Vulnerability Management Procedure

Version 1.1

Purpose

The purpose of this procedure is to outline the steps in IT vulnerability management adhering to the Vulnerability Management Policy, to ensure that appropriate tools and methodologies are used to assess vulnerabilities in systems or applications, and to provide remediation.

Scope

This IT document, and all policies referenced herein, shall apply to all members of the University community including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Steps

The following phases must be followed to comply with this procedure:

Discovery Phase

Vulnerabilities are identified on IT Resources

Prioritization Phase

Discovered vulnerabilities and assets are reviewed, prioritized, and assessed using results from technical and risk reports

Planning Phase

Mitigation efforts are devised

Remediation Phase

Vulnerabilities are addressed

Validation Phase

Successful remediation measures are determined by subsequent analysis

Discovery Phase

The following tools may be used to assess systems or applications for vulnerabilities[1]:

Prioritization Phase

  • Application and system owners should prioritize system or application vulnerabilities by the following methods:
    • Address confirmed severity level 5, 4, or 3 findings in Qualys
    • Address findings of all severity levels in Netsparker
  • Application and system owners must address content security policy configuration, application header configuration, or certificate configuration (e.g., self-signed, weak encryption) findings
  • If severity levels conflict among the tools, consult the UISO for guidance on prioritization

Planning Phase

Vulnerability findings should be remediated and validated within the following time frames from initial discovery (the date the vulnerability was first detected on the respective IT Resource):

  • Within 30 Days:
    • All BitSight related findings (should have been taken into account during the development process)
    • Qualys confirmed severity levels 5 and 4
    • Netsparker high and critical levels
    • Binary Risk Model finding of high
    • Confirmed Qualys severity levels 5, 4, and 3 on all systems within the PCI network
  • Within 60 Days:
    • Qualys confirmed severity level 3
    • Remaining Netsparker medium and low severity levels
    • Binary Risk Model finding of medium
  • The UISO may identify findings that do not map directly to the assessment tools mentioned above; such findings may need to be addressed outside the time frames noted above.

Remediation Phase

System and application owners must do one or more of the following:

  • Deploy mitigating control with UISO approval
  • Deploy patches
  • Upgrade
  • Remove or discontinue the use of the IT Resource
  • Deploy configuration changes

Validation Phase

  • Deploy the risk management assessment
  • System and application owners must confirm that the vulnerability no longer appears within the discovery tool
  • If remediation has taken place but the change is not reflected in a validation scan, or the finding is deemed not applicable to the system, the application or system owner is responsible for notifying the UISO via email at infosec@fordham.edu (e.g., if mitigating controls were implemented or the vulnerability is a false positive).

[1] Depending on the nature of an OS or application deployed, the University Information Security Office (UISO) may leverage alternative assessment tools or methodologies to determine vulnerabilities.

Definitions

IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

A patch is a software update comprising code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following:

  • Upgrading software
  • Fixing a software bug
  • Installing new drivers
  • Addressing security vulnerabilities
  • Addressing software stability issues

Remediation is an effort that resolves or mitigates a discovered vulnerability.

Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Director, IT Security
Approved By: CISO
Approval Date: March 25, 2019

Revision History

Version  Date        Description
1.0      01/08/2018  Initial document
1.1      03/25/2019  Procedure updates