configure the needed <\/span>privileges<\/span>.<\/span>\u00a0<\/span><\/span><\/p>\n The Director of Information Security shall charter a Vulnerability Advisory Board (VAB), led by the Vulnerability Manager and consisting of members as detailed in the VAB charter.\u00a0<\/span>\u00a0<\/span><\/p>\n The VAB meets regularly to review and evaluate patch and vulnerability scan data, assign priorities to vulnerabilities, and determine what remediation projects will be assigned and executed for the upcoming days\/month(s).\u00a0 Emergency VAB meetings will take place on an as needed basis to deal with urgent threats.<\/span>\u00a0<\/span><\/p>\n The VAB creates and assigns remediation projects, reports on progress in remediating vulnerabilities, escalates issues and risks relating to non-remediated vulnerabilities, and authorizes Systems Administration to assign patch and reboot schedules on behalf of unresponsive system owners.<\/span>\u00a0<\/span><\/p>\n The following table defines how remediation priorities will be assigned and the target resolution timeframe for vulnerabilities in each priority <\/span>rank<\/span>.\u00a0 The use of \u201cdays\u201d versus \u201cbusiness days\u201d in expressing times is significant \u2013 not all vulnerabilities can wait until the start of the next business day.<\/span><\/span>\u00a0<\/span><\/p>\n<\/a>Purpose and Scope<\/h2>\n
<\/a>Baseline expectations<\/h2>\n
<\/a>Program Management<\/h2>\n
<\/a>Technology<\/h3>\n
Authentication Requirements for Scanning<\/h4>\n
<\/a>Process<\/h3>\n
<\/a>Remediation Target Priorities<\/h3>\n