- Purpose and Scope
- Definitions
- Procedure
- Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
- References
- Contacts
- History
Purpose.
The purpose of this Vulnerability Management Procedure is to outline the process for managing Vulnerabilities according to Policy 4-004 and its associated regulations.
Scope.
The scope of this procedure is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.
This procedure supports Section G, titled IT Resource and Information System Security and Vulnerability Management, of the University of Utah Information Security Policy 4-004 and Rule R4-004G, titled IT Resource and Information System Security and Vulnerability Management.
Definitions.
The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

- Exploit – A malicious software tool that takes advantage of a Vulnerability or security flaw.
- Exposure – The extent to which an Asset, stakeholder, or organization is subject to a Risk.
- Information Security Office (ISO) – The University’s information security department, which reports to the chief information security officer (CISO).
- Mitigate (or Mitigation) – A decision, action, or practice intended to reduce the level of Risk associated with one or more Threat events, Threat scenarios, or Vulnerabilities.
- Remediate – The neutralization or elimination of a Vulnerability or the likelihood of its exploitation.

Note: Actions taken as part of Vulnerability management are classified according to two broad classifications: Mitigation and Remediation. While Mitigation procedures reduce the Risk of the Vulnerability being exploited by a Threat actor, Remediation procedures eliminate the Vulnerability from the impacted Asset. University policy specifies timelines for Remediation based on the severity of the Vulnerability and the Exposure of the Asset. Understanding the difference between Mitigation and Remediation is central to understanding this procedure.
Procedure.
All IT managers, IT Technicians, and Users managing Assets shall:

- maintain a current and accurate inventory of all Assets for which they are responsible;
- allocate funds for Information Systems to ensure they are supported throughout their life cycle and can be replaced before their end-of-support or end-of-life date;
- configure all Information Systems according to Security Benchmarks as defined in Procedure P4-004G1 wherever technically feasible;
  For more specific implementation requirements, please access Procedure P4-004G1.
- configure security Controls to allow ISO Vulnerability scanners to scan all Assets on all ports and services;
  An exclusion to ISO Vulnerability scans requires an exception to policy. For more specific implementation requirements, please access Procedure P4-004P.
- scan for Vulnerabilities using the ISO-provided Vulnerability scanners, review reports for all Information Systems at least monthly, and document known false positives;
- establish a process for monitoring known Vulnerabilities of all Information Systems for which they are responsible;
- analyze and document the Risks and Vulnerabilities present according to Section D;
- for identified Vulnerabilities, follow the Remediation of Vulnerabilities outlined in Section D;
  If a Vulnerability cannot be Patched or a Patch is not available (e.g., end-of-support or end-of-life), an exception to policy shall be filed as per Procedure P4-004P within the required time frame for Remediation. For more specific implementation requirements, please access Procedure P4-004P.
- promptly respond to any contact from the ISO regarding vulnerable Information Systems; and
- maintain processes to prevent Information Systems from being deployed with existing Vulnerabilities.
IT managers shall ensure that all Vulnerabilities are addressed according to the Remediation timeline in Section D for the units and/or departments for which they are accountable. In the absence of an IT manager, the department head is accountable for meeting this requirement.
The ISO shall:

- maintain enterprise Vulnerability scanning software available for use by all IT managers, IT Technicians, and Users managing Assets;
- provide periodic reports to executive management regarding the University’s Vulnerability posture;
- monitor and alert on emerging Threats (e.g., previously unknown critical Vulnerabilities) and assist in quickly managing the response to such Threats and facilitating Risk reduction;
- provide information to all IT managers, IT Technicians, and Users managing Assets to aid in understanding their Vulnerability Risk; and
- notify IT managers, IT Technicians, and Users managing Assets of identified Vulnerabilities via approved University communication platforms.
If the contacted IT manager, IT Technician, or User does not respond with a Remediation plan within the timelines of the Exposure Designation table outlined in Section D, the ISO may take the following steps:

- remove the Asset from the University network with the approval of the CISO;
- block the Asset from accessing University network space until the Vulnerability has been Remediated as outlined in Section D; and/or
- email all concerned parties documenting the communication attempts and relevant University policies.
If, at any time, the ISO determines that the affected Information System remaining on the network represents an unacceptable level of Risk to the University, it may remove the Information System from the University network with the approval of the CISO until the Vulnerability has been Remediated or Mitigated as outlined in Section D.
Remediation of Vulnerabilities
The Remediation of Vulnerabilities shall be prioritized according to the following timelines:

Remediation Timeline

Severity | CVSS Baseline | Timeline
Critical | 9.0-10.0      | 72 hours
High     | 7.0-8.9       | 15 days
Medium   | 4.0-6.9       | 30 days
Low      | 0.1-3.9       | 60 days
None     | 0             | 90 days
Perform Remediation and rescan the Information System to validate Remediation was successful.
For all Vulnerabilities that cannot be Remediated within the initial Remediation timeline, apply any applicable Mitigating Controls, assign an Exposure designation to the Vulnerability based on Exposure level, and reevaluate the Remediation timeline based on the table below:

Exposure Designation

CVSS Severity / Rating | External Exposure | Limited Exposure | Internal Exposure | Isolated
Critical: 9.0-10.0     | 72 hours          | 15 days          | 30 days           | 60 days
High: 7.0-8.9          | 15 days           | 30 days          | 60 days           | 60 days
Medium: 4.0-6.9        | 30 days           | 60 days          | 60 days           | 60 days
Low: 0.1-3.9           | 60 days           | 60 days          | 60 days           | 60 days
None: 0                | 90 days           | 90 days          | 90 days           | 90 days
- External Exposure: The Vulnerability is publicly Exposed to the internet with few to no Mitigating Controls in place. The Vulnerability can be exploited by a Threat actor that is outside the University network.
- Limited Exposure: The Vulnerability has limited Exposure to public or internal networks with one or more Mitigating Controls in place. The Vulnerability can be exploited only by a Threat actor who has explicit access to the Asset.
- Internal Exposure: The Vulnerability is Exposed to University internal networks with minimal Mitigating Controls in place. The Vulnerability can be exploited by a Threat actor that is connected to any University internal network.
- Isolated: The Vulnerability has minimal Exposure with all possible Mitigating Controls in place, the Asset is isolated from other Assets, and the affected Information System only provides the minimum necessary services. The Vulnerability can be exploited only by a Threat actor who has gained access to the isolated environment.
If the Vulnerability still cannot be Mitigated and subsequently Remediated according to the updated timelines, an exception to policy shall be requested.
For more specific implementation requirements, please access Procedure P4-004P.
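As an added worked example (not part of this procedure and not the ISO's tooling), the following Python encodes the two timeline tables of this section and the escalation path around them: initial deadline by severity, reevaluated deadline once an Exposure designation is assigned, exception required when that is also missed, and a finding counted as closed only after the rescan validates the Remediation. The hostnames, CVSS scores and dates are constructed, and the code assumes the reevaluated timeline is still counted from the discovery date, which the procedure does not state explicitly.

```python
"""Apply this procedure's Remediation timelines to scan findings (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Severity bands (CVSS baseline) and the initial Remediation timeline, from the
# "Remediation Timeline" table of this section.
SEVERITY_BANDS = [
    ("Critical", 9.0, 10.0),
    ("High", 7.0, 8.9),
    ("Medium", 4.0, 6.9),
    ("Low", 0.1, 3.9),
    ("None", 0.0, 0.0),
]
INITIAL_TIMELINE = {
    "Critical": timedelta(hours=72),
    "High": timedelta(days=15),
    "Medium": timedelta(days=30),
    "Low": timedelta(days=60),
    "None": timedelta(days=90),
}

# Reevaluated timelines from the "Exposure Designation" table; tuple order
# follows the table's columns.
EXPOSURES = ("External", "Limited", "Internal", "Isolated")
EXPOSURE_TIMELINE = {
    "Critical": (timedelta(hours=72), timedelta(days=15), timedelta(days=30), timedelta(days=60)),
    "High": (timedelta(days=15), timedelta(days=30), timedelta(days=60), timedelta(days=60)),
    "Medium": (timedelta(days=30), timedelta(days=60), timedelta(days=60), timedelta(days=60)),
    "Low": (timedelta(days=60),) * 4,
    "None": (timedelta(days=90),) * 4,
}


def severity(cvss: float) -> str:
    """Map a CVSS base score to the procedure's severity band."""
    score = round(cvss, 1)  # CVSS base scores carry one decimal place
    for name, low, high in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS score out of range: {cvss!r}")


@dataclass
class Finding:
    asset: str
    cvss: float
    discovered: datetime            # first reported by the ISO scanner
    exposure: Optional[str] = None  # Exposure designation, assigned once the initial timeline is missed
    remediated: bool = False        # patch applied / service removed
    rescan_clean: bool = False      # rescan validated the Remediation


def initial_deadline(f: Finding) -> datetime:
    return f.discovered + INITIAL_TIMELINE[severity(f.cvss)]


def reevaluated_deadline(f: Finding) -> Optional[datetime]:
    """Deadline after an Exposure designation. Assumption (not stated by the
    procedure): the reevaluated timeline is still counted from discovery."""
    if f.exposure is None:
        return None
    if f.exposure not in EXPOSURES:
        raise ValueError(f"unknown Exposure designation: {f.exposure!r}")
    column = EXPOSURES.index(f.exposure)
    return f.discovered + EXPOSURE_TIMELINE[severity(f.cvss)][column]


def status(f: Finding, now: datetime) -> str:
    """Where the finding stands in the procedure's escalation path at 'now'."""
    if f.remediated:
        # Remediation only counts once the rescan validates it.
        return "closed" if f.rescan_clean else "pending rescan"
    if now <= initial_deadline(f):
        return "on track (initial timeline)"
    if f.exposure is None:
        return "overdue: apply Mitigating Controls and assign Exposure designation"
    if now <= reevaluated_deadline(f):
        return f"on track (reevaluated, {f.exposure} Exposure)"
    return "exception to policy required (Procedure P4-004P)"


def report(findings, now: datetime):
    """One (asset, severity, status) row per finding, most severe first."""
    rows = [(f.asset, severity(f.cvss), status(f, now)) for f in findings]
    rank = {name: i for i, (name, _, _) in enumerate(SEVERITY_BANDS)}
    return sorted(rows, key=lambda r: rank[r[1]])


if __name__ == "__main__":
    # Constructed sample findings; hostnames, scores and dates are made up.
    t0 = datetime(2024, 11, 6, 9, 0)
    sample = [
        Finding("web-01.example.edu", 9.8, t0),
        Finding("db-02.example.edu", 9.8, t0, exposure="Internal"),
        Finding("lab-07.example.edu", 7.5, t0, exposure="Isolated"),
        Finding("kiosk-03.example.edu", 5.3, t0, remediated=True),
        Finding("printer-11.example.edu", 0.0, t0),
    ]
    for asset, sev, state in report(sample, t0 + timedelta(days=10)):
        print(f"{asset:24} {sev:8} {state}")
```

Run as a script it prints one status line per constructed finding ten days after discovery; fed a real scanner export, the same `status` logic is what a monthly review (the "at least monthly" report review above) would use to spot findings that need an Exposure designation or an exception request before the ISO escalation steps apply.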
Sections IV-VII are for user information about this procedure.
Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
Policies/ Rules.
Procedures, Guidelines, and Forms. [ reserved ]
Other Related Resources.
Contacts.
The designated contact officials for this Regulation are:
Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer
Policy Officer(s): Chief Information Officer
See Rule 1-001 for information about the roles and authority of policy owners and policy officers.
History.
Revision History.
Current version. Revision 1.
Approved by Chief Information Security Officer with effective date of November 6, 2024.
Previous versions

Renumbering
Not applicable