GDL-3000.07E: System Vulnerability Management Guidelines

GUIDELINE SUMMARY

Intended Audience: University personnel responsible for managing network-connected systems
Guideline Owner: Director of Information Security

Introduction

The University’s Information Security Office (ISO) runs a vulnerability management program to discover, monitor, and assist in remediation of security vulnerabilities of information technology (IT) assets in the University’s environment. Vulnerabilities can be found in the software, operating system, firmware, and hardware of any network-connected devices.

Vulnerability Assessments

Servers and workstations should be scanned using the functionality in the University’s enterprise endpoint security solution, Microsoft Defender for Endpoint. Other assets should be scanned by the stand-alone vulnerability assessment scanner managed by Information Technology Services (ITS). Vulnerability assessments should be done using credentialed scans or using endpoint clients with access equivalent to a credentialed scan.

Vulnerability assessment tools should categorize vulnerabilities according to the Common Vulnerability Scoring System (CVSS) on a quantitative scale from 0 to 10, and a qualitative scale of None to Critical. The vulnerability severity will determine the patching time frames as detailed in ITS guideline GDL-3000.07D: System Patching Guidelines.

Table 1 – Vulnerability Severity Scales

Qualitative   Quantitative
None          0.0
Low           0.1-3.9
Medium        4.0-6.9
High          7.0-8.9
Critical      9.0-10.0

Vulnerability assessments should be done quarterly at a minimum. Workstations and servers should be scanned daily via the University’s enterprise endpoint security solution.

Technicians managing servers and workstations are responsible for accessing vulnerability assessments themselves in the University’s enterprise endpoint security solution. For other asset types, the ISO will distribute vulnerability scan results to System Custodians.

Remediation of Vulnerabilities

Defender for Endpoint provides security recommendations for groups of assets. Security recommendations rank suggested actions/changes by impact. Security recommendations should be used to prioritize remediation actions.

Defender for Endpoint provides a dashboard with a security score for all assets within an administrator’s scope. Administrators should keep their score in the Low range by acting on the security recommendations. For non-endpoint system scans, vulnerabilities should be remediated as per ITS guideline GDL-3000.07D: System Patching Guidelines.

FULL DOCUMENT

1. Definitions 

System Custodian 

An individual responsible for the technical management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They implement the best practices defined by the System Steward and perform operational duties. 

System Steward 

An individual responsible for management of a University-owned system such as a workstation, server, router, switch, printer, controller, or other network-attached device. They may create and enforce management and access policies. They are often referred to as Business Owners. 

Vulnerability 

A point of risk that could result in penetration of a security barrier. Awareness of potential vulnerabilities is key to designing more effective defenses against attack by unauthorized parties (OCIO 141.10). 

Vulnerability Assessment 

A comprehensive analysis that attempts to define, identify, and classify the security holes (vulnerabilities) in a system, network, or communications infrastructure (OCIO 141.10). 

2. Introduction 

The University’s Information Security Office runs a Vulnerability Management Program to discover, monitor, and assist in remediation of security vulnerabilities of information technology (IT) assets in the University’s environment. Vulnerabilities can be found in the software, operating system, firmware, and hardware of any network-connected devices. 

3. Vulnerability Assessments 

OCIO 141.10: 1.3, 7.4 

Assets should be scanned for vulnerabilities by enterprise tools managed by Information Technology Services (ITS). Servers and workstations should be scanned using the functionality in the University’s enterprise endpoint security solution, Microsoft Defender for Endpoint. Other assets should be scanned by a stand-alone Vulnerability Assessment scanner. Vulnerability Assessments should be done using credentialed scans or using endpoint clients with access equivalent to a credentialed scan. 

3.1 Categorizing Vulnerabilities 

OCIO 141.10: 5.5(4) 

Vulnerability Assessment tools should categorize vulnerabilities according to the Common Vulnerability Scoring System (CVSS) on a quantitative scale from 0 to 10, and a qualitative scale of None to Critical. The vulnerability severity will determine the patching time frames as detailed in ITS guideline GDL-3000.07D: System Patching Guidelines.

Table 1 – Vulnerability Severity Scales

Qualitative   Quantitative
None          0.0
Low           0.1-3.9
Medium        4.0-6.9
High          7.0-8.9
Critical      9.0-10.0

3.2 Frequency 

Vulnerability Assessments should be done quarterly at a minimum. Workstations and servers should be scanned daily via the University’s enterprise endpoint security solution. 

3.3 Distribution of Scanning Results 

System Custodians of workstations and servers are responsible for accessing Vulnerability Assessments themselves in the University’s enterprise endpoint security solution. For other asset types, the Information Security Office will distribute vulnerability scan results to System Custodians.

4. Remediation of Vulnerabilities 

Defender for Endpoint provides security recommendations for groups of assets. Security recommendations rank suggested actions/changes by impact. Security recommendations should be used to prioritize remediation actions. 

Defender for Endpoint provides a dashboard with a security score for all assets within an administrator’s scope. Administrators should keep their score in the Low range by acting on the security recommendations. For non-endpoint system scans, vulnerabilities should be remediated as per ITS guideline GDL-3000.07D: System Patching Guidelines.

5. Authority 

  1. University policy POL-U3000.07 - Securing Information Systems
  2. Washington State Office of the Chief Information Officer (OCIO) 141.10 – Securing Information Technology Assets Standards 

6. References 

  1. NIST 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations 
  2. OCIO 141.10: Securing Information Technology Assets 
  3. National Vulnerability Database 
  4. Information Technology Services (ITS) guideline GDL-3000.07D: System Patching Guidelines 

Change Log

Revised      Version   Author           Approver                               Change
07/30/2021   1.0       Beth Albertson   ITS Standards & Guidelines Committee   Original Version