Vulnerability Management Procedure
The purpose of this procedure is to outline the steps in IT vulnerability management adhering to the Vulnerability Management Policy, to ensure that appropriate tools and methodologies are used to assess vulnerabilities in systems or applications, and to provide remediation.
This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
The following phases must be followed to comply with this procedure:
Vulnerabilities are identified on IT Resources
Discovered vulnerabilities and assets are reviewed, prioritized, and assessed using results from technical and risk reports.
Mitigation efforts are devised
Vulnerabilities are addressed
Successful remediation measures are determined by subsequent analysis
The following tools may be used to assess systems or applications for vulnerabilities1.
- Address confirmed severity levels 5, 4, or 3 findings in Qualys Vulnerability Management Detection and Response (VMDR)
- Address all severity levels findings in Qualys Web Application Scanning (WAS)
- Application and system owners must address content security policy configurations, application header configurations, or certificate configurations (e.g., self-signed, weak encryption) findings.
- If there are conflicting severity levels among the tools, consult Information Security and Assurance (ISA) for guidance to prioritization.
Remediation for the vulnerability findings should be mitigated and validated within the following time-frame from initial discovery (first detected date of vulnerability on respective IT Resources):
- Within 30 Days:
- All BitSight related findings (should have been taken into account during the development process)
- Qualys VMDR confirmed severity levels 5 and 4
- Qualys WAS high and critical levels
- Binary Risk Model finding of high
- Confirmed Qualys VMDR severity levels 5, 4, and 3 on all systems within the PCI network
- Within 60 Days
- Qualys VMDR confirmed severity level 3
- Remaining Qualys WAS medium and low severity levels
- Binary Risk Model finding of medium
- The ISA may identify findings not directly in line with the assessment tools mentioned above and may need to be addressed outside the noted days mentioned above.
System and application owners must do one or more of the following:
- Deploy mitigating control with ISA approval
- Deploy patches
- Remove or discontinue the use of the IT Resource
- Deploy configuration changes
- Deploy the risk management assessment
- System and applications owners must confirm the vulnerability no longer appears within the discovery tool.
- If remediation has taken place, and the change is not reflected in a validation scan or deemed not applicable to the system, the application or system owner is responsible for letting the ISA know via email at email@example.com (e.g., if mitigating controls were implemented, vulnerability is a false positive).
1 Depending on the nature of an OS or application deployed, Information Security and Assurance (ISA) may leverage alternative assessment tools or methodologies to determine vulnerabilities.
IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
A patch is a software update comprised of code inserted (i.e., patched) into an executable program code. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited, to the following:
- Upgrading software
- Fixing a software bug
- Installing new drivers
- Addressing security vulnerabilities
- Addressing software stability issues
Remediation is an effort that resolves or mitigates a discovered vulnerability.
Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.
Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities.
Related Policies and Procedures
|Responsible Person:||Senior Director, IT Security Operations and Assurance|
|Approval Date:||March 25, 2019|
|1.2||07/26/2021||Updated statement and removed products no longer in use|