Printed on: 08/20/2019. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Appendix

Technical Vulnerability Management Standard

Appendix to Policy

Objective

Technical vulnerabilities in information technology configurations and software (including but not limited to operating system, applications, and firmware) must be remediated when identified. IT Resources are expected to be running current supported, patched, and maintained software.

Inadequate system security controls on any system or device are a threat to the University IT infrastructure. For IT resources that do not comply with remediation of high severity or zero-day (including actively exploited) vulnerabilities, access to the University network may be limited or disconnected.

Security Controls

Vulnerability Management

The following table defines the baseline security controls for vulnerability management.

ControlSecurity Level
ID Description High Medium Low
TVM.A.01 Monitor security industry, vendor, and internal University computer security communications for technical vulnerability announcements Required Required Recommended
TVM.A.02 Use a University Information Security approved scan tool to assess technical vulnerabilities related to the configuration, operating system, and software1 Required Required Recommended
TVM.A.03 Periodically review and follow a vulnerability management procedure (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended
TVM.A.04 Follow a documented plan for immediate response to an active or expected exploit, include remediation steps Required
Effective July 2019
Required
Effective July 2019
Recommended

1 Excludes single-user systems, workstations, unless required for legal, regulatory, or contractual compliance.

  • Required by PCI DSS on all systems that store, process or transmit cardholder data, or support the credit card processing environment.
  • Required for all systems in scope for health information, HIPAA or ePHI.

Internal Scans

The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected on an internal vulnerability scan.

ControlSecurity Level
ID Description High Medium Low
TVM.B.01 Run authenticated technical vulnerability scans/agents 1 Required - Weekly
Effective July 2019
Required - Monthly
Effective July 2019
Optional
TVM.B.02 If the system is unable to run authenticated scans, document the reason and run internal unauthenticated technical vulnerability scans Required - Weekly Required -Monthly Recommended - Monthly
TVM.B.03 Remediate high severity vulnerabilities detected, or if unable to remediate within 30 calendar days of detection, document and implement a mitigation plan, and inform University Information Security of the plan2 Required Required Required
TVM.B.04 Evaluate and prioritize remediation of medium and low severity vulnerabilities detected 3 Required Recommended Recommended
TVM.B.05 Document scan results in a quarterly management report Required Recommended Optional

1 PCI DSS does not require authenticated scans.

2 In cases where University Information Security issues a specific alert for a high severity vulnerability, requirements within the alert supersede those listed above.

3 PCI DSS requires remediation of medium and low severity vulnerabilities.

External Scans for Systems In-Scope for PCI DSS

The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected by external scans for systems in scope for PCI DSS.

ControlSecurity Level
ID Description High Medium Low
TVM.C.01 Run technical vulnerability scans using the University contracted PCI DSS approved scan vendor at least quarterly Required Required Required
TVM.C.02 Review scan results within 2 business days Required Required Required
TVM.C.03 Remediate high severity vulnerabilities and vulnerabilities marked for PCI DSS compliance with a FAILED status Required Required Required
TVM.C.04 Document a mitigation plan within 5 business days of detection, if unable to remediate and re-scan by the end of the month for high severity vulnerabilities or vulnerabilities marked for PCI DSS compliance with a FAILED status Required Required Required
TVM.C.05 Review of mitigation plan by University Information Security and University Payment Card Compliance Officer Required Required Required
TVM.C.06 Obtain PCI DSS approved scan vendor quarterly attestation for vulnerability scan results Required  Required Required
TVM.C.07 Remediate medium severity vulnerabilities detected Required Required Required
TVM.C.08 Remediate low severity vulnerabilities detected Required Required Required

Resources Covered

This applies to IT resources owned or contracted by the University.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019

Document Feedback

Information Technology