Vulnerability Management Procedure

Version 1.3

For Students, Faculty, Staff, Guests, Alumni


The purpose of this procedure is to outline the steps in IT vulnerability management adhering to the Vulnerability Management Policy, to ensure that appropriate tools and methodologies are used to assess vulnerabilities in systems or applications, and to provide remediation.


This IT document, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, alumni, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Procedure Steps

The following phases must be followed to comply with this procedure:

  • Discovery Phase: vulnerabilities are identified in IT Resources
  • Prioritization Phase: discovered vulnerabilities and assets are reviewed, prioritized, and assessed using results from technical and risk reports
  • Planning Phase: mitigation efforts are devised
  • Remediation Phase: vulnerabilities are addressed
  • Validation Phase: subsequent analysis confirms that the remediation measures were successful

Discovery Phase

The following tools may be used to assess systems or applications for vulnerabilities [1]:

Prioritization Phase

  • Application and system owners should prioritize system or application vulnerabilities by the following methods:
    • Address confirmed severity level 5, 4, or 3 findings in Qualys
    • Address findings of all severity levels in Netsparker
  • Application and system owners must address findings related to content security policy configurations, application header configurations, or certificate configurations (e.g., self-signed certificates, weak encryption)
  • If the tools report conflicting severity levels, consult Information Security and Assurance for guidance on prioritization

Planning Phase

Vulnerability findings should be remediated and validated within the following time frames from initial discovery (the date the vulnerability was first detected on the respective IT Resource):

  • Within 30 Days:
    • All BitSight findings graded as BAD
    • Qualys VMDR confirmed severity levels 5 and 4
    • Qualys WAS high and critical levels
    • Confirmed Qualys VMDR severity levels 5, 4, and 3 on all systems within the PCI network
  • Within 60 Days:
    • Qualys confirmed severity level 3
    • Remaining Netsparker medium and low severity levels
  • Information Security and Assurance may identify findings that do not map directly to the assessment tools mentioned above; such findings may need to be addressed outside the time frames noted above.

Remediation Phase

System and application owners must do one or more of the following:

  • Deploy a mitigating control with Information Security and Assurance approval
  • Deploy patches
  • Upgrade
  • Remove or discontinue the use of the IT Resource
  • Deploy configuration changes

Validation Phase

  • System and application owners must confirm that the vulnerability no longer appears in the discovery tool
  • If remediation has taken place and the change is not reflected in a validation scan, or the finding is deemed not applicable (e.g., mitigating controls were implemented, or the vulnerability is a false positive), the application or system owner is responsible for notifying Information Security and Assurance via email at [email protected].

[1] Depending on the nature of the OS or application deployed, Information Security and Assurance may leverage alternative assessment tools or methodologies to determine vulnerabilities.


IT Resources include computing, networking, communications, application, and telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

A patch is a software update composed of code inserted (i.e., patched) into the code of an executable program. Typically, a patch is installed into an existing software program. Patches are often temporary fixes between full releases of a software package. Patches include, but are not limited to, the following:

  • Upgrading software
  • Fixing a software bug
  • Installing new drivers
  • Addressing security vulnerabilities
  • Addressing software stability issues

Remediation is an effort that resolves or mitigates a discovered vulnerability.

Vulnerability is a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Vulnerability management is the practice of identifying, classifying, remediating, and mitigating vulnerabilities.

Related Policies and Procedures

Implementation Information

Review Frequency: Annual
Responsible Person: Senior Director of IT Security and Assurance
Approved By: CISO
Approval Date: March 25, 2019

Revision History

Version   Date         Description
1.0       01/08/2018   Initial document
1.1       03/25/2019   Procedure updates
          05/08/2020   Periodic review
1.2       07/26/2021   Updated statement and removed products no longer in use
1.3       08/10/2022   Updated procedure statement
