Vulnerability Management Procedure
For Students, Faculty, Staff, Guests, Alumni
The purpose of this procedure is to outline the steps in IT vulnerability management adhering to the Vulnerability Management Policy, to ensure that appropriate tools and methodologies are used to assess vulnerabilities in systems or applications, and to provide remediation.
This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.
The following phases must be followed to comply with this procedure:
Vulnerabilities are identified in IT Resources
Discovered vulnerabilities and assets are reviewed, prioritized, and assessed using results from technical and risk reports
Mitigation efforts are devised
Vulnerabilities are addressed
Successful remediation measures are determined by subsequent analysis
The following tools may be used to assess systems or applications for vulnerabilities1:
- Application and system owners should prioritize system or application vulnerabilities by the following methods:
- Address confirmed severity levels 5, 4, or 3 findings in Qualys
- Address all severity levels findings in Netsparker
- Application and system owners must address content security policy configurations, application header configurations, or certificate configurations (e.g., self-signed, weak encryption) findings
- If there are conflicting severity levels among the tools, consult the Information Security and Assurance for guidance on prioritization
Remediation for the vulnerability findings should be mitigated and validated within the following time frame from initial discovery (first detected date of vulnerability on respective IT Resources):
- Within 30 Days:
- All BitSight findings graded as BAD
- Qualys VMDR confirmed severity levels 5 and 4
- Qualys WAS high and critical levels
- Confirmed Qualys VMDR severity levels 5, 4, and 3 on all systems within the PCI network
- Within 60 Days
- Qualys confirmed severity level 3
- Remaining Netsparker medium and low severity levels
- Information Security and Assurance may identify findings not directly in-line with the assessment tools mentioned above and may need to be addressed outside the noted days mentioned above.
System and application owners must do one or more of the following:
- Deploy mitigating control with Information Security and Assurance approval
- Deploy patches
- Remove or discontinue the use of the IT Resource
- Deploy configuration changes
- System and applications owners must confirm the vulnerability no longer appears in the discovery tool
- If remediation has taken place, and the change is not reflected in a validation scan or deemed not applicable (e.g., if mitigating controls were implemented, vulnerability is a false positive), the application or system owner is responsible for letting the Information Security and Assurance know via email at firstname.lastname@example.org.
1Depending on the nature of an OS or application deployed, Information Security and Assurance may leverage alternative assessment tools or methodologies to determine vulnerabilities.
IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.
A patch is a software update comprised of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited, to the following:
- Upgrading software
- Fixing a software bug
- Installing new drivers
- Addressing security vulnerabilities
- Addressing software stability issues
Remediation is an effort that resolves or mitigates a discovered vulnerability.
Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities.
Related Policies and Procedures
|Responsible Person:||Senior Director of IT Security and Assurance|
|Approval Date:||March 25, 2019|
|1.2||07/26/2021||Updated statement and removed products no longer in use|
|1.3||08/10/2022||Updated procedure statement|