Standard and Process

See the specific requirements in the Technical Vulnerability Management Standard in the University Policy Library. The following supplements the requirements in University policy.

Technical vulnerabilities must be remediated and managed. This includes technical vulnerabilities related to the security configuration of devices and applications, security updates for the operating system and all software applications, and firmware updates for devices. Take steps as directed to remediate the technical vulnerabilities identified on the IT resources that you support or self-manage, following the security level.

Vulnerability management is designed to proactively mitigate or prevent the exploitation of technical vulnerabilities that exist in IT Resources. The process includes:

  • proactively scanning or identifying vulnerabilities;
  • investigating identified vulnerabilities;
  • assessing the severity and threat;
  • consulting with and informing appropriate individuals;
  • remediation; and
  • reporting.

Remediation may include one or more of the following:

  • patching or upgrading vulnerable software (the plan should include testing the patch/upgrade);
  • replacing the vulnerable software with a different product;
  • consolidating or moving to a more controlled environment;
  • changing the system configuration:
    • disabling or turning off the vulnerable service;
    • disabling a specific vulnerable feature or capability within the service;
  • setting, changing or using a more complex password;
  • limiting access using a firewall or filter;
  • increasing monitoring to detect anomalies;
  • documenting false positives;
  • informing users and management of the vulnerability.

Depending on the urgency with which the technical vulnerability needs to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolate computer) and/or other escalation processes.

The following table defines how the vulnerability severity in the Technical Vulnerability Management standard aligns with CVSS version 3.0.

| Vulnerability Severity | Definition | CVSS 3.0 |
|---|---|---|
| High | A vulnerability that is remotely exploitable | |
| Medium | A vulnerability that is not remotely exploitable | 4.0-6.9 |
| Low | A vulnerability that cannot be immediately exploited | 0.1-3.9 |

For a high severity technical vulnerability with widespread impact to the University (either being actively exploited or having the imminent potential to be exploited), University Information Security works with University IT management to assess and factor the ongoing risk to operations, options to mitigate the risk (i.e., patching vulnerable systems, disabling/turning off a service, implementing a border filter) and to establish expected remediation timelines. The University Information Security Officer and the Vice President for Information Technology will make the final decision regarding the course of action and determine the appropriate communication channels.

Responsibilities of technical staff and others who perform IT administrative functions on University IT resources include:

  • remediation of technical vulnerabilities following the controls established for the security categorization level of the IT resource;
  • managing the vulnerability management program for your area;
  • assessing and communicating to your management the risk of the vulnerability being exploited and the remediation plan to address the risk;
  • reporting on vulnerability management for your area;
  • monitoring security and vendor communications for technical vulnerabilities, as well as internal University computer security communications.

See the Information Security policy appendices for additional information security standards that also apply.

Document Management

Document Responsibility and History

| Document Owner | Document Approvers | Effective Date | Last Reviewed Date |
|---|---|---|---|
| University Information Security | Brian Dahlin, Chief Information Security Officer; Bernard Gulachek, VP of Information Technology and Chief Information Officer | August 2010 | May 2019 |