UM Vulnerability Management Standard
UM Information Security Office - Area: Risk Management / Compliance
Document History
Date | Document Version | Revision Description | Author |
---|---|---|---|
4/11/2023 | 1.0 | New Document | Neff, CISO |
5/1/2024 | 1.1 | Minor revisions | Neff, CISO |
Approvals
Approval Date | Approved Version | Approver Role | Approver |
---|---|---|---|
5/1/2024 | 1.1 | CISO | Neff, CISO |
Introduction
As the University becomes more dependent on Information Systems to deliver business objectives strategically, there is an increasing risk of business disruption as a result of attacks on digital assets. The purpose of this standard is to reduce the risk of compromise through a consistent and repeatable Vulnerability Management capability.
This standard applies to the applications, servers, workstations, devices, and infrastructure that provide or support University services hosted within the UM network, affiliated campus networks, third-party data centers, and cloud service providers.
Roles and Responsibilities
CISO
Owner of this standard and the Vulnerability Management process and the approval of exceptions to scanning and/or remediation requirements.
UM IT Information Security Operations Team (SecOps)
Responsible for detecting, monitoring, and investigating vulnerabilities, working with the service owners and service administrators on risk assessment, providing guidance on remediation, and conducting vulnerability scanning.
Service Owner or Application Owner
Role/person who is the sponsor of the application or service. Can make high-level decisions about ongoing availability, maintenance, and support of the service. They are accountable and responsible for the risk that the system poses to the environment, make final decisions about vulnerability remediation, and ensure an administrator has been identified for the system.
Service Administrator or Application Administrator
Responsible for ensuring the system is running supported software that is patched and maintained. They will be notified when the application is out of date, out of support, or contains high or critical vulnerabilities. They are responsible for ensuring that vulnerabilities are remediated and retested or applying for an exception for the system.
Controls
Overview
Vulnerability Management is made up of the following components:
- Complete and accurate Asset Inventory identifying asset owners and asset administrators for the purpose of making remediation decisions and implementing appropriate controls.
- Common and Approved Asset Classification to determine the asset sensitivity and criticality to determine the appropriate alerting and remediation priority for the asset.
- Initial assessment process for evaluating new services including registration in asset inventory, initial configuration assessment, and vulnerability scans to ensure the system is free from security defects prior to processing production data.
- Continuous scanning process to identify newly discovered vulnerabilities and ensure the system is properly maintained.
- Patch management program and policies to ensure discovered vulnerabilities are addressed in a consistent and timely fashion.
- Remediation Actions that help ensure the appropriate actions have been considered and the path forward determined based on the risk posed by the threat to the asset.
- Risk Register to ensure risks to the University are understood, documented, and prioritized for the purpose of allocating resources efficiently to reduce the Information System security risk to the organization.
Asset Inventory
Build and Maintain an Asset Inventory: An accurate asset inventory is a requirement for a successful vulnerability management program.
- The University network must be scanned once a month for the purpose of discovery using simple network scanning tools that can identify systems and services on the network.
- University systems and services not on the University network must be included in the asset inventory.
- Endpoint devices not on the University network must be included in the asset inventory.
- Discovered University assets must be managed according to the IT Asset Management Standard.
- Vulnerability management requires assets, owners, and administrators to be identified and documented for each system.
Categorize Assets: Understanding the impact of compromise for an asset is necessary for prioritizing remediation, quantifying risk, and optimizing vulnerability scanning.
- University assets should be categorized based on the Data Classification and criticality to the operation of the University according to the Data Governance Policy.
- The application should also be assigned a type to assist in optimizing vulnerability scans based on type (web servers, file servers, database servers, application servers, etc.).
Initial Assessment
Configuration Assessment
A configuration assessment is the process of evaluating common operating systems and applications to identify and eliminate dangerous default configuration options such as default passwords and clear-text authentication protocols.
Departments must establish a secure configuration standard for common applications and operating systems based on industry best practices as detailed by the vendor and the Center for Internet Security (CIS). At a minimum, the configuration must meet Minimum Security Standards.
Vulnerability Scan
A vulnerability scan identifies software flaws or implementation issues in common operating systems and applications and provides a prioritized report of issues.
An initial vulnerability assessment must be conducted on new assets either by the application administrator or SecOps team and a report produced on the risks for the application owner.
High and critical vulnerabilities must be remediated prior to production according to the approved remediation actions.
The initial vulnerability assessment report and remediation efforts should be documented in the Asset Inventory.
Continuous Scanning
Enterprise Vulnerability Scanning
Continuous vulnerability scanning helps to ensure University infrastructure and services are fully supported by vendors and free from severe software flaws.
- Vulnerability scanning will be conducted for all business applications, Information Systems, and network infrastructure on the campus network including:
- Network devices (firewalls, routers, switches, wireless routers, etc.).
- Servers and web applications.
- IoT (podiums, cameras, door access systems, etc.).
- Endpoint devices (workstations, laptops, etc.).
- Vulnerability scanning for services that are hosted outside of the campus network should be conducted by the vendor or allowed through the hosting agreement with the vendor.
Enterprise Vulnerability Scanning Authority
Organization-wide vulnerability scanning must be done by authorized staff of the SecOps team on a continuous basis.
- Automated scans may be conducted as uncredentialed scans.
- Initial or special requests can include specialized credentials for penetration testing and/or secure configuration audits.
Enterprise Vulnerability Scanning Tools
Scanning tools will include those managed by the UM Information Security Office and those in partnership with external entities.
Vulnerability Remediation
Remediation Actions
Remediation actions are the steps taken to eliminate or reduce the threat of vulnerability exploitation.
- Eliminating the threat: Applying patches, removing/disabling unnecessary services, or retiring the vulnerable system from service.
- Reducing the threat: Vendor-provided workarounds, isolating the system or service through network and/or host-based firewalls, or engaging other compensating controls.
- Accepting the risk: In some cases, the vulnerability risk may be evaluated as less than the risk associated with patching or removing the system from service. In this case, the application owner may accept the risk and apply for an exception.
Remediation Timing
Systems that are managed in UM IT and UM Distributed IT will adhere to the UM Information Systems patch management procedures.
Systems that reside outside the data center may develop separate patch management procedures that meet the needs of the department and reduce University risk to an acceptable level.
Remediation timing should follow industry best practice, which bases the patching timeframe on the Common Vulnerability Scoring System (CVSS) score of the vulnerability as follows:
Severity | CVSS Score | Externally Exposed | Internally Exposed | Cloud Hosted |
---|---|---|---|---|
Critical | 9.0-10.0 | 8 days | 14 days | 8 days |
High | 7.0-8.9 | 8 days | 30 days | 8 days |
Medium | 4.0-6.9 | 30 days | 30 days | 30 days |
Low | 0.1-3.9 | 60 days | 90 days | 60 days |
Asset Severity is based on CVSS scores from the NIST National Vulnerability Database (NVD).
Critical vulnerabilities with a CVSS score of 9.0-10.0 can require immediate action and may result in patching outside of regular patching cycles.
When vulnerabilities are not patched within the remediation timeframe, the Information System may be moved to an untrusted network.
Reporting and Alerting
Report Generation and Distribution
Monthly vulnerability scans produce a master report in addition to a separate database of found vulnerabilities. Service owners and/or administrators can request access to reports on the systems for which they are registered as the responsible party in the application inventory.
Key performance indicators (KPIs) related to vulnerability patching and reporting will be presented regularly to the CIO to help ensure an accurate picture of organizational risk is understood.
Vulnerability Notifications
Service Owners and Service Administrators should receive an escalation and ticket for critical and high vulnerabilities for the assets that are covered under the monthly scanning program.
Failure to respond to vulnerability alerts will trigger a review of the patching policies for the area in question. The Dean, AVP, or VP responsible for the area will be notified, and the system owner will be warned of the possibility of isolating the system to reduce risk.
Report Retention
Monthly vulnerability scan reports must be retained based on the security requirements of the application and the retention schedule standard of the University.
Risk Register
Information Systems Risk
Vulnerabilities that cannot be remediated should be reported to the SecOps team to ensure they can be added to the risk register for discussion by the Information Security Stewardship Committee.
When vulnerabilities for an area are not patched within 90 days, the patch management practices for the department will be added to the risk register.
Vulnerability Risk Rating
The risk rating for an unpatched vulnerability will be calculated based on the asset criticality and the vulnerability severity as follows:
Campus Risk | Low Vulnerability | Medium Vulnerability | High Vulnerability | Critical Vulnerability |
---|---|---|---|---|
Low Asset Criticality | low | low | medium | medium |
Medium Asset Criticality | low | medium | medium | high |
High Asset Criticality | low | medium | high | critical |
Critical Asset Criticality | medium | high | critical | critical |
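As an added illustration (not part of the standard itself), the following Python applies the Remediation Timing table and the Vulnerability Risk Rating matrix above to a set of constructed scan findings: it derives the severity band from the NVD CVSS score, computes the due date for the asset's exposure, flags findings past their window (candidates for the untrusted network) and past the 90-day risk-register threshold, and assigns the risk rating. The exposure labels, the Finding fields and the sample assets are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows (days) from the Remediation Timing table: severity -> exposure -> days.
DEADLINE_DAYS = {
    "critical": {"external": 8, "internal": 14, "cloud": 8},
    "high": {"external": 8, "internal": 30, "cloud": 8},
    "medium": {"external": 30, "internal": 30, "cloud": 30},
    "low": {"external": 60, "internal": 90, "cloud": 60},
}
# Vulnerability Risk Rating matrix: asset criticality -> vulnerability severity -> risk.
RISK_MATRIX = {
    "low": {"low": "low", "medium": "low", "high": "medium", "critical": "medium"},
    "medium": {"low": "low", "medium": "medium", "high": "medium", "critical": "high"},
    "high": {"low": "low", "medium": "medium", "high": "high", "critical": "critical"},
    "critical": {"low": "medium", "medium": "high", "high": "critical", "critical": "critical"},
}
RISK_ORDER = ["critical", "high", "medium", "low"]  # triage order, highest risk first

def severity(cvss: float) -> str:
    """Map an NVD CVSS base score to the standard's severity bands (0.1-10.0)."""
    if not 0.1 <= cvss <= 10.0:
        raise ValueError(f"CVSS score outside the table's range: {cvss}")
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium")):
        if cvss >= floor:
            return name
    return "low"

@dataclass
class Finding:  # assumed shape of one scan finding joined with the asset inventory
    asset: str
    cvss: float
    exposure: str     # "external", "internal" or "cloud" (column of the timing table)
    criticality: str  # asset criticality from the inventory: low/medium/high/critical
    first_seen: date  # date the monthly scan first reported the vulnerability

def assess(f: Finding, today: date) -> dict:
    """Apply the timing table and risk matrix to one finding."""
    sev = severity(f.cvss)
    due = f.first_seen + timedelta(days=DEADLINE_DAYS[sev][f.exposure])
    return {"asset": f.asset, "severity": sev, "risk": RISK_MATRIX[f.criticality][sev],
            "due": due,
            "overdue": today > due,  # past its window: candidate for the untrusted network
            "risk_register": (today - f.first_seen).days > 90}  # department practices go on the register

def triage(findings, today: date) -> list:
    """Assess every finding and order the results by risk rating."""
    return sorted((assess(f, today) for f in findings), key=lambda r: RISK_ORDER.index(r["risk"]))

SAMPLE_FINDINGS = [  # constructed sample data, not real scan output
    Finding("web-01", 9.8, "external", "high", date(2024, 5, 1)),
    Finding("fileserver-03", 7.5, "internal", "medium", date(2024, 5, 1)),
    Finding("lab-printer", 3.1, "internal", "low", date(2024, 1, 15)),
]
```

Calling `triage(SAMPLE_FINDINGS, date(2024, 5, 15))` returns the three findings highest risk first, with the externally exposed critical already overdue after its 8-day window and the low-severity printer finding both overdue and past the 90-day register threshold.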
Procedures
All exception requests must be reviewed, assessed, and approved by the CISO or CIO.
The UM Information Security Advisory Council will review and, if necessary, revise the UM Data Classification and Stewardship Standard annually.
References
- MUS BOR 1300.1
- UM Information Security Policy
- UM Data Governance Policy
- UM IT Incident Response Policy