Objective
Technical vulnerabilities in information technology configurations and software (including but not limited to operating systems, applications, and firmware) must be remediated when identified. IT resources are expected to be running current, supported, patched, and maintained software.
Inadequate system security controls on any system or device are a threat to the University IT infrastructure. For IT resources that do not comply with remediation of high severity or zero-day (including actively exploited) vulnerabilities, access to the University network may be limited or disconnected.
Security Controls
Vulnerability Management
The following table defines the baseline security controls for vulnerability management; the High, Medium, and Low columns give the requirement at each security level.

ID | Description | High | Medium | Low
---|---|---|---|---
TVM.A.01 | Monitor security industry, vendor, and internal University computer security communications for technical vulnerability announcements | Required | Required | Recommended
TVM.A.02 | Use a University Information Security approved scan tool to assess technical vulnerabilities related to the configuration, operating system, and software¹ | Required | Required | Recommended
TVM.A.03 | Periodically review and follow a vulnerability management procedure (suggested: annually) | Required (effective July 2019) | Required (effective July 2019) | Recommended
TVM.A.04 | Follow a documented plan for immediate response to an active or expected exploit, including remediation steps | Required (effective July 2019) | Required (effective July 2019) | Recommended

¹ Excludes single-user systems and workstations unless required for legal, regulatory, or contractual compliance:
- Required by PCI DSS on all systems that store, process or transmit cardholder data, or support the credit card processing environment.
- Required for all systems in scope for health information, HIPAA or ePHI.
Internal Scans
The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected by an internal vulnerability scan; the High, Medium, and Low columns give the requirement at each security level.

ID | Description | High | Medium | Low
---|---|---|---|---
TVM.B.01 | Run authenticated technical vulnerability scans/agents¹ | Required, weekly (effective July 2019) | Required, monthly (effective July 2019) | Optional
TVM.B.02 | If the system is unable to run authenticated scans, document the reason and run internal unauthenticated technical vulnerability scans | Required, weekly | Required, monthly | Recommended, monthly
TVM.B.03 | Remediate high severity vulnerabilities detected; if unable to remediate within 30 calendar days of detection, document and implement a mitigation plan and inform University Information Security of the plan² | Required | Required | Required
TVM.B.04 | Evaluate and prioritize remediation of medium and low severity vulnerabilities detected³ | Required | Recommended | Recommended
TVM.B.05 | Document scan results in a quarterly management report | Required | Recommended | Optional

¹ PCI DSS does not require authenticated scans.
² Where University Information Security issues a specific alert for a high severity vulnerability, the requirements in the alert supersede those listed above.
³ PCI DSS requires remediation of medium and low severity vulnerabilities.
External Scans for Systems In-Scope for PCI DSS
The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected by external scans of systems in scope for PCI DSS; these controls apply at every security level.

ID | Description | High | Medium | Low
---|---|---|---|---
TVM.C.01 | Run technical vulnerability scans using the University contracted PCI DSS approved scan vendor at least quarterly | Required | Required | Required
TVM.C.02 | Review scan results within 2 business days | Required | Required | Required
TVM.C.03 | Remediate high severity vulnerabilities and vulnerabilities marked FAILED for PCI DSS compliance | Required | Required | Required
TVM.C.04 | If a high severity vulnerability, or a vulnerability marked FAILED for PCI DSS compliance, cannot be remediated and re-scanned by the end of the month, document a mitigation plan within 5 business days of detection | Required | Required | Required
TVM.C.05 | Have the mitigation plan reviewed by University Information Security and the University Payment Card Compliance Officer | Required | Required | Required
TVM.C.06 | Obtain the PCI DSS approved scan vendor's quarterly attestation for vulnerability scan results | Required | Required | Required
TVM.C.07 | Remediate medium severity vulnerabilities detected | Required | Required | Required
TVM.C.08 | Remediate low severity vulnerabilities detected | Required | Required | Required
Resources Covered
This applies to IT resources owned or contracted by the University.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Technical Vulnerability Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to technical vulnerability management.
Published Date
November 2014
Last Reviewed
April 2019