GDL-3000.07E: System Vulnerability Management Guidelines
GUIDELINE SUMMARY
Intended Audience: University personnel responsible for managing network-connected systems
Guideline Owner: Director of Information Security
Introduction
The University’s Information Security Office (ISO) runs a vulnerability management program to discover, monitor, and assist in remediation of security vulnerabilities of information technology (IT) assets in the University’s environment. Vulnerabilities can be found in the software, operating system, firmware, and hardware of any network-connected devices.
Vulnerability Assessments
Servers and workstations should be scanned using the functionality in the University’s enterprise endpoint security solution, Microsoft Defender for Endpoint. Other assets should be scanned by the stand-alone vulnerability assessment scanner managed by Information Technology Services (ITS). Vulnerability assessments should be done using credentialed scans or using endpoint clients with access equivalent to a credentialed scan.
Vulnerability assessment tools should categorize vulnerabilities according to the Common Vulnerability Scoring System (CVSS) on a quantitative scale from 0 to 10, and a qualitative scale of None to Critical. The vulnerability severity will determine the patching time frames as detailed in ITS guideline GDL-3000.07D: System Patching Guidelines.
Table 1 – Vulnerability Severity Scales
Qualitative | Quantitative
---|---
None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
Vulnerability assessments should be done quarterly at a minimum. Workstations and servers should be scanned daily via the University’s enterprise endpoint security solution.
Technicians managing servers and workstations are responsible for accessing vulnerability assessments themselves in the University’s enterprise endpoint security solution. For other asset types, the ISO will distribute vulnerability scan results to System Custodians.
Remediation of Vulnerabilities
Defender for Endpoint provides security recommendations for groups of assets. Security recommendations rank suggested actions/changes by impact. Security recommendations should be used to prioritize remediation actions.
Defender for Endpoint provides a dashboard with a security score for all assets within an administrator’s scope. Administrators should keep their score in the Low range by acting on the security recommendations. For non-endpoint system scans, vulnerabilities should be remediated as per ITS guideline GDL-3000.07D: System Patching Guidelines.
FULL DOCUMENT
1. Definitions
Term | Definition
---|---
System Custodian | An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties.
System Steward | An individual responsible for management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They may create and enforce management and access policies. They are often referred to as Business Owners.
Vulnerability | A point of risk that could result in penetration of a security barrier. Awareness of potential vulnerabilities is key to designing more effective defenses against attack by unauthorized parties (OCIO 141.10).
Vulnerability Assessment | A comprehensive analysis that attempts to define, identify, and classify the security holes (vulnerabilities) in a system, network, or communications infrastructure (OCIO 141.10).
2. Introduction
The University’s Information Security Office runs a Vulnerability Management Program to discover, monitor, and assist in remediation of security vulnerabilities of information technology (IT) assets in the University’s environment. Vulnerabilities can be found in the software, operating system, firmware, and hardware of any network-connected devices.
3. Vulnerability Assessments
OCIO 141.10: 1.3, 7.4
Assets should be scanned for vulnerabilities by enterprise tools managed by Information Technology Services (ITS). Servers and workstations should be scanned using the functionality in the University’s enterprise endpoint security solution, Microsoft Defender for Endpoint. Other assets should be scanned by a stand-alone Vulnerability Assessment scanner. Vulnerability Assessments should be done using credentialed scans or using endpoint clients with access equivalent to a credentialed scan.
3.1 Categorizing Vulnerabilities
OCIO 141.10: 5.5(4)
Vulnerability Assessment tools should categorize vulnerabilities according to the Common Vulnerability Scoring System (CVSS) on a quantitative scale from 0 to 10, and a qualitative scale of None to Critical. The Vulnerability severity will determine the patching time frames as detailed in ITS guideline GDL-3000.07D: System Patching Guidelines.
Table 1 – Vulnerability Severity Scales
Qualitative | Quantitative
---|---
None | 0.0
Low | 0.1-3.9
Medium | 4.0-6.9
High | 7.0-8.9
Critical | 9.0-10.0
3.2 Frequency
Vulnerability Assessments should be done quarterly at a minimum. Workstations and servers should be scanned daily via the University’s enterprise endpoint security solution.
3.3 Distribution of Scanning Results
System Custodians of workstations and servers are responsible for accessing Vulnerability Assessments themselves in the University’s enterprise endpoint security solution. For other asset types, the Information Security Office will distribute vulnerability scan results to System Custodians.
4. Remediation of Vulnerabilities
Defender for Endpoint provides security recommendations for groups of assets. Security recommendations rank suggested actions/changes by impact. Security recommendations should be used to prioritize remediation actions.
Defender for Endpoint provides a dashboard with a security score for all assets within an administrator’s scope. Administrators should keep their score in the Low range by acting on the security recommendations. For non-endpoint system scans, vulnerabilities should be remediated as per ITS guideline GDL-3000.07D: System Patching Guidelines.
5. Authority
- University policy POL-U3000.07 - Securing Information Systems
- Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards
6. References
- NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- OCIO 141.10: Securing Information Technology Assets
- National Vulnerability Database
- Information Technology Services (ITS) guideline GDL-3000.07D: System Patching Guidelines
Change Log
Revised | Version | Author | Approver | Change
---|---|---|---|---
07/30/2021 | 1.0 | Beth Albertson | ITS Standards & Guidelines Committee | Original Version