APPENDIX TO POLICY

Technical Vulnerability Management Standard

Objective

Technical vulnerabilities in information technology, including but not limited to software and applications, must be remediated when identified. Inadequate system security controls are a threat to the University network and not solely to any one device.

Security Controls

Multi-user systems (e.g., server, print server) and systems in-scope for PCI-DSS

The following table defines the baseline security controls for identifying and managing technical vulnerabilities for multi-user systems and systems in scope for PCI-DSS. Systems in scope for PCI-DSS must follow the High security level.

ID       | Description                                                                                                                                                     | High     | Medium      | Low
---------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------------|------------
TVM.A.01 | Monitor security, vendor and internal University computer security communications for technical vulnerabilities                                                 | Required | Required    | Recommended
TVM.A.02 | Use the University provided internal network based scan tool to assess technical vulnerabilities related to the configuration, operating system, and software applications | Required | Required    | Recommended
TVM.A.03 | Run internal technical vulnerability scans using the University provided tool at least monthly                                                                  | Required | Required    | Recommended
TVM.A.04 | Remediate high risk vulnerabilities detected                                                                                                                    | Required | Required    | Required
TVM.A.05 | If a high risk vulnerability cannot be mitigated and re-scanned by the end of the month, document a remediation plan within 20 days of detection                | Required | Required    | Optional
TVM.A.06 | Review of remediation plan by University Information Security                                                                                                   | Required | Recommended | Optional
TVM.A.07 | Include internal technical vulnerability scan results in the quarterly management report                                                                        | Required | Required    | Optional
TVM.A.08 | Remediate medium risk vulnerabilities detected                                                                                                                  | Required | Required    | Recommended
TVM.A.09 | Remediate low risk vulnerabilities detected                                                                                                                     | Required | Recommended | Recommended
TVM.A.10 | Run internal technical vulnerability scans using the University provided tool at least weekly                                                                   | Required | Recommended | Optional
TVM.A.11 | Review scan results for high risk vulnerabilities within 4 business days                                                                                        | Required | Required    | Optional

External technical vulnerability scans for systems in-scope for PCI-DSS

The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected by external scans for systems in scope for PCI-DSS. Systems in scope for PCI-DSS must follow the High security level.

ID       | Description                                                                                                                                                                          | High     | Medium         | Low
---------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|----------------|---------------
TVM.B.01 | Run technical vulnerability scans using the University contracted PCI DSS approved scan vendor at least quarterly                                                                    | Required | Not applicable | Not applicable
TVM.B.02 | Review scan results within 2 business days                                                                                                                                           | Required | Not applicable | Not applicable
TVM.B.03 | Remediate high risk vulnerabilities and vulnerabilities marked for PCI-DSS compliance with a FAILED status                                                                           | Required | Not applicable | Not applicable
TVM.B.04 | If a high risk vulnerability, or a vulnerability marked for PCI-DSS compliance with a FAILED status, cannot be mitigated and re-scanned by the end of the month, document a remediation plan within 5 business days of detection | Required | Not applicable | Not applicable
TVM.B.05 | Review of remediation plan by University Information Security and the University Payment Card Compliance Officer                                                                     | Required | Not applicable | Not applicable
TVM.B.06 | Obtain the PCI DSS approved scan vendor's quarterly attestation for vulnerability scan results                                                                                        | Required | Not applicable | Not applicable
TVM.B.07 | Remediate medium risk vulnerabilities detected                                                                                                                                       | Required | Not applicable | Not applicable
TVM.B.08 | Remediate low risk vulnerabilities detected                                                                                                                                          | Required | Not applicable | Not applicable

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Technical Vulnerability Management

Published Date

  • November 2014
