Policy No: 2061 Responsible Office: Office of Information Security Last Review Date: 12/04/2020 Next Required Review: 12/04/2025
Vulnerability Management Policy
This Policy establishes a framework for identifying and promptly remediating vulnerabilities to minimize the risk of security breaches associated with unpatched vulnerabilities. This policy applies to all employee desktops/laptops (where noted), servers and appliances both physical and virtual.
This policy applies to all University General Division departments that deploy, sponsor, manage, or utilize employee desktops, laptops, servers or appliances on the USA campus or in a commercial cloud.
Computer Asset: A device, or other component of the environment that supports information-related activities. Examples are a server, employee desktop, laptop, appliance, or VM.
Asset Inventory List: An inventory of computer assets.
VM: Virtual machine.
The key roles for vulnerability management are as follows:
Assistant Vice President and Director Information Technology Services (AVPDITS) or designate: Responsible for the Computer Services Center’s (CSC) vulnerability management. Approves any risk acceptance and emergency remediation actions. For department servers not managed by CSC, the department head or designate is responsible for vulnerability management.
Office of Information Security: Manages the Vulnerability Management platform. Provides software for periodic vulnerability scanning to identify vulnerabilities, patch releases, and remediation plans.
Administrator (System or Application) or designate: Generally, a University staff member who manages and maintains computer devices for the University and is authorized to have access beyond that of an end user.
Computer System and Software Specialist or designate: Performs remediation of vulnerabilities (patching or compensating control) on servers, applications, operating system, or appliances based on the severity level and time for remediation (see Table 1).
Associate Director of Information Systems, Director of Academic Computing, Assistant Director of Networking and Telecommunications, Department Head or designate: Determines the scheduling of vulnerability remediation for their respective areas and delegates corrective action. Reports any unresolvable vulnerability to the Director of Information Security.
Director of Information Security (DIS) Role or designate: Tabulates monthly vulnerability results and creates the Vulnerability Report for distribution to directors/managers. Reports any unresolved vulnerabilities to the AVPDITS, department head, or designate. Responsible for the vulnerability management program/policy.
4. Policy Guidelines
The University of South Alabama uses the Common Vulnerability Scoring System (CVSS) for all Common Vulnerabilities and Exposures (CVE) provided by the National Vulnerability Database. A priority is placed on patching or mitigating the vulnerability based on these scores and the logical location of the vulnerability within USA network infrastructure.
Severity is assigned to a vulnerability based on its exposure to the threat and the risk it poses to the IT environment. The scanning software identifies the location of the vulnerability and whether it is currently being exploited; the vulnerability is then assigned one of four ratings. Based on the CVSS score, values from 1 through 3 receive a Low rating, values 4 through 6 receive a Medium rating, values 7 through 9 receive a High severity level, and the value of 10 has a severity level of Critical. See Table 1 below for more information.
|Severity|Description|Time for Remediation|
|---|---|---|
|Critical|This rating is given to flaws that could be easily exploited by a remote unauthenticated attacker and lead to system compromise without requiring user interaction. Flaws that require an authenticated remote user, a local user, or an unlikely configuration are not classed as Critical.|10 business days|
|High|This rating is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources. These are the types of vulnerabilities that allow local users to gain privileges, allow unauthenticated remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service.|30 business days|
|Medium|This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity, or availability of resources, under certain circumstances. These are the types of vulnerabilities that could have had a Critical impact or Important impact but are less easily exploited based on a technical evaluation of the flaw, or affect unlikely configurations.|60 business days|
|Low|This rating is given to all other issues that have a security impact. These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would give minimal consequences.|At the discretion of the department|
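As an added example (not part of the policy and not a University or scanner tool), the following Python helper applies the CVSS-to-severity bands from the paragraph above and the Table 1 remediation windows to a list of scan findings, producing a due date per finding and an overdue list for the monthly report. The hosts, CVE identifiers and dates are constructed placeholders. Two points the policy text does not state are handled as labelled assumptions: fractional CVSS scores (e.g. 6.5) are placed using the conventional band edges (below 4 Low, below 7 Medium, below 10 High, exactly 10 Critical), and "business days" skips weekends only, since no holiday calendar is given.

```python
"""Triage helper for scan findings under the policy's severity rules.

Added example, not the University's or any scanner's own code. Findings are
plain dicts with a CVSS base score and the date the scan found them; the
host names and CVE ids used below are constructed placeholders.
"""
from datetime import date, timedelta

# Remediation windows from Table 1, in business days. Low has no fixed
# window ("at the discretion of the department"), represented as None.
REMEDIATION_BUSINESS_DAYS = {
    "Critical": 10,
    "High": 30,
    "Medium": 60,
    "Low": None,
}


def severity_for_score(cvss: float) -> str:
    """Map a CVSS base score to the policy's four ratings.

    The policy states 1-3 Low, 4-6 Medium, 7-9 High, 10 Critical. Scores
    between those integers are not addressed by the text; this helper
    ASSUMES the conventional band edges (<4 Low, <7 Medium, <10 High).
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss == 10.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def add_business_days(start: date, days: int) -> date:
    """Advance `start` by `days` business days, skipping Saturday and Sunday.

    ASSUMPTION: the policy lists no holiday calendar, so only weekends are
    skipped; a real deployment would also skip University holidays.
    """
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return current


def triage(finding: dict, today: date) -> dict:
    """Assign a severity and a remediation due date to one finding."""
    sev = severity_for_score(finding["cvss"])
    window = REMEDIATION_BUSINESS_DAYS[sev]
    due = add_business_days(finding["found_on"], window) if window else None
    return {
        "host": finding["host"],
        "cve": finding["cve"],
        "severity": sev,
        "due": due,
        "overdue": due is not None and today > due,
    }


def overdue_report(findings, today: date):
    """Return the triaged findings whose Table 1 window has already passed."""
    return [t for t in (triage(f, today) for f in findings) if t["overdue"]]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE_FINDINGS = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 10.0, "found_on": date(2024, 3, 1)},
    {"host": "db-02", "cve": "CVE-0000-0002", "cvss": 8.1, "found_on": date(2024, 3, 1)},
    {"host": "app-03", "cve": "CVE-0000-0003", "cvss": 5.3, "found_on": date(2024, 3, 1)},
    {"host": "lab-04", "cve": "CVE-0000-0004", "cvss": 2.0, "found_on": date(2024, 3, 1)},
]


if __name__ == "__main__":
    # Run as of 1 April 2024: only the Critical finding (due 15 March) is overdue.
    for item in (triage(f, date(2024, 4, 1)) for f in SAMPLE_FINDINGS):
        print(item)
```

The overdue list is what the monthly Vulnerability Report needs: each entry either gets patched, gets a documented delay reason and plan at the next Vulnerability Management Meeting, or goes to the AVPDITS or department head for risk acceptance.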
University managed computer assets go through a continuous cycle of vulnerability scanning and remediating vulnerabilities in order to mitigate risk to compromise. The procedures associated with the vulnerability management process are as follows:
- Scan mission-critical servers, appliances, and VMs for vulnerabilities – Devices are scanned monthly. Each device is scanned against a single baseline vulnerability policy based on the CVSS model (see Policy Guidelines);
- Validate findings from the scan and assess the risk severity – Scan results are reviewed and validated by ruling out false positives or taking additional steps to verify the results. Note: To greatly increase the accuracy of the scan and reduce false positives, assets should be scanned with an authenticated scan. This can be done with SSH public key authentication, by creating an account with administrator privileges (local administrator or Windows domain administrator), or by installing a scan agent, which gives the most accurate security assessment. An authenticated scan allows the scanning engine to collect information based on the system configuration; with less than administrator privileges the scan runs fewer checks and the results will be incomplete. The recommended approach is to install a scan agent, as this is less disruptive to the system and requires less maintenance;
- Monthly Vulnerability Management Meeting – Every month at CSC, a Vulnerability Management Meeting will take place to discuss each department/unit Vulnerability Report. All CSC departments/units that manage computer assets will participate in the meeting as well as the Directors of Information Services and Information Security. A separate vulnerability management meeting will be scheduled with USA departmental IT personnel if necessary;
- Remediate vulnerabilities (patching) – Departments and units will develop procedures/processes to remediate each vulnerability class within the Table 1 timeframes. Patching can be automated. If a vulnerability cannot be remediated on the Table 1 schedule, the director will provide a reason for the delay and a remediation plan at the next scheduled Vulnerability Management Meeting. Critical vulnerabilities with immediate impact are expedited and resolved as soon as possible;
- Non-mission-critical assets (such as employee desktops and laptops) – Monthly scanning is not required for employee computer assets, but auto-updating must be enabled or the system administrator must apply patches manually, every month or as needed, as described in Table 1;
- Build and implement vulnerability resolution – Once a patching process/plan is developed, the respective area proceeds with implementation;
- Unsupported O/S – Computer assets running unsupported operating systems must be upgraded, replaced before manufacturer support ends, or removed from the network;
- Post-implementation scan to verify resolution – Once the change is implemented, a re-scan for the vulnerability is run to verify that the resolution was successful. If the vulnerability is still present, another solution may be attempted or alternative compensating controls will be evaluated and implemented. If there is no solution, it becomes a risk that must either be accepted by the AVPDITS, the department head, or designate, or the computer asset is removed from the network.
All departments and units are expected to follow and implement this policy. Failure to do so may result in an unacceptable risk to the University and the computer asset being disconnected from the network.
7. Related Documents