3.67 Vulnerability Management
Purpose
This procedure defines the guidelines for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.
Vulnerability management refers to the practice of identifying, assessing, prioritizing, and mitigating vulnerabilities in computer systems, networks, and software applications. It involves a systematic approach to proactively address potential security weaknesses that could be exploited by attackers. The goal of vulnerability management is to minimize the risk of security breaches and protect the confidentiality, integrity, and availability of information and resources.
This policy covers the College’s computing, networking, telephony, and Information Technology resources.
Procedure
Periodically, the Office of Information Technology (OIT) Information Security team will run periodic internal and external vulnerability assessment scans. The results of these scans will be addressed based on the risk posed to the College systems. The Information Security Team will use the Common Vulnerability Scoring System (CVSS) to establish patching guidelines.
Service Degradation Or Interruption
Due care will be taken to ensure that Vulnerability scans will not adversely affect a system's or network's performance and operation. However, there may be instances where network and server performance or availability may be affected by the scanning process.
Targeted Scans For Specific Vulnerabilities
The OIT team may periodically perform scans of any College network to find high-risk vulnerabilities that pose an imminent threat. Every effort will be made to notify network/systems owners before such scans are performed. An email notification may be sent to the system owners to advise of the scope and timing of the scan.
Vulnerability Remediation And Mitigation
If a vulnerability scan identifies vulnerabilities or the OIT team learns of new vulnerabilities, the system owner is expected to assess and remediate them. The system owner must evaluate the identified vulnerability’s impact on systems under their responsibility. The system owner is expected to remediate the vulnerability or mitigate the risk of exposure for all verified vulnerabilities. In rare cases where remediation is impossible, the system owner must implement approved and documented compensating controls to reduce risk. When a vulnerability introduces a heightened risk of data exposure, OIT (or designee) may disconnect, disable, or block the device from accessing the College network until remediation or risk mitigation is addressed.
All reporting related to vulnerabilities, remediation, and mitigations must be retained for at least 12 months from the date of the report.
Vulnerability Risk Identification And Ranking
The vulnerability report should list the vulnerabilities and the rankings based on the scanning system/software.
Prioritize Based On Severity
Report recipients are encouraged to work with the information security team to prioritize remediation efforts based on the severity of the vulnerability and the potential impact on the confidentiality, integrity, or availability of the vulnerable systems or their data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS) 3.0.
The highest priority should be given to vulnerabilities rated Critical or High.
Meet Remediation/Mitigation Timeframes
After a vulnerability is detected and a fix is available, the timeline for remediation/risk mitigation begins.
CVSS
|
CORRECTIVE ACTION PLAN
|
REMEDIATION/MITIGATION
|
|
Critical
(CVSS 9 - 10)
|
Within 48 hours
|
Within one week
|
High
(CVSS 7 - 8.9)
|
Within 72 hours
|
Within two weeks
|
|
Medium
(CVSS 4.0 - 6.9)
|
Within seven days
|
Within one month
|
|
Low
(CVSS 0.1 - 3.9)
|
Within one month
|
Based on risk
|
|
|
|
|
|
|
High-Risk Vulnerabilities
In addition to the above patching guidelines, vulnerabilities, and exploitable findings deemed critical by the OIT team, regardless of CVSS score, must be patched as soon as possible.
Exceptions:
Exceptions to this policy will be handled according to the established OIT Security Policies or with the authorization of the CIO of OIT (or designee).
Reference
NVD - Vulnerability Metrics (nist.gov)
Common Vulnerability Scoring Calculator - NIST