
Procedure P4-004G: Vulnerability Management

Revision 1. Effective date: November 6, 2024


  1. Purpose and Scope
  2. Definitions
  3. Procedure
  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources
  5. References
  6. Contacts
  7. History

  1. Purpose and Scope

    1. Purpose.

      The purpose of this Vulnerability Management Procedure is to outline the process for managing Vulnerabilities according to Policy 4-004 and its associated regulations.

    2. Scope.

      The scope of this procedure is all University administrative units, including colleges, divisions, departments, and centers, and all members of the University community, including students, staff, faculty, other permanent or temporary employees, contractors, research collaborators, vendors, and third-party agents.

      This procedure supports Section G, titled IT Resource and Information System Security and Vulnerability Management, of the University of Utah Information Security Policy 4-004 and Rule R4-004G, titled IT Resource and Information System Security and Vulnerability Management.

  2. Definitions

    The definitions provided in Policy 4-004 apply for this procedure. In addition, the terms below apply for the limited purpose of this procedure.

    1. Exploit – A malicious software tool that takes advantage of a Vulnerability or security flaw.

    2. Exposure – The extent to which an Asset, stakeholder, or organization is subject to a Risk.

    3. Information Security Office (ISO) – The University’s information security department, which reports to the chief information security officer (CISO).

    4. Mitigate (or Mitigation) – A decision, action, or practice intended to reduce the level of Risk associated with one or more Threat events, Threat scenarios, or Vulnerabilities.

    5. Remediate – The neutralization or elimination of a Vulnerability or the likelihood of its exploitation.

      Note: Actions taken as part of Vulnerability management fall into two broad classes: Mitigation and Remediation. Mitigation reduces the Risk of the Vulnerability being exploited by a Threat actor, whereas Remediation eliminates the Vulnerability from the impacted Asset. University policy specifies timelines for Remediation based on the severity of the Vulnerability and the Exposure of the Asset. Understanding the difference between Mitigation and Remediation is central to understanding this procedure.

  3. Procedure

    1. All IT managers, IT Technicians, and Users managing Assets shall:

      1. maintain a current and accurate inventory of all Assets for which they are responsible;

      2. allocate funds for Information Systems to ensure they are supported throughout their life cycle and can be replaced before their end-of-support or end-of-life date;

      3. configure all Information Systems according to Security Benchmarks as defined in Procedure P4-004G1 wherever technically feasible;

        For more specific implementation requirements, please access Procedure P4-004G1.

      4. configure security Controls to allow ISO Vulnerability scanners to scan all Assets on all ports and services;

        1. An exclusion to ISO Vulnerability scans requires an exception to policy.

          For more specific implementation requirements, please access Procedure P4-004P.

      5. scan for Vulnerabilities using the ISO-provided Vulnerability scanners, review reports for all Information Systems at least monthly, and document known false positives;

      6. establish a process for monitoring known Vulnerabilities of all Information Systems for which they are responsible;

      7. analyze and document the Risks and Vulnerabilities present according to Section D;

      8. for identified Vulnerabilities, follow the Remediation of Vulnerabilities outlined in Section D;

        1. If a Vulnerability cannot be Patched or a Patch is not available (e.g., end-of-support or end-of-life), an exception to policy shall be filed as per Procedure P4-004P within the required time frame for Remediation.

          For more specific implementation requirements, please access Procedure P4-004P.

      9. promptly respond to any contact from the ISO regarding vulnerable Information Systems; and

      10. maintain processes to prevent Information Systems from being deployed with existing Vulnerabilities.

    2. IT managers shall ensure that all Vulnerabilities are addressed according to the Remediation timeline in Section D for the units and/or departments for which they are accountable. In the absence of an IT manager, the department head is accountable for meeting this requirement.

    3. The ISO shall:

      1. maintain enterprise Vulnerability scanning software available for use by all IT managers, IT Technicians, and Users managing Assets;

      2. provide periodic reports to executive management regarding the University’s Vulnerability posture;

      3. monitor and alert on emerging Threats (e.g., previously unknown critical Vulnerabilities) and assist in quickly managing the response to such Threats and facilitating Risk reduction;

      4. provide information to all IT managers, IT Technicians, and Users managing Assets to aid in understanding their Vulnerability Risk; and

      5. notify IT managers, IT Technicians, and Users managing Assets of identified Vulnerabilities via approved University communication platforms.

        1. If the contacted IT manager, IT Technician, or User does not respond with a Remediation plan within the timeline given in the Exposure Designation table in Section D, the ISO may take the following steps:

          1. remove the Asset from the University network with the approval of the CISO;

          2. block the Asset from accessing University network space until the Vulnerability has been Remediated as outlined in Section D; and/or

          3. email all concerned parties documenting the communication attempts and relevant University policies.

        2. If, at any time, the ISO determines that the affected Information System remaining on the network represents an unacceptable level of Risk to the University, it may remove the Information System from the University network with the approval of the CISO until the Vulnerability has been Remediated or Mitigated as outlined in Section D.

    4. Remediation of Vulnerabilities

      1. The Remediation of Vulnerabilities shall be prioritized according to the following timelines:

        Remediation Timeline

        Severity    CVSS Baseline    Timeline
        Critical    9.0-10.0         72 hours
        High        7.0-8.9          15 days
        Medium      4.0-6.9          30 days
        Low         0.1-3.9          60 days
        None        0                90 days

      2. Perform Remediation and rescan the Information System to validate Remediation was successful.

      3. For all Vulnerabilities that cannot be Remediated within the initial Remediation timeline, apply any applicable Mitigating Controls, assign an Exposure designation to the Vulnerability based on Exposure level, and reevaluate the Remediation timeline based on the table below:

        Exposure Designation

        CVSS Severity / Rating    External Exposure    Limited Exposure    Internal Exposure    Isolated
        Critical: 9.0-10.0        72 hours             15 days             30 days              60 days
        High: 7.0-8.9             15 days              30 days             60 days              60 days
        Medium: 4.0-6.9           30 days              60 days             60 days              60 days
        Low: 0.1-3.9              60 days              60 days             60 days              60 days
        None: 0                   90 days              90 days             90 days              90 days

        1. External Exposure: The Vulnerability is publicly Exposed to the internet with few to no Mitigating Controls in place. The Vulnerability can be exploited by a Threat actor that is outside the University network.

        2. Limited Exposure: The Vulnerability has limited Exposure to public or internal networks with one or more Mitigating Controls in place. The Vulnerability can be exploited only by a Threat actor who has explicit access to the Asset.

        3. Internal Exposure: The Vulnerability is Exposed to University internal networks with minimal Mitigating Controls in place. The Vulnerability can be exploited by a Threat actor that is connected to any University internal network.

        4. Isolated: The Vulnerability has minimal Exposure with all possible Mitigating Controls in place, the Asset is isolated from other Assets, and the affected Information System only provides the minimum necessary services. The Vulnerability can be exploited only by a Threat actor who has gained access to the isolated environment.

      4. If the Vulnerability still cannot be Mitigated and subsequently Remediated according to the updated timelines, an exception to policy shall be requested.

        For more specific implementation requirements, please access Procedure P4-004P.
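        The following tracker is an added example written for this page, not part of the University's procedure or its tooling: it encodes the Remediation Timeline and Exposure Designation tables from Section 3.4 and classifies constructed scan findings against steps 3.4.2 to 3.4.4. It assumes that the reevaluated timeline is counted from the date the Vulnerability was found and that 72 hours equals 3 days.

```python
from datetime import date, timedelta

# Tables from Sections 3.4.1 and 3.4.3 (severity -> days; "72 hours" taken as 3 days).
REMEDIATION_DAYS = {"Critical": 3, "High": 15, "Medium": 30, "Low": 60, "None": 90}
EXPOSURE_DAYS = {
    "Critical": {"External": 3, "Limited": 15, "Internal": 30, "Isolated": 60},
    "High": {"External": 15, "Limited": 30, "Internal": 60, "Isolated": 60},
    "Medium": {"External": 30, "Limited": 60, "Internal": 60, "Isolated": 60},
    "Low": {"External": 60, "Limited": 60, "Internal": 60, "Isolated": 60},
    "None": {"External": 90, "Limited": 90, "Internal": 90, "Isolated": 90},
}

def severity(cvss: float) -> str:
    """Map a CVSS base score to the procedure's severity bands (Section 3.4.1)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if cvss >= floor:
            return name
    return "None"

def deadline(found: date, cvss: float, exposure=None) -> date:
    """Due date: the initial timeline, or the reevaluated one once an Exposure
    designation is assigned. Assumption: both are counted from the date found."""
    sev = severity(cvss)
    days = REMEDIATION_DAYS[sev] if exposure is None else EXPOSURE_DAYS[sev][exposure]
    return found + timedelta(days=days)

def status(finding: dict, today: date):
    """Classify one finding against steps 3.4.2 to 3.4.4; returns (state, due date)."""
    due = deadline(finding["found"], finding["cvss"], finding.get("exposure"))
    if finding.get("rescan_clean"):      # 3.4.2: a clean rescan validates Remediation
        return "remediated", due
    if today <= due:
        return "open", due
    if finding.get("exposure") is None:  # 3.4.3: mitigate, assign Exposure, reevaluate
        return "overdue: assign Exposure designation", due
    return "overdue: exception to policy required (P4-004P)", due  # 3.4.4

# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    {"asset": "web-01", "cvss": 9.8, "found": date(2024, 11, 6)},
    {"asset": "db-02", "cvss": 7.5, "found": date(2024, 10, 1), "exposure": "Internal"},
    {"asset": "lab-03", "cvss": 5.3, "found": date(2024, 10, 1), "rescan_clean": True},
]

def report(findings, today: date) -> dict:
    """Asset -> (state, due date) for every finding as of `today`."""
    return {f["asset"]: status(f, today) for f in findings}
```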


        Sections IV-VII are for user information about this procedure.

  4. Policies/ Rules, Procedures, Guidelines, Forms and other Related Resources

    1. Policies/ Rules.

      1. Policy 4-004: University Information Security Policy

      2. Rule R4-004G: IT Resource and Information System Security and Vulnerability Management

    2. Procedures, Guidelines, and Forms. [ reserved ]

    3. Other Related Resources.

  5. References

    1. P4-004G1: Configuration Hardening

    2. P4-004P: Exceptions to Policy

  6. Contacts

    The designated contact officials for this Regulation are:

    1. Policy Owner(s) (primary contact person for questions and advice): Chief Information Security Officer

    2. Policy Officer(s): Chief Information Officer

      See Rule 1-001 for information about the roles and authority of policy owners and policy officers.

  7. History

    Revision History.

    1. Current version. Revision 1.

      1. Approved by Chief Information Security Officer with effective date of November 6, 2024.

    2. Previous versions

      1. Revision 0.

    3. Renumbering

      1. Not applicable

Last Updated: 11/6/24