Vulnerability Management Policy

1.0       Purpose

 

This policy establishes the vulnerability management program for Indiana Wesleyan University.  As new vulnerabilities are discovered and potentially exploited by malicious individuals, Indiana Wesleyan University must ensure that its computing resources are remediated against those known vulnerabilities.

 

2.0       Scope

In compliance with Indiana Wesleyan University policies and procedures, this policy shall apply to all University-owned information technology resources including, but not limited to, workstations, laptops, servers, switches, routers, firewalls, network-based printers and copiers, and other network attached resources.

 

3.0       Policy

The following sub-sections detail the requirements and expectations of this policy:

 

3.1       Approved Tools

The information security officer will approve the tools permitted for scanning IWU-owned systems.  Third-party vendors may use the tools of their choosing.  Internet-facing hosts will be scanned by a Payment Card Industry (PCI) Approved Scanning Vendor (ASV) in compliance with the current PCI Data Security Standard (DSS).

 

3.3       Vulnerability Scanning Schedule

IWU will conduct vulnerability scanning on a schedule no less frequent than quarterly. The information security officer will set the schedule with input from the teams that may be affected by the scanning and from Change Control, and will make the schedule available to the Change Control Group and the Remediation Team. Ad hoc scans may be arranged to verify that a vulnerability has been successfully remediated, or at the request of the information security officer, Change Control, or the endpoint owners.

 

3.3.1    Existing Hosts

Workstations and Laptops:  A statistical sample will be selected and scanned quarterly.

Servers:  All servers will be scanned monthly.

Infrastructure Equipment:  All infrastructure equipment, such as switches, routers, and firewalls, will be scanned quarterly.

Miscellaneous Hosts:  All other network-attached hosts, such as web cameras and printers, will be scanned quarterly.

 

3.3.2    New Hosts

New servers are to be reported to the Information Security Officer so that they are included in the monthly vulnerability scan process.  All other hosts will be identified in a quarterly enumeration of the IWU network.

 

3.3.3    Internet-Facing Hosts

All Internet-facing hosts must be scanned at least quarterly in compliance with the PCI DSS.  The scanning must be conducted by an Approved Scanning Vendor (ASV).

 

3.4       Remediation

3.4.1    Risk Level

Each vulnerability that is not addressed through the normal patch management process will be assigned a risk level of critical, high, medium, or low.  Remediation of vulnerabilities will adhere to the following schedule:

Risk Level    Remediation Schedule
Critical      1 – 3 days
High          Within 1 week
Medium        2 – 3 weeks
Low           3 – 4 weeks

3.4.2    Patch Management

Patching of all IWU-owned IT resources will be conducted in compliance with the IWU Patch Management Policy.

 

3.4.3    Remediation and Mitigation

Once an endpoint/host has been remediated, it must be scanned again to verify the remediation. If a vulnerability has been mitigated rather than remediated and still appears on scans, the mitigation must be documented for auditing purposes per 4.3 below.

 

4.0       Roles and Responsibilities

The following sub-sections assign appropriate responsibility to necessary individuals and groups:

 

4.1       Remediation Team

This team will meet monthly, or on an emergency basis as needed, to determine the appropriate remediation effort for each vulnerability.

 

4.2       Information Security Officer (ISO)

The ISO will conduct the vulnerability scanning set forth in this policy, oversee the Remediation Team and its efforts, and review and approve any deviation from the recommended remediation actions.

 

4.3       Systems, Server, and Network Administrators

The administrators of the various IT resources must:

  • Maintain an accurate inventory of all resources under their control
  • Remediate or mitigate identified vulnerabilities in accordance with the Remediation Team's determinations
  • Notify the ISO of any new servers brought online
  • Produce the required documentation for any mitigated or accepted risk arising from deviation from the recommended remediation actions

 

5.0       Exceptions

Exceptions to this policy must be documented by the resource owner and approved by the IWU Information Security Organization.  All exceptions must be reviewed annually.

 

6.0       Enforcement

Any faculty or staff found to be in violation of this policy is subject to disciplinary action up to and including termination.

 

7.0       References

  • Patch Management Policy
  • Change Control Policy

 

8.0       History

Date          Description of Change(s)    Author
2015-03-18    Draft Policy                Bill Maki
2015-03-24    Policy approved             Gary Green

9.0     Policy Information

Policy Number 400.01.10

Last modified: 13:43, 30 Mar 2015