Vulnerability Management Standard

Standard Number: 1.11.2.1.2
Category: Information Security
Owner: Information Security Services
Effective: February 2, 2022
Revision History: None
Review Date: February 1, 2025

1. Purpose, Scope, and Responsibilities
   

   1. Pursuant to the Information Security Policy, to identify potential internal and external threats to University Data, the University will conduct Vulnerability scans. The purpose of this Standard is to establish the rules and requirements for how the University will identify, assess, and remediate Vulnerabilities.
   2. This Standard is based on NIST 800-53, Risk Assessment (RA-5) Vulnerability Scanning and provides a framework for performing Vulnerability scans and corrective actions to protect the Campus Network.
   3. This Standard applies to University Technology Resources connected to the Campus Network. It does not apply to content found in email or digital documents.
   4. The Chief Information Officer, supported by the Chief Information Security Officer, is responsible for the implementation and enforcement of this Standard.
   5. Information Security Services (“ISS”) is responsible for administering the network Vulnerability scanning tool (“NetVuln”), the web application scanning tool (“AppScan”) and for keeping both updated with the information and signatures of the latest Vulnerabilities that can be exploited as well as conducting Vulnerability scans pursuant to the requirements identified within this document.
   6. All Information System Owners are responsible for providing the documentation required to facilitate a Vulnerability scan and remediating all unauthenticated external High and/or unauthenticated Critical Vulnerabilities detected within the University Information System(s) they oversee.
   7. Academic IT Leaders are responsible for ensuring the University Technology Resources they oversee are scanned, remediating all High and/or Critical Vulnerabilities identified by unauthenticated scans, and identifying all False Positives.
   8. Pursuant to the University-Owned Device Standard and Secure Server Standard, server and device administrators are responsible for ensuring the devices they manage and keeping the operating systems and software kept up to date.

2. Vulnerability Classification
   

   1. All Vulnerabilities detected by ISS scanning tools are assigned a severity level based on the National Vulnerability Database Common Vulnerability Scoring System (“CVSS”) Base Score Metrics: Critical, High, Medium, Low, or Informational.
      1. Critical. Indicates flaws could be easily exploited by an unauthenticated remote attacker and lead to compromise (CVSS Score 9.0-10.0).
      2. High. Indicates local users can gain privileges, allow unauthenticated, remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service (CVSS Score 7.0-8.9).
      3. Medium. Indicates flaws may be more difficult to exploit but could still lead to compromise under certain circumstances (CVSS score 4.0-6.9).
      4. Low. Indicates Vulnerabilities require unlikely circumstances to be able to be exploited or where a successful exploit would cause either no adverse effect or result in minimal adverse consequences (CVSS score 0.1-3.9).
      5. Informational. Useful information that is more general information about the system and how it operates. Mostly configuration choices rather than a real vulnerability (CVSS score 0).

3. Campus Network Scans
   

   1. The following Vulnerability scans are conducted to detect security weaknesses within the Campus Network:
      1. Weekly Unauthenticated Scans of individual IP addresses and newly created or modified University Technology Resources deployed on the Campus Network;
      2. Authenticated Scans of IP addresses as requested;
      3. Authenticated Scans of vendor-hosted IPs as requested; and,
      4. Monthly Unauthenticated Scan of all public University IPs from outside of the Campus Network (“External”).
   2. Attempts to block scans or access from the network Vulnerability scanner are prohibited.
   3. Pursuant to the Acceptable Use of University Technology Resources and Data Policy, use of tools that are used to assess security or to attack computer systems or networks (e.g., password crackers, Vulnerability scanners, network sniffers) without ISS’ authorization is prohibited.
   4. Campus Network Vulnerabilities must be remediated as follows:
      1. Critical via Unauthenticated Scans must be remediated or mitigated within 90 days of discovery.
      2. High via External, Unauthenticated Scans must be remediated or mitigated within 90 days of discovery.

