UNIVERSITY STANDARD STATEMENT
This standard establishes the process, severity levels, and remediation schedules for security vulnerabilities.
REASON FOR STANDARD
Vulnerability Management is a security measure that identifies system and application flaws that could be exploited. By establishing expectations for addressing these flaws, VU can proactively close potential compromise paths and help protect its systems and the data on them.
Note: Vulnerability management is not the same as patch management. The two are related; however, not all patches address security vulnerabilities and not all vulnerabilities are treated with a patch.
The Office of Cybersecurity will review this standard biennially with feedback collected from representatives across VU to understand new concerns and dynamic requirements to best serve the VU community and adhere to VU Information Security Principles listed in the Information Security Policy.
SCOPE AND AUDIENCE
This standard applies to the entire VU community including, but not limited to, faculty, staff, students, contractors, post-doctoral fellows, temporary employees, and volunteers (collectively called "VU Community Members"). All IT Assets used to collect, transmit, process, store, or host institutional data are in scope for this standard.
DEFINITIONS
STANDARD
A. VULNERABILITY MANAGEMENT PROCESS
The Office of Cybersecurity shall leverage the following Vulnerability Management process:
B. VULNERABILITY SEVERITY LEVELS
The Office of Cybersecurity uses the Common Vulnerability Scoring System (CVSS), as published by the National Vulnerability Database (NVD), to assess the severity of identified vulnerabilities and to assign remediation priority.
Table 1. Vulnerability Severity Levels
| Vulnerability Level | CVSS | Risk Exposure | Characteristics | Schedule |
|---|---|---|---|---|
| Vulnerability Level 1 | 0.1-6.9 | Low - Moderate | Standard remediation; minor impact; unlikely to be exploited; resulting in limited access | 30 calendar days |
| Vulnerability Level 2 | 7.0-10 | High | Priority remediation; moderate to major impact; all vendor vulnerability notifications; possible to likely exploitation | 15 calendar days |
| Vulnerability Level 3 | Determined by Cybersecurity | Critical | Emergency remediation; major impact; threat intelligence of imminent threat | 3 calendar days |
IT Asset Owners, or IT Asset Stewards when duties are delegated, are responsible for remediating vulnerabilities on IT Assets under their purview within the schedule outlined in Table 1. Remediation may involve patching, changing configuration settings, turning off or uninstalling unneeded services or applications, or moving an asset's location either on the network or physically. When remediating, IT Asset Owners and/or Stewards should create rollback procedures and test changes as appropriate. Automated processes (e.g., automatic patching) are recommended where technically feasible.
The Office of Cybersecurity has the authority to increase or decrease a vulnerability's severity level to account for institutional considerations such as available compensating controls, sensitivity of the data housed on the IT Asset, or criticality of the asset to the VU mission.
IT Asset Owners that cannot adhere to the outlined schedule must seek an exception (see Exceptions below) and must have compensating controls in place to lower the risk of exploitation while the vulnerability remains unremediated.
EXCEPTIONS
On rare occasions, a security policy exception may be considered depending on the impact to the university mission and the security risk(s) introduced. Exception requests must be submitted to the VU Chief Information Security Officer for evaluation and risk assessment. The CISO, or a delegate, will grant or deny the request based on the level of risk.
ENFORCEMENT
Any VU community member who violates this standard may be subject to disciplinary action up to and including termination. The Chief Information Security Officer will refer violations to university units (e.g., Student Accountability Office, Human Resources, and Deans) as appropriate. Violations may also constitute a violation of state or federal law, and individuals will be held accountable as applicable.
FORMS AND TOOLS
N/A
FREQUENTLY ASKED QUESTIONS
N/A
HISTORY
| Review Date | Summary of Changes |
|---|---|
| September 2023 | No changes |
| February 2025 | Added a review cadence |