General Description
Purpose:
This policy provides a consistent outline throughout the organization of the technology and procedures necessary for implementing a comprehensive, and integrated vulnerability management program to discover, assess, prioritize and remediate technical vulnerabilities affecting Trinity University systems, including but not limited to operating systems, applications, databases, web technologies, cloud resources, desktop software, mobile devices, network devices and hardware, to maintain appropriate levels of security.
This policy is complemented with the Trinity University Vulnerability and Patch Management Plan, which contains detailed implementation procedures of policy and controls stated in the current document.
Scope:
This vulnerability management policy applies to all systems, people and processes that constitute Trinity University’s (TU) information systems, including staff, executives, faculty, and third parties with access to TU’s information technology assets and called hereinafter as TU Workforce.
Exceptions:
Policy Content
This plan must detail Trinity's vulnerability and patch management program, including the implementation of mechanisms to timely obtain information about technical vulnerabilities of information systems, the evaluation of the organization’s exposure to such vulnerabilities and the implementation of appropriate safeguards to address the associated risk.
The plan must include supporting activities such as training and reporting metrics for effective implementation of the vulnerability and patch management program.
The plan must include roles and responsibilities of teams/roles for accomplishing all the activities of the vulnerability management program in a timely and effective manner.
ITS must create a system inventory of IT resources in scope for the vulnerability management program to determine which brand, model and version of hardware equipment, operating systems, database, system, web server and software applications are used within the organization.
System inventory must be updated on an annual basis or whenever changes occur to IT resources to ensure that all the IT resources are covered in Trinity’s vulnerability management program.
ITS must establish procedures to obtain copies of the software updates electronically when they are issued by the vendor.
ITS must utilize authorized resources such as system vendor websites, third-party mailing lists and newsgroups, vulnerability management databases, and different tools for tracking the latest vulnerabilities.
The monthly vulnerability scans may be carried out in-house or by an external company or a combination of both. Those vulnerability scans should cover all the internal and external facing assets on the production network.
The annual penetration test must be commissioned as required, using external qualified specialists as part of a carefully planned exercise, The plan must address the scope of the assessment, the methods to use, and the operational requirements, in order to provide the most accurate and relevant information about current vulnerabilities, without affecting the operation of the organization.
ITS must prioritize the order and scheduling in which the organization addresses vulnerability remediation.
The criticality of the systems being updated.
The expected time taken to install the updates (and requirements for service outages to users).
Trinity must evaluate and assign a rating to each vulnerability as critical, high, medium, low, informational, or trivial.
Coordination of the updating of related components of the infrastructure.
Dependencies between updates.
| Vulnerability Risk Rating | Service Levels |
| Critical | Less than 3 days |
| High | Less than 7 days |
| Medium | 90 days |
| Low | 180 days |
All the exceptions to this rule must be approved by authorized personnel, based on the risk acceptance process.
An updated release plan must be created and maintained to keep track of when various systems will be updated, taking into account the factors listed above. The plan must be managed through the change management process.
The database must include vulnerability information, vulnerability analysis for prioritization, and vulnerability remediation plan.
All the remediations must be tested before deploying the changes to Trinity systems. Failed remediations must be further examined for resolution.
All the vulnerabilities and respective remediation information must be informed to all the affected users, including system administrators, system owners, and end users.
Only successfully tested vulnerability remediations must be deployed into production. Vulnerability remediation activities typically include security patch installation, configuration adjustment and/or software removal.
Where security patch installations and configuration changes are recommended to mitigate the vulnerabilities, these must be sent through the organization change management process so that appropriate controls are in place for testing, risks assessment and backout.
ITS must verify systems for vulnerability remediations.
Successful remediation of vulnerabilities must be tested through network and host vulnerability scanning, checking patch logs, penetration tests, and verifying configuration settings.
For cloud services, the responsibilities of the cloud service provider (CSP) and ITS as the cloud service customer, must be defined and agreed upon. This may involve the CSP being responsible for vulnerability assessment and patching for some or all aspects of the service, depending on the cloud service model adopted (e.g. IaaS, PaaS or SaaS or similar service definitions).
ITS must ensure third parties comply with the requirements of our vulnerability management policy. Whenever possible, vulnerability management responsibilities are included in contracts with third parties.
ITS must implement a training program for all participating team members on how to apply vulnerability remediations and best practices for effectively implementing the vulnerability management program, based on their roles in this process.
ITS must consistently measure the effectiveness of its vulnerability and patch management program utilizing ‘vulnerability and patch management metrics’ and apply corrective actions as necessary.
On a monthly basis, these security metrics must be presented to the Information Security Governance Committee.
Performance Evaluation
Consequences of Policy Violation:
Trinity University cooperates with appropriate law enforcement entities if any user may have violated federal or state law. Instances of failure to adhere to this policy will be brought to the attention of the Chief Information Officer (CIO). The CIO may seek consultation/advice from Human Resources.
Terms & Definitions
Terms and Definitions:
|
Term: |
Definition: |
|---|---|
| Application |
|
| Configuration Adjustment | The act of changing an application’s setup. Common configuration adjustments include disabling services, modifying privileges, and changing firewall rules. |
| Host | A computer or IT device (e.g., router, switch, gateway, firewall). Host is synonymous with the less formal definition of system. |
| Operating System | The master control program that runs a computer. |
| Patch | An additional piece of code developed to address a problem in an existing piece of software. |
| Remediation | The act of correcting a vulnerability or eliminating a threat. Three possible types of remediation are installing a patch, adjusting configuration settings, and uninstalling a software application. |
| Remediation Plan | A plan to perform the remediation of one or more threats or vulnerabilities facing an organization’s systems. The plan typically includes options to remove threats and vulnerabilities and priorities for performing the remediation. |
| Risk |
|
| System | A set of IT assets, processes, applications, and related resources that are under the same direct management and budgetary control; have the same function or mission objective; have essentially the same security needs; and reside in the same general operating environment. When not used in this formal sense, the term is synonymous with the term "host". The context surrounding this word should make the definition clear or else should specify which definition is being used. |
| System Administrator | A person who manages the technical aspects of a system. |
| System Owner | Individual with managerial, operational, technical, and often budgetary responsibility for all aspects of an information technology system. |
| Threat | Any circumstance or event, deliberate or unintentional, with the potential for causing harm to a system. |
| Vulnerability | A vulnerability is commonly defined as “an inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.” |
Related Documents
Related Content:
- NIST Special Publication 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program: https://csrc.nist.gov/publications/detail/sp/800-40/version-20/archive/2005-11-16.
- Vulnerability and Patch Management Plan: Link to Vulnerability and Patch Management Plan.
Revision Management
Revision History Log:
|
Revision #: |
Date: |
Recorded By: |
|---|---|---|
| v2.0 | 4/27/2022 11:29 AM | Ben Lim |
| v3 | 1/27/2022 1:18 PM | Dan Carson |
| v2.0 | 8/21/2020 8:02 AM | Holly Warfel |
| v1.0 | 1/14/2020 2:46 PM | Courtney Cunningham |
Vice President Approval:
|
Name: |
Title: |
|---|---|
| Ben Lim | Chief Information Officer |