VULNERABILITY MANAGEMENT: 9.18

ADMINISTRATIVE PROCEDURES

Title: VULNERABILITY MANAGEMENT

 Identification: 9.18

Effective Date: July 11, 2023

Authority: FS 1001.64; 1001.65

Signature/Approval: Dr. Ken Atwater

PURPOSE

This procedure defines the guidelines for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.

Vulnerability management refers to the practice of identifying, assessing, prioritizing, and mitigating vulnerabilities in computer systems, networks, and software applications. It involves a systematic approach to proactively address potential security weaknesses that could be exploited by attackers. The goal of vulnerability management is to minimize the risk of security breaches and protect the confidentiality, integrity, and availability of information and resources.

This policy covers the College’s computing, networking, telephony, and Information Technology resources.

PROCEDURE

Periodically, the Office of Information Technology (OIT) Information Security team will run periodic internal and external vulnerability assessment scans. The results of these scans will be addressed based on the risk posed to the College systems. The Information Security Team will use the Common Vulnerability Scoring System (CVSS) to establish patching guidelines.

  1. Service Degradation or Interruption

    Due care will be taken to ensure that Vulnerability scans will not adversely affect a system's or network's performance and operation. However, there may be instances where network and server performance or availability may be affected by the scanning process.

  2. Targeted Scans for Specific Vulnerabilities

    The Information Security team may periodically perform scans of any College network to find high-risk vulnerabilities that pose an imminent threat. Every effort will be made to notify network/systems owners before such scans are performed. An email notification may be sent to the system owners to advise of the scope and timing of the scan.

  3. Vulnerability Remediation and Mitigation

    If a vulnerability scan identifies vulnerabilities or the Information Security team learns of new vulnerabilities, the system owner is expected to assess and remediate them. The system owner must

    evaluate the identified vulnerability’s impact on systems under their responsibility. The system owner is expected to remediate the vulnerability or mitigate the risk of exposure for all verified vulnerabilities. In rare cases where remediation is impossible, the system owner must implement approved and documented compensating controls to reduce risk. When a vulnerability introduces a heightened risk of data exposure, the VP of OIT (or designee) may disconnect, disable, or block the device from accessing the College network until remediation or risk mitigation is addressed.

    All reporting related to vulnerabilities, remediation, and mitigations must be retained for at least 12 months from the date of the report.

  4. Vulnerability Risk Identification and Ranking

    The vulnerability report should list the vulnerabilities and the rankings based on the scanning system/software.

  5. Prioritize Based on Severity

    Report recipients are encouraged to work with the information security team to prioritize remediation efforts based on the severity of the vulnerability and the potential impact on the confidentiality, integrity, or availability of the vulnerable systems or their data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS) 3.0.

    The highest priority should be given to vulnerabilities rated Critical or High.

  6. Meet Remediation/Mitigation Timeframes

    After a vulnerability is detected and a fix is available, the timeline for remediation/risk mitigation begins.

     

    CVSS

    Corrective Action Plan

    Remediation/Mitigation

    Critical (CVSS 9 - 10)

    Within 48 hours

    Within one week

    High (CVSS 7 - 8.9

    Within 72 hours

    Within two weeks

    Medium (CVSS 4.0 - 6.9)

    Within seven days

    Within one month

    Low (CVSS 0.1 - 3.9)

    Within one month

    Based on risk

     

  7. High-Risk Vulnerabilities

    In addition to the above patching guidelines, vulnerabilities, and exploitable findings deemed critical by the Information Security team, regardless of CVSS score, must be patched as soon as possible.

  8. Exceptions:

Exceptions to this policy will be handled according to the established OIT Security Policies or with the authorization of the VP of OIT (or designee).

REFERENCE

NVD - Vulnerability Metrics (nist.gov)

HISTORY

New