APPENDIX TO POLICY
Technical Vulnerability Management Standard
Technical vulnerabilities in information technology, including but not limited to software and applications, must be remediated when identified. Inadequate system security controls are a threat to the University network and not solely to any one device.
Multi-user systems (e.g., server, print server) and systems in scope for PCI DSS
The following table defines the baseline security controls for identifying and managing technical vulnerabilities on multi-user systems and on systems in scope for PCI DSS. Systems in scope for PCI DSS must follow the High security level.

| ID | Control | High | Medium | Low |
|---|---|---|---|---|
| TVM.A.01 | Monitor security, vendor and internal University computer security communications for technical vulnerabilities | Required | Required | Recommended |
| TVM.A.02 | Use the University-provided internal network-based scan tool to assess technical vulnerabilities in the configuration, operating system and software applications | Required | Required | Recommended |
| TVM.A.03 | Run internal technical vulnerability scans using the University-provided tool at least monthly | Required | Required | Recommended |
| TVM.A.04 | Remediate high risk vulnerabilities detected | Required | Required | Required |
| TVM.A.05 | Document a remediation plan within 20 days of detection for high risk vulnerabilities that cannot be mitigated and re-scanned by the end of the month | Required | Required | Optional |
| TVM.A.06 | Have the remediation plan reviewed by University Information Security | Required | Recommended | Optional |
| TVM.A.07 | Include internal technical vulnerability scan results in the quarterly management report | Required | Required | Optional |
| TVM.A.08 | Remediate medium risk vulnerabilities detected | Required | Required | Recommended |
| TVM.A.09 | Remediate low risk vulnerabilities detected | Required | Recommended | Recommended |
| TVM.A.10 | Run internal technical vulnerability scans using the University-provided tool at least weekly | Required | Recommended | Optional |
| TVM.A.11 | Review scan results for high risk vulnerabilities within 4 business days | Required | Required | Optional |
External technical vulnerability scans for systems in scope for PCI DSS
The following table defines the baseline security controls for identifying and managing technical vulnerabilities detected by external scans of systems in scope for PCI DSS. Systems in scope for PCI DSS must follow the High security level.

| ID | Control | High | Medium | Low |
|---|---|---|---|---|
| TVM.B.01 | Run technical vulnerability scans using the University-contracted PCI DSS Approved Scanning Vendor at least quarterly | Required | Not applicable | Not applicable |
| TVM.B.02 | Review scan results within 2 business days | Required | Not applicable | Not applicable |
| TVM.B.03 | Remediate high risk vulnerabilities and vulnerabilities marked for PCI DSS compliance with a FAILED status | Required | Not applicable | Not applicable |
| TVM.B.04 | Document a remediation plan within 5 business days of detection for high risk vulnerabilities, or vulnerabilities marked for PCI DSS compliance with a FAILED status, that cannot be mitigated and re-scanned by the end of the month | Required | Not applicable | Not applicable |
| TVM.B.05 | Have the remediation plan reviewed by University Information Security and the University Payment Card Compliance Officer | Required | Not applicable | Not applicable |
| TVM.B.06 | Obtain the PCI DSS Approved Scanning Vendor's quarterly attestation for the vulnerability scan results | Required | Not applicable | Not applicable |
| TVM.B.07 | Remediate medium risk vulnerabilities detected | Required | Not applicable | Not applicable |
| TVM.B.08 | Remediate low risk vulnerabilities detected | Required | Not applicable | Not applicable |
This applies to IT resources owned or contracted by the University.
This applies to University community members who use or manage University IT resources.
November 2014