Policies and Procedures Manual 2023-2024

3.67 Vulnerability Management

Purpose
This procedure defines the guidelines for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.

Vulnerability management refers to the practice of identifying, assessing, prioritizing, and mitigating vulnerabilities in computer systems, networks, and software applications. It involves a systematic approach to proactively address potential security weaknesses that could be exploited by attackers. The goal of vulnerability management is to minimize the risk of security breaches and protect the confidentiality, integrity, and availability of information and resources.

This policy covers the College’s computing, networking, telephony, and Information Technology resources.

Procedure

The Office of Information Technology (OIT) Information Security team will run periodic internal and external vulnerability assessment scans. The results of these scans will be addressed based on the risk posed to College systems. The Information Security team will use the Common Vulnerability Scoring System (CVSS) to establish patching guidelines.

Service Degradation Or Interruption

Due care will be taken to ensure that vulnerability scans do not adversely affect a system's or network's performance and operation. However, there may be instances where network and server performance or availability are affected by the scanning process.


Targeted Scans For Specific Vulnerabilities

The OIT team may periodically perform scans of any College network to find high-risk vulnerabilities that pose an imminent threat. Every effort will be made to notify network/systems owners before such scans are performed. An email notification may be sent to the system owners to advise of the scope and timing of the scan.

Vulnerability Remediation And Mitigation

If a vulnerability scan identifies vulnerabilities or the OIT team learns of new vulnerabilities, the system owner is expected to assess and remediate them. The system owner must evaluate the identified vulnerability’s impact on systems under their responsibility. The system owner is expected to remediate the vulnerability or mitigate the risk of exposure for all verified vulnerabilities. In rare cases where remediation is impossible, the system owner must implement approved and documented compensating controls to reduce risk. When a vulnerability introduces a heightened risk of data exposure, OIT (or designee) may disconnect, disable, or block the device from accessing the College network until remediation or risk mitigation is addressed.

All reporting related to vulnerabilities, remediation, and mitigations must be retained for at least 12 months from the date of the report.

Vulnerability Risk Identification And Ranking

The vulnerability report should list the vulnerabilities and the rankings based on the scanning system/software.

Prioritize Based On Severity

Report recipients are encouraged to work with the information security team to prioritize remediation efforts based on the severity of the vulnerability and the potential impact on the confidentiality, integrity, or availability of the vulnerable systems or their data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS) 3.0.

The highest priority should be given to vulnerabilities rated Critical or High.

Meet Remediation/Mitigation Timeframes

After a vulnerability is detected and a fix is available, the timeline for remediation/risk mitigation begins.

CVSS                       CORRECTIVE ACTION PLAN    REMEDIATION/MITIGATION
Critical (CVSS 9 - 10)     Within 48 hours           Within one week
High (CVSS 7 - 8.9)        Within 72 hours           Within two weeks
Medium (CVSS 4.0 - 6.9)    Within seven days         Within one month
Low (CVSS 0.1 - 3.9)       Within one month          Based on risk

High-Risk Vulnerabilities

In addition to the above patching guidelines, vulnerabilities and exploitable findings deemed critical by the OIT team, regardless of CVSS score, must be patched as soon as possible.

Exceptions:

Exceptions to this policy will be handled according to the established OIT Security Policies or with the authorization of the CIO of OIT (or designee).

Reference

NVD - Vulnerability Metrics (nist.gov)

Common Vulnerability Scoring Calculator - NIST