Administrative Regulation Title: Vulnerability Management
Regulation Number: 7.1.2
_____________________________________________________________________________________
Purpose:
This Vulnerability Management Administrative Regulation (this “Admin Reg”) outlines the framework for identifying, assessing, and remediating vulnerabilities on devices connected to the College’s networks. Vulnerabilities within networks, software applications, and operating systems, whether due to server or software misconfigurations, improper file settings, or outdated software versions, are an ever-present threat. Vulnerability management is a critical component of the College’s information security program and is essential to help reduce the College’s potential financial, reputational, and regulatory risks.
Definitions:
Capitalized terms not defined in this Admin Reg have the meaning set forth in the Information Security Policy.
Scope:
This Admin Reg applies to all College-owned and managed networks (public and private) and all devices that connect to or access those networks, including, but not limited to, computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally owned devices.
Vulnerability scanning is limited to reviewing IT system and application configuration and does not open or review content found in emails or digital documents.
Roles and Responsibilities:
The Office of Information Technology (“OIT”) works with Personnel who manage Institutional Resources throughout the College to determine appropriate vulnerability scanning and remediation.
The Chief Information Officer (“CIO”) is authorized by the College’s executive officers to take action, as needed, to ensure that unremediated systems or applications do not pose a threat to Institutional Resources. When a critical vulnerability is not remediated within a required timeframe or is improperly remediated, the CIO may temporarily block the system or application from the network until such time as the remediation is effectively completed.
Vulnerability Management Standards:
Vulnerability scanning is a task that identifies software vulnerabilities, missing system patches, and improper configurations. Regular vulnerability scanning along with the timely and consistent application of vendor-supplied security patches or other mitigation of a reported vulnerability are critical components in protecting Institutional Resources from damage or loss and in meeting regulatory and compliance requirements.
Vulnerability assessment provides visibility into the vulnerability of systems and hosted applications deployed on the College’s network. Used effectively, vulnerability management helps to ensure that software, settings, and security configurations are kept up to date. Further, systemic weaknesses or deficiencies can be detected by patterns or trends identified in scans of the College’s network.
Vulnerability Scanning:
College systems and applications will be scanned for vulnerabilities periodically and when new vulnerabilities affecting those systems and applications are identified. Vulnerability assessments will be conducted no less than every six months, and penetration testing will be conducted no less than annually.
OIT will determine the required vulnerability scanning for all system components (including potential sources of vulnerabilities such as networked printers, scanners, and copiers) and hosted applications. The set of vulnerabilities scanned for will be updated promptly as new vulnerabilities are discovered and announced and as new scanning methods are developed. Vulnerability scanning processes shall ensure that potential vulnerabilities are identified and addressed as quickly as possible.
Vulnerability scanning will include:
- scanning for patch levels;
- scanning for functions, ports, protocols, and services that should not be accessible to users or devices;
- scanning for improperly configured or incorrectly operating information flow control mechanisms; and
- scanning of custom software applications using source code reviews and/or static analysis tools, web-based application scanners, binary analyzers, and/or other analysis approaches, as appropriate.
Vulnerability scanning will be completed by individuals who hold privileged access authorization for the selected system components, commensurate with the sensitivity of the information contained therein.
Vulnerability Remediation:
Remediation of discovered vulnerabilities will be prioritized with consideration of the related assessment of risk and the level of effort to be expended in the remediation for specific vulnerabilities.
Vulnerability severity is determined using the Common Vulnerability Scoring System (“CVSS”) version 3.0 rating provided by NIST. On the CVSS scale, 7-8.9 is considered “high” severity and 9-10 is considered “critical” severity. All validated high and critical vulnerabilities should be remediated as defined in Table 1 below. Vulnerabilities with less severity can be resolved based on availability of staff resources to address them.
AR 7.1.2 Table 1
| Priority Level | Remediation Plan to Be Developed Within | Vulnerability to Be Resolved Within |
|---|---|---|
| Critical (CVSS 9-10) | 2 weeks | 1 month |
| High (CVSS 7-8.9) | 1 month | 3 months |
The remediation timeline begins once a vulnerability has been detected and a fix is available. Vulnerabilities that potentially put Confidential (Level 2) or Highly Sensitive (Level 3) data or Mission Critical Systems at risk have the shortest remediation timeframe.
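As an added illustration that is not part of this Admin Reg, the following Python tracker applies Table 1 to a set of constructed scan findings: it maps CVSS v3.0 base scores to the Critical/High priorities, starts the clock at the later of the detection date and the fix-availability date as the paragraph above requires, computes the plan and resolution due dates, and lists overdue findings with Level 2 and Level 3 data first. The finding fields, the sample hosts, and the use of 30-day months are assumptions made for the example; the regulation itself does not define a month length.

```python
"""Remediation-deadline tracker for AR 7.1.2 Table 1 (added example, not
College code). Inputs are scanner findings with a CVSS v3.0 base score, a
detection date, and the date a vendor fix became available (assumed fields).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Table 1 clocks. "1 month" and "3 months" are approximated as 30 and 90 days
# (assumption; the regulation does not define a month length).
PRIORITY_TABLE = {
    "Critical": {"plan_days": 14, "resolve_days": 30},
    "High":     {"plan_days": 30, "resolve_days": 90},
}


@dataclass
class Finding:
    host: str
    check: str                      # scanner check name (constructed)
    cvss: float                     # CVSS v3.0 base score
    detected: date
    fix_available: Optional[date]   # None until a vendor fix exists
    data_level: int = 1             # College data classification level (1..3)


def priority_for(cvss: float) -> Optional[str]:
    """Map a CVSS v3.0 base score to a Table 1 priority; None below 7.0."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return None


def deadlines(f: Finding) -> Optional[dict]:
    """Return Table 1 due dates for a finding, or None if it is out of scope
    (below High severity) or the clock has not started (no fix available)."""
    pri = priority_for(f.cvss)
    if pri is None or f.fix_available is None:
        return None
    start = max(f.detected, f.fix_available)   # clock starts at the later date
    row = PRIORITY_TABLE[pri]
    return {
        "priority": pri,
        "clock_start": start,
        "plan_due": start + timedelta(days=row["plan_days"]),
        "resolve_due": start + timedelta(days=row["resolve_days"]),
    }


def overdue(findings, today: date) -> list:
    """Findings past their resolution deadline, most sensitive data and
    highest CVSS first. Ordering only; Table 1 deadlines are unchanged."""
    late = [(f, d) for f in findings
            if (d := deadlines(f)) and today > d["resolve_due"]]
    late.sort(key=lambda t: (-t[0].data_level, -t[0].cvss))
    return late


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web-01", "outdated-tls-library", 9.8,
            date(2024, 2, 1), date(2024, 2, 5), data_level=3),
    Finding("print-02", "default-snmp-community", 7.5,
            date(2024, 1, 15), date(2024, 1, 10), data_level=1),
    Finding("lab-07", "info-disclosure-banner", 5.3,
            date(2024, 1, 20), date(2024, 1, 20), data_level=1),
    Finding("db-03", "privilege-escalation", 9.1,
            date(2024, 3, 1), None, data_level=2),   # no fix yet: clock not started
]


if __name__ == "__main__":
    today = date(2024, 4, 1)
    for f in SAMPLE_FINDINGS:
        d = deadlines(f)
        status = "n/a (below High or no fix)" if d is None else (
            f"{d['priority']}: plan by {d['plan_due']}, resolve by {d['resolve_due']}")
        print(f"{f.host:9} CVSS {f.cvss:<4} {status}")
    print("Overdue:", [f.host for f, _ in overdue(SAMPLE_FINDINGS, today)])
```

The `db-03` entry shows the case the regulation singles out: a critical finding with no fix yet is tracked but has no running clock, so it must be followed up separately rather than silently aging without a deadline.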
Remediation plans should:
- validate that the vulnerability is properly identified and prioritized;
- provide action-oriented descriptions of the steps that will be taken to mitigate the vulnerability;
- ensure that appropriate resources are or will be available to resolve the vulnerability;
- identify milestones necessary to fully address and resolve the vulnerability; and
- ensure that the schedule for resolving the vulnerability is achievable.
References:
Information Security Policy
Revision History:
Original Adoption Date: 1/29/24
Revision Date(s):
Date Reviewed, no change: