Vulnerability Management Policy
1.0 Purpose
This policy establishes the vulnerability management program for Indiana Wesleyan University. As new vulnerabilities are discovered and potentially exploited by malicious individuals, Indiana Wesleyan University must ensure that its computing resources are remediated against those known vulnerabilities.
2.0 Scope
In compliance with Indiana Wesleyan University policies and procedures, this policy shall apply to all University-owned information technology resources including, but not limited to, workstations, laptops, servers, switches, routers, firewalls, network-based printers and copiers, and other network attached resources.
3.0 Policy
The following sub-sections detail the requirements and expectations of this policy:
3.1 Approved Tools
The information security officer will approve the tools permitted for scanning IWU-owned systems. Third-party vendors may use the tools of their choosing. Internet-facing hosts will be scanned by a Payment Card Industry (PCI) approved scanning vendor (ASV) in compliance with the current PCI Data Security Standards (DSS).
3.3 Vulnerability Scanning Schedule
IWU will conduct vulnerability scanning on a schedule no less than quarterly. The information security officer will set the schedule with input from teams that may be affected by the scanning and from Change Control, and will make the schedule available to the Change Control Group and the Remediation Team. Special arrangements may be made for ad hoc scans to verify that a vulnerability has been successfully remediated, or at the request of the information security officer, Change Control, or the endpoint owners.
3.3.1 Existing Hosts
Workstations and Laptops: A statistical sample will be selected and scanned quarterly.
Servers: All servers will be scanned monthly.
Infrastructure Equipment: All infrastructure equipment, such as switches, routers, and firewalls, will be scanned quarterly.
Miscellaneous Hosts: All other network-attached hosts, such as web cameras and printers, will be scanned quarterly.
3.3.2 New Hosts
New servers are to be reported to the Information Security Officer to be included in the monthly vulnerability scan process. All other hosts will be identified in a quarterly enumeration of the IWU network.
3.3.3 Internet-Facing Hosts
All Internet-facing hosts must be scanned at a minimum quarterly in compliance with the PCI DSS. The scanning must be conducted by an approved scanning vendor (ASV).
3.4 Remediation
3.4.1 Risk Level
Each vulnerability, outside of the normal patch management process, will be assigned a risk level of critical, high, medium, or low. Remediation of vulnerabilities will adhere to the following schedule:
| Risk Level | Remediation Schedule |
| --- | --- |
| Critical | 1 – 3 days |
| High | Within 1 week |
| Medium | 2 – 3 weeks |
| Low | 3 – 4 weeks |
3.4.2 Patch Management
Patching of all IWU-owned IT resources will be conducted in compliance with the IWU Patch Management Policy.
3.4.3 Remediation and Mitigation
Once an endpoint/host has been remediated, it must be scanned again for verification. If the problem is mitigated, but still shows up on scans, the mitigation must be documented for auditing purposes per 4.3 below.
4.0 Roles and Responsibilities
The following sub-sections assign appropriate responsibility to necessary individuals and groups:
4.1 Remediation Team
This team will meet on a monthly or emergency basis to determine the appropriate remediation effort for each vulnerability.
4.2 Information Security Officer (ISO)
The ISO will conduct the vulnerability scanning set forth in this policy, oversee the Remediation Team and its efforts, and review and approve any deviation from the recommended remediation actions.
4.3 Systems, Server, and Network Administrators
The administrators of the various IT resources must:
- Maintain an accurate inventory of all resources under his/her control
- Remediate or mitigate identified vulnerabilities in compliance with the Remediation Team's decisions
- Notify the ISO of any new servers brought online
- Produce required documentation for any mitigated or accepted risk caused by deviation from the recommended remediation actions
5.0 Exceptions
Exceptions to this policy must be documented by the resource owner and approved by the IWU Information Security Organization. All exceptions must be reviