Standard Number: 184.108.40.206.2
Category: Information Security
Owner: Information Security Services
Effective: September 24, 2020
Revision History: None
Review Date: September 23, 2023
Purpose, Scope, and Responsibilities
- Pursuant to the Information Security Policy, to identify potential internal and external threats to University Data, the University will conduct Vulnerability scans. The purpose of this Standard is to establish the rules and requirements for how the University will identify, assess, and remediate Vulnerabilities.
- This Standard is based on NIST 800-53, Risk Assessment (RA-5) Vulnerability Scanning and provides a framework for performing Vulnerability scans and corrective actions to protect the Campus Network.
- This Standard applies to University Technology Resources connected to the Campus Network. It does not apply to content found in email or digital documents.
- The Chief Information Security Officer is responsible for the implementation and enforcement of this Standard.
- Information Security Services (“ISS”) is responsible for administering the network Vulnerability scanning tool (“NetVuln”), the web application scanning tool (“AppScan”) and for keeping both updated with the information and signatures of the latest Vulnerabilities that can be exploited as well as conducting Vulnerability scans pursuant to the requirements identified within this document.
- All Information System Owners are responsible for providing the documentation required to facilitate a Vulnerability scan and remediating all unauthenticated external High and/or unauthenticated Critical Vulnerabilities detected within the University Information System(s) they oversee.
- Academic IT Leaders are responsible for ensuring the University Technology Resources they oversee are scanned, remediating all High and/or Critical Vulnerabilities identified by unauthenticated scans, and identifying all False Positives.
All Vulnerabilities detected by ISS scanning tools are assigned a severity level based on the National Vulnerability Database Common Vulnerability Scoring System (“CVSS”) Base Score Metrics: Critical, High, Medium, Low, or Informational.
- Critical. Indicates flaws that could be easily exploited by an unauthenticated remote attacker and lead to compromise (CVSS Score 9.0-10.0).
- High. Indicates flaws that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service (CVSS Score 7.0-8.9).
- Medium. Indicates flaws that may be more difficult to exploit but could still lead to compromise under certain circumstances (CVSS score 4.0-6.9).
- Low. Indicates Vulnerabilities that require unlikely circumstances to be exploited, or where a successful exploit would have either no adverse effect or only minimal adverse consequences (CVSS score 0.1-3.9).
- Informational. General information about the system and how it operates; mostly configuration choices rather than a real vulnerability (CVSS score 0).
Campus Network Scans
- The following Vulnerability scans are conducted to detect security weaknesses within the Campus Network:
  - Weekly Unauthenticated Scans of individual IP addresses and newly created or modified University Technology Resources deployed on the Campus Network;
  - Authenticated Scans of IP addresses as requested;
  - Authenticated Scans of vendor-hosted IPs as requested; and,
  - Monthly Unauthenticated Scan of all public University IPs from outside of the Campus Network (“External”).
- Attempts to block scans or access from the network Vulnerability scanner are prohibited.
- Pursuant to the Acceptable Use of University Technology Resources and Data Policy, use of tools that are used to assess security or to attack computer systems or networks (e.g., password crackers, Vulnerability scanners, network sniffers) without ISS’ authorization is prohibited.
- Campus Network Vulnerabilities must be remediated as follows:
  - Critical via Unauthenticated Scans must be remediated or mitigated within 90 days of discovery.
  - High via External, Unauthenticated Scans must be remediated or mitigated within 90 days of discovery.
Web Application Scans
- Authenticated Scans are required for those University Information Systems that are identified as Mission Critical Services as part of an annual risk assessment process.
- Information System Owners must complete the required documentation to facilitate a web application scan (e.g., scan checklist, self-assessment questionnaire).
- Authenticated Scans of web applications are required for requests to purchase or renew a University Information System that stores Sensitive Data or upon
- Third-party web application Vulnerability scans may be accepted in lieu of ISS conducting a web application scan, provided the scan has been conducted within the previous twelve (12) months and specifically tested for web application Vulnerabilities (e.g., OWASP Top 10), Authentication mechanisms, and all pages to which a University user would have access.
- Vendors must complete the required documentation to facilitate a web application scan (e.g., scan checklist, self-assessment questionnaire).
- Remediation of web application Vulnerabilities classified as Critical or High must be approved by ISS prior to purchase or renewal, or the University risks disallowing use of the application.
- High and Critical Vulnerabilities directly related to missing security patches must be evaluated within 60 days of the patch being released.
- Vulnerabilities classified as Informational, Low, or Medium are not required to be remediated; however, Information System Owners must take note of the Vulnerability and make attempts to remediate it as soon as feasible.
- Remediation scans will be conducted by ISS to validate remediation of identified High/Critical Vulnerabilities.
- If a Vulnerability cannot be remediated, compensating controls must be put in place to mitigate the Vulnerability.
- University Technology Resources with identified Critical/High Vulnerabilities that cannot be remediated within 90 days must be approved by Senior Management to accept the risk the Vulnerability presents to the University and continue to connect to the Campus Network.
- Such Technology Risks will only be approved for a maximum of one year.
- University Technology Resources with Critical/High Vulnerabilities that are not remediated or approved by Senior Management will be blocked from connecting to the Campus Network.
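The severity bands and remediation rules above translate directly into triage logic that a scan operator can run over exported findings. The following Python script is an added example written for this page, not a tool from ISS or from the NetVuln or AppScan products: it maps a CVSS base score to the Standard's severity level, decides whether a finding carries a mandatory 90-day remediation deadline (Critical from any Unauthenticated Scan, High only from the External Unauthenticated Scan), computes the 60-day patch-evaluation date for patch-related High/Critical findings, and reports whether a resource should still be connected, is covered by Senior Management risk acceptance (modelled as 365 days, an assumption for "one year"), or would be blocked. The `Finding` fields and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REMEDIATION_WINDOW = timedelta(days=90)       # "within 90 days of discovery"
PATCH_EVALUATION_WINDOW = timedelta(days=60)  # "within 60 days of the patch being released"
RISK_ACCEPTANCE_MAX = timedelta(days=365)     # assumption: "maximum of one year" as 365 days


def severity_from_cvss(score: float) -> str:
    """Map a CVSS Base Score to the Standard's severity level."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Informational"


@dataclass
class Finding:
    """One scanner finding; field names are this example's own, not a scanner's schema."""
    host: str
    title: str
    cvss: float
    discovered: date
    authenticated: bool                    # True if found by an Authenticated Scan
    external: bool                         # True if found by the monthly External scan
    patch_released: Optional[date] = None  # set when the finding is a missing security patch
    false_positive: bool = False           # identified as a False Positive by the Academic IT Leader
    resolved: bool = False                 # remediated, or mitigated with compensating controls
    risk_accepted_on: Optional[date] = None  # date of Senior Management risk acceptance, if any


@dataclass
class Triage:
    severity: str
    remediation_required: bool
    deadline: Optional[date]
    patch_evaluation_due: Optional[date]
    reason: str


def triage(f: Finding) -> Triage:
    """Apply the Standard's remediation rules to a single finding."""
    sev = severity_from_cvss(f.cvss)
    if f.false_positive:
        return Triage(sev, False, None, None, "identified as False Positive")
    patch_due = None
    if sev in ("Critical", "High") and f.patch_released is not None:
        patch_due = f.patch_released + PATCH_EVALUATION_WINDOW
    # Mandatory deadlines arise only from Unauthenticated Scans: Critical from any
    # such scan, High only when seen from the External (outside-the-network) scan.
    if not f.authenticated and sev == "Critical":
        return Triage(sev, True, f.discovered + REMEDIATION_WINDOW, patch_due,
                      "Critical via Unauthenticated Scan")
    if not f.authenticated and f.external and sev == "High":
        return Triage(sev, True, f.discovered + REMEDIATION_WINDOW, patch_due,
                      "High via External, Unauthenticated Scan")
    return Triage(sev, False, None, patch_due,
                  "no mandatory deadline; remediate as soon as feasible")


def network_status(f: Finding, today: date) -> str:
    """Connection decision for the resource: connected, risk-accepted, or blocked."""
    t = triage(f)
    if f.resolved or not t.remediation_required or today <= t.deadline:
        return "connected"
    if f.risk_accepted_on is not None and today <= f.risk_accepted_on + RISK_ACCEPTANCE_MAX:
        return "connected (risk accepted by Senior Management)"
    return "blocked"


def report(findings: List[Finding], today: date) -> List[Tuple[str, str, str]]:
    """Return (host, severity, status) rows for every finding."""
    return [(f.host, triage(f).severity, network_status(f, today)) for f in findings]


# Constructed sample findings (hosts, titles and scores are illustrative only).
SAMPLE = [
    Finding("host-a.example.edu", "Remote code execution in legacy service", 9.8,
            date(2021, 1, 5), authenticated=False, external=False),
    Finding("host-b.example.edu", "Information disclosure", 7.5,
            date(2021, 1, 5), authenticated=False, external=False),
    Finding("host-c.example.edu", "Missing security patch", 8.1,
            date(2021, 1, 5), authenticated=False, external=True,
            patch_released=date(2021, 2, 1)),
    Finding("host-d.example.edu", "Unsupported component", 9.1,
            date(2021, 1, 5), authenticated=False, external=False,
            risk_accepted_on=date(2021, 4, 1)),
]

if __name__ == "__main__":
    for row in report(SAMPLE, date(2021, 5, 1)):
        print(row)
```

Run against the constructed sample on 2021-05-01, host-a is blocked (Critical, unauthenticated, past its 5 April deadline), host-b stays connected (High from an internal scan carries no mandatory deadline), host-c is past deadline but its patch evaluation was due 2 April, and host-d remains connected under risk acceptance until 1 April 2022.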
- All campus IT directors must have the following Vulnerability management procedures documented:
  - The steps taken to remediate Vulnerabilities; and,
  - Change control procedures for patch management, including timeframe for patching; approval from vendors for patches within your configuration; approval for deployment; and rollback process.
- Cloud or third-party vendor applications that are not under the direct control of the University and function outside of the Campus Network will not be scanned except on purchase or purchase renewal, unless a scan is requested.
- “Authenticated Scan” means a vulnerability scan performed as a logged-in authenticated user.
- “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
- “False Positives” means the incorrect classification of a benign activity as malicious or as a vulnerability.
- “Mission Critical Services” means a service required to conduct the essential mission-oriented operations of the University, including teaching and learning. Unplanned interruptions in service have an immediate and widespread impact on critical University operations and typically result in a very negative customer experience. Examples include Banner, MAP, Kuali, CS Gold, and eCampus.
- “Risk” means the relative impact that an exploited vulnerability would have to a user’s environment.
- “Senior Management” means vice presidents, assistant vice presidents, associate vice presidents, deans, or directors responsible for reviewing and accepting institutional risks to the University.
- “Threat” means the likelihood or frequency of a harmful event occurring.
- “Unauthenticated Scan” means a vulnerability scan performed to identify vulnerabilities that are accessible without logging in as an authorized user.
- “Vulnerability Scan” means a technique used to identify weaknesses in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
- “Vulnerability” means a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.