4. Web Application Scans
   

   1. Authenticated Scans are required for those University Information Systems that are identified as Mission Critical Services as part of an annual risk assessment process.
   2. Information System Owners must complete the required documentation to facilitate a web application scan (e.g., scan checklist, self-assessment questionnaire).
   3. Authenticated Scans of web applications are required for requests to purchase or renew a University Information System that stores Sensitive Data or upon request.
      1. Third-party web application Vulnerability scans may be accepted in lieu of ISS conducting a web application scan, provided the scan has been conducted within the previous twelve (12) months and specifically tested for web application Vulnerabilities (e.g., OWASP Top 10), Authentication mechanisms, and all pages to which a University user would have access.
      2. Vendors must complete the required documentation to facilitate a web application scan (e.g., scan checklist, self-assessment questionnaire).
   4. Remediation of web application Vulnerabilities classified as Critical or High must be approved by ISS prior to purchase or renewal or risk disallowing use of application.
   5. High and Critical Vulnerabilities directly related to missing security patches must be evaluated within 60 days of the patch being released.
   6. Vulnerabilities classified as Informational, Low, or Medium are not required to be remediated; however, Information System Owners must take note of the Vulnerability and make attempts to remediate it as soon as feasible.
   7. Remediation scans will be conducted by ISS to validate remediation of identified High/Critical Vulnerabilities.
   8. If a Vulnerability cannot be remediated, compensating controls must be put in place to mitigate the Vulnerability.
   9. University Technology Resources with identified Critical/High Vulnerabilities that cannot be remediated within 90 days must be approved by Senior Management to accept the risk the Vulnerability presents to the University and continue to connect to the Campus Network.
   10. Such Technology Risks will only be approved for a maximum of one year.
   11. University Technology Resources with Critical/High Vulnerabilities that are not remediated or approved by Senior Management will be blocked from connecting to the Campus Network.

5. Critical Patching

   1. Critical Vulnerabilities also identified as ‘Exploit Available’ within Netvuln are considered Critical Patches.
   2. All Critical Patches must be implemented within 30 days. This includes the time it takes to test the patch.
   3. Critical Patches must be tested on development systems before being rolled out to production, when possible.
   4. Once applied, end user devices may require a reboot to apply updates. Although a deferral period may normally be provided to an end user to accept a system update, if end users do not opt to install a Critical Patch within 10 days, a reboot will be forced.
   5. Critical Patches that cannot be implemented within 30 days must be submitted as a compliance exception indicating the compensating controls that will be implemented. This includes instances when a vendor does not provide a Critical Patch to remediate a Critical and Exploited Vulnerability.
   6. Critical Patches released by a vendor outside of their normal release cycle released to address a previously unknown exploit (“zero day exploit”) must be installed immediately.
   7. In the instance that a Critical Patch addresses a Critical Vulnerability that poses a significant risk to the University, Information Security Services will notify Academic IT Leaders to expedite installation.

6. Vulnerability Procedures

   1. All campus IT directors must have the following Vulnerability management procedures documented:
      1. The steps taken to remediate Vulnerabilities; and,
      2. Written procedures for patch management, including application of Critical Patches, timeframe for patching; approval from vendors for patches within your configuration; approval for deployment; and rollback process.

7. Exceptions

   1. Cloud or third-party vendor application not under direct control of the University and function outside of the Campus Network will not be scanned except on purchase or purchase renewal unless a scan is requested.

8. Definitions

   1. “Authenticated Scan” means a vulnerability scan performed as a logged-in authenticated user.
   2. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
   3. “False Positives” means incorrectly classification of a benign activity as malicious or vulnerability.
   4. “Mission Critical Services” means a service required to conduct the essential mission-oriented operations of the University, including teaching and learning. Unplanned interruptions in service have an immediate and widespread impact on critical University operations and typically result in a very negative customer experience. Examples include Banner, MAP, Kuali, CS Gold, and eCampus.
   5. “Risk” means the relative impact that an exploited vulnerability would have to a user’s environment.
   6. “Threat Likelihood” means the likelihood or frequency of a harmful event occurring.
   7. “Senior Management” means vice presidents, assistant vice presidents, associate vice president, deans, or directors responsible for reviewing and accepting institutional risks to the University.
   8. “Unauthenticated Scan” means a vulnerability scan performed to identify vulnerabilities that are accessible without logging in as an authorized user.
   9. “Vulnerability Scan” means a technique used to identify weaknesses in an information system, system security procedures, internal controls, or implementation that could be exploited or trigger by a threat source.
   10. “Vulnerability” means a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

Related Documents

• Information Security Policy
• Acceptable Use of Data and Technology Resources Policy
• SOP.2.1.003 Web Application Vulnerability Assessment Procedure
• SOP.2.1.002 Network Vulnerability Assessment Procedure