Technical Vulnerability Management--IT Professionals Standard

Document Owner: Barb Montgomery, University Information Security

Document Approver: Brian Dahlin, University Information Security and Patton Fast, University Enterprise Architect

Effective Date: August 2010

Last Reviewed Date: March 2013

Objective

Technical vulnerabilities in information technology, including but not limited to software and applications, must be remediated when identified. Inadequate system security controls are a threat to the University network and not solely to any one device.

Scope

Individuals Covered

This applies to IT Professionals as well as University community members who administer any component of the University's IT resources. For University community members who use and do not administer or provide support for any component of the University’s IT resources, see the Technical Vulnerability Management--University Community Member standard.

Resources Covered

This applies to University IT resources owned, leased, operated or provided by the University or otherwise connected to University resources. This includes, but is not limited to, electronic devices and communications facilities such as networking, mobile, cell phone and wireless devices, personal computers, workstations, servers, printers, copiers, fax machines, thumb drives, removable media, any other associated peripherals, and operating systems/software/applications (free or contracted by the University).

This also applies to personally owned devices used to access, process or transmit private University data, or that are otherwise connected to University IT resources.

Compliance

University units (e.g., campuses, departments, colleges, centers and programs) and individual University community members must follow this standard. Each unit is responsible for security on its systems and may apply more stringent security requirements than those detailed here, provided they do not conflict with or lower requirements established by the Information Security Framework, University policies, applicable laws, or contractual agreements.

Non-compliance with this standard must be reported to University Information Security (abuse@umn.edu). Individual University community members who do not comply with this standard may temporarily be denied access to University computing resources and may be subject to other penalties and disciplinary action including University discipline up to and including termination.

A non-compliant device may be disconnected from the University data network and collegiate/departmental infrastructure until the device is brought into compliance.

Standard and Process

While using the University network, technical vulnerabilities must be remediated. This includes technical vulnerabilities in the security configuration of devices, and missing security updates for the operating system and all software applications. Take steps as directed to remediate the technical vulnerabilities identified on the IT resources you provide IT support for, following the security categorization level of the device.

Remediation may include one or more of the following:

Depending on the urgency with which the technical vulnerability needs to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolate computer) and/or other escalation processes.

For a high risk technical vulnerability with widespread impact to the University (either being actively exploited or having the imminent potential to be exploited), University Information Security works with University IT management to assess the ongoing risk to operations, to weigh options to mitigate the risk (e.g., patching vulnerable systems, disabling/turning off a service, implementing a border filter) and to establish expected remediation timelines. The University Director of University Information Security and the Vice President for Information Technology will make the final decision regarding the course of action and determine the appropriate communication channels.

The responsibilities of IT Professionals and others who perform IT administrative functions on University IT resources include:

Security Categorization Levels

The University has three security categorization levels: High, Medium and Low. Based on the security categorization level of the device, follow at minimum the requirements for that level.

Multi-User systems (e.g., server, print server)

Security Category | Remediate High Risk Vulnerabilities | Remediate Medium Risk Vulnerabilities | Remediate Low Risk Vulnerabilities | U of M Vulnerability Management Program | Monitor communication channels
--- | --- | --- | --- | --- | ---
HIGH | Required | Required | Required | Required | Required
MEDIUM | Required | Required | Recommended | Required | Required
LOW | Required | Recommended | Recommended | Recommended | Recommended

Key

HIGH

See the Resources and Tools section for tools that will meet the requirements described here.

Monitor security and vendor communications for technical vulnerabilities, as well as internal University computer security communications.

When notified of a technical vulnerability that must be remediated, take steps to remediate it within the time frame specified.

Vulnerability Management Program

Servers and other designated devices are required to use the University-provided internal network-based scan tool to assess for technical vulnerabilities related to the configuration, operating system, and software applications running on the system. University Information Security reports quarterly to the CIO and senior IT management on high risk vulnerability management, using the results from the internal network-based scan tool.

The Payment Card Industry Data Security Standard (PCI-DSS) has an explicit requirement that devices involved in credit card processing, or on the same subnet as a credit card processing device, must complete a quarterly external network-based vulnerability scan using an approved scan vendor, in addition to the quarterly internal network-based vulnerability scan. The University has a contract with an approved scan vendor. High risk vulnerabilities as defined by the PCI organization must be remediated immediately. Submit requests for false positive review from external vulnerability scans to University Information Security, who will ask the approved scan vendor to review the finding and determine whether the request is accepted. University Information Security works with the University Controller's office on the PCI-DSS reporting requirements for the internal and external vulnerability scans.

MEDIUM

See the Resources and Tools section for tools that will meet the requirements described here.

Monitor security and vendor communications for technical vulnerabilities, as well as internal University computer security communications.

When notified of a technical vulnerability that must be remediated, take steps to remediate it within the time frame specified.

Vulnerability Management Program

Servers and other designated devices are required to use the University-provided internal network-based scan tool to assess for technical vulnerabilities related to the configuration, operating system, and software applications running on the system. University Information Security reports quarterly to the CIO and senior IT management on high risk vulnerability management, using the results from the internal network-based scan tool.

LOW

See the Resources and Tools section for tools that will meet the requirements described here.

Monitoring security and vendor communications for technical vulnerabilities, as well as internal University computer security communications, is recommended.

When notified of a technical vulnerability that must be remediated, take steps to remediate it within the time frame specified.

Vulnerability Management Program

For servers and other multi-user systems on the University network, use of a network-based scan tool to assess for technical vulnerabilities related to the configuration, operating system and software applications running on the system is recommended. The tool should be run after initial system installation and after major system reconfigurations. High risk vulnerabilities should be evaluated and a remediation plan developed, using the risk to the system and to others on the University network to determine the time frame for remediation.

Resources and Tools

More Information

Requirements of Vulnerability Management Program by Security Category

Internal Scans

Security Category | Scans: Interval | Scans: Review results within | Remediation plan for high risk vulnerabilities: Document the plan | Remediation plan: Due within* | Reporting: Review by OITSEC | Reporting: Quarterly Management
--- | --- | --- | --- | --- | --- | ---
HIGH | Weekly | 2 business days | Required | 20 business days | Required | Required
MEDIUM | Monthly | 4 business days | Required | 20 business days | Recommended | Required
LOW | On demand | Recommended | | | |

*A remediation plan is needed if the risk cannot be mitigated and the device rescanned by the end of the calendar month.

External Scans for Devices that Must Meet PCI-DSS

Security Category | Scans: Interval | Scans: Review results within | Remediation plan for high risk vulnerabilities: Document the plan | Remediation plan: Due within* | Reporting: Review by OITSEC | Reporting: Quarterly Attestation for Bank | Reporting: Quarterly Management
--- | --- | --- | --- | --- | --- | --- | ---
HIGH | Monthly | 2 business days | Required | 5 business days | Required | Required | Required
MEDIUM | ALL PCI-DSS designated devices MUST use Security Category HIGH. See above. | | | | | |
LOW | ALL PCI-DSS designated devices MUST use Security Category HIGH. See above. | | | | | |

*A remediation plan is needed if the risk cannot be mitigated and the device rescanned by the end of the calendar month.