Technical Vulnerability Management
Standard and Process
See the specific requirements in the Technical Vulnerability Management Standard in the University Policy library. The following supplements the requirements in University policy.
Technical vulnerabilities must be remediated and managed. This includes vulnerabilities in the security configuration of devices and applications, missing security updates for the operating system and all installed software, and missing firmware updates for devices. Remediate, as directed, the technical vulnerabilities identified on the IT resources you provide IT support for or self-manage, following the controls for the resource's security level.
Vulnerability management is designed to proactively mitigate or prevent the exploitation of technical vulnerabilities which exist in IT Resources. The process includes:
- proactively scanning or identifying vulnerabilities;
- investigating identified vulnerabilities;
- assessing the severity and threat;
- consulting with and informing appropriate individuals;
- remediation; and
Remediation may include one or more of the following:
- patching or upgrading the vulnerable software (the plan should include testing the patch or upgrade);
- replacing the vulnerable software with a different product;
- consolidating, or moving the resource to a more controlled environment;
- changing the system configuration:
  - disabling or turning off the vulnerable service;
  - disabling a specific vulnerable feature or capability within the service;
  - setting, changing, or using a more complex password;
  - limiting access using a firewall or filter;
- increasing monitoring to detect anomalies;
- documenting false positives;
- informing users and management of the vulnerability.
Depending on the urgency with which the technical vulnerability needs to be addressed, the actions taken should be carried out according to the controls related to change management, or by following general University information security incident response procedures (e.g., isolating the computer) and/or other escalation processes.
The following table defines how the vulnerability severity in the Technical Vulnerability Management Standard aligns with CVSS version 3.0 scores.

| Vulnerability Severity | Definition | CVSS 3.0 score |
|---|---|---|
| High | Vulnerability that is remotely exploitable | 7.0 - 10.0 |
| Medium | Vulnerability that is not remotely exploitable | 4.0 - 6.9 |
| Low | Vulnerability that cannot be immediately exploited | 0.1 - 3.9 |

Note that CVSS 3.0 itself rates 9.0 - 10.0 as "Critical"; that band is folded into High here. A score of 0.0 (no impact) falls outside the table.
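To see how the CVSS 3.0 vector a scanner reports lands in one of these bands, here is an added Python example (not part of the University standard, nor code from any scanner product) that computes the CVSS 3.0 base score from a base vector string and maps it onto the table. The metric weights and formulas are those of the FIRST CVSS v3.0 specification (with the float-safe rounding routine from v3.1) and the band thresholds are the table's. Everything else is an assumption made for illustration: the function names, treating attack vector `AV:N` as the "remotely exploitable" test behind the Definition column, labelling a 0.0 score (which the table does not cover) as "None", and the sample vectors, which are constructed.

```python
import math
import re

# Added example: CVSS v3.0 base score from a vector string, mapped onto the
# University's High/Medium/Low bands.  Weights and formulas follow the FIRST
# CVSS v3.0 specification; band thresholds follow the table in the standard.
# Function names, the "None" band for 0.0, and the AV:N remote-exploitability
# test are assumptions for illustration only.

AV_W = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}   # Attack Vector
AC_W = {"L": 0.77, "H": 0.44}                          # Attack Complexity
PR_W = {                                               # Privileges Required, keyed by Scope
    "U": {"N": 0.85, "L": 0.62, "H": 0.27},
    "C": {"N": 0.85, "L": 0.68, "H": 0.50},
}
UI_W = {"N": 0.85, "R": 0.62}                          # User Interaction
CIA_W = {"H": 0.56, "L": 0.22, "N": 0.0}               # Confidentiality / Integrity / Availability

# Base metrics only; the v3.1 prefix is accepted because the base formula is the same.
VECTOR_RE = re.compile(
    r"^CVSS:3\.[01]/AV:(?P<AV>[NALP])/AC:(?P<AC>[LH])/PR:(?P<PR>[NLH])/UI:(?P<UI>[NR])"
    r"/S:(?P<S>[UC])/C:(?P<C>[HLN])/I:(?P<I>[HLN])/A:(?P<A>[HLN])$"
)


def parse_vector(vector):
    """Split a CVSS v3 base vector into its metric letters; reject anything malformed."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError("not a well-formed CVSS v3 base vector: %r" % vector)
    return m.groupdict()


def roundup(x):
    """CVSS 'Roundup' to one decimal place.  Uses the integer form from the v3.1
    specification so floating-point noise (e.g. 4.0000001) cannot push a score
    into the next band."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(vector):
    """CVSS v3.0 base score (0.0 - 10.0) for a base vector string."""
    m = parse_vector(vector)
    iss = 1.0 - (1.0 - CIA_W[m["C"]]) * (1.0 - CIA_W[m["I"]]) * (1.0 - CIA_W[m["A"]])
    if m["S"] == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV_W[m["AV"]] * AC_W[m["AC"]] * PR_W[m["S"]][m["PR"]] * UI_W[m["UI"]]
    if impact <= 0:
        return 0.0
    if m["S"] == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def university_severity(score):
    """Map a CVSS 3.0 score onto the table's bands.  A 0.0 score (no impact) is
    outside the table; labelling it "None" is an assumption."""
    if score >= 7.0:
        return "High"      # the table folds CVSS 'Critical' (9.0 - 10.0) into High
    if score >= 4.0:
        return "Medium"
    if score >= 0.1:
        return "Low"
    return "None"


def assess(vector):
    """Score a vector and flag where the table's two columns disagree: the
    Definition column keys on remote exploitability (taken here as AV:N, an
    assumption), the CVSS column on the numeric band."""
    m = parse_vector(vector)
    score = base_score(vector)
    band = university_severity(score)
    remote = m["AV"] == "N"
    conflict = (remote and band != "High") or (not remote and band == "High")
    return {"score": score, "band": band, "remotely_exploitable": remote,
            "definition_conflict": conflict}


if __name__ == "__main__":
    # Constructed sample vectors, chosen to hit each band and both edge cases.
    samples = [
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",   # remote, unauthenticated data leak
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",   # remote RCE with scope change: 10.0
        "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",   # local privilege escalation
        "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",   # remote, but only Medium by score
        "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",   # no impact: 0.0, outside the table
    ]
    for v in samples:
        print(v, assess(v))
```

The `definition_conflict` flag is the practical point: a local privilege escalation scoring 7.8 is High by the score column but "not remotely exploitable" by the Definition column, and a remote vulnerability scoring 4.3 is the reverse. The two columns do not always agree, so the example reports both and leaves it to the assessor to apply whichever the standard intends.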
For a high severity technical vulnerability with widespread impact to the University (either being actively exploited or having the imminent potential to be exploited), University Information Security works with University IT management to assess and factor the ongoing risk to operations, options to mitigate the risk (e.g., patching vulnerable systems, disabling/turning off a service, implementing a border filter) and to establish expected remediation timelines. The University Information Security Officer and the Vice President for Information Technology will make the final decision regarding the course of action and determine the appropriate communication channels.
Technical staff and others who perform IT administrative functions on University IT resources are responsible for:
- remediation of technical vulnerabilities following the controls established for the security categorization level of the IT resource;
- managing the vulnerability management program for your area;
- assessing and communicating to your management the risk of the vulnerability being exploited and the remediation plan to address the risk;
- reporting on vulnerability management for your area;
- monitoring security and vendor communications for technical vulnerabilities, as well as internal University computer security communications.
See the Information Security policy appendices for additional information security standards that also apply.
- This standard is based on the principles of ISO/IEC 27002:2013.
- The University Vulnerability Management Program uses Qualys or Rapid7; both are on the list of PCI DSS Approved Scanning Vendors (ASVs) for external scans.
- Technology Portfolio
- Technical Vulnerability sources to monitor:
Document Owner: University Information Security
Document Approver: Brian Dahlin, University Information Security; Bernard Gulachek, VP of Information Technology and Chief Information Officer
Effective Date: August 2010
Last Reviewed Date: May 2019