Technical Vulnerability Management
Standard and Process
While using the University network, technical vulnerabilities must be remediated. This includes technical vulnerabilities related to security configuration of devices, and security updates for the operating system and all software applications. Take steps as directed to remediate the technical vulnerabilities identified on the IT resources you provide IT support for following the security categorization level of the device.
Remediation may include one or more of the following:
- patching or upgrading vulnerable software (the plan should include testing the patch/upgrade)
- replacing the vulnerable software with a different product
- consolidating or moving to a more controlled environment
- changing the system configuration:
  - disabling or turning off the vulnerable service
  - disabling a specific vulnerable feature or capability within the service
  - setting, changing or using a more complex password
  - limiting access using a firewall or filter
- increasing monitoring to detect anomalies
- raising awareness of the vulnerability with your users
Depending on the urgency with which the technical vulnerability needs to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolate computer) and/or other escalation processes.
For a high-risk technical vulnerability with widespread impact to the University (either being actively exploited or having the imminent potential to be exploited), University Information Security works with University IT management to assess and factor the ongoing risk to operations, options to mitigate the risk (e.g., patching vulnerable systems, disabling/turning off a service, implementing a border filter) and to establish expected remediation timelines. The University Director of University Information Security and the Vice President for Information Technology will make the final decision regarding the course of action and determine the appropriate communication channels.
The responsibilities of IT professionals and others who perform IT administrative functions on University IT resources include:
- Remediation of technical vulnerabilities following the controls established for the security categorization level of the device
- Managing the vulnerability management program for their area
- Assessing and communicating to your management the risk of the vulnerability being exploited and the remediation plan to address the risk
- Monitoring security and vendor communications for technical vulnerabilities, as well as internal University computer security communications
- This standard is based on the principles of ISO/IEC 27002:2005.
- The University Vulnerability Management Program uses Qualys. Qualys is on the list of PCI-DSS approved external scan vendors.
- Tools to check for operating system and software/application updates:
  - Flexera Personal Software Inspector (PSI) - for Microsoft Windows
- Technical Vulnerability sources to monitor:
Document Owner: University Information Security
Document Approver: Brian Dahlin, University Information Security; Patton Fast, University Enterprise Architect
Effective Date: August 2010
Last Reviewed Date: November 2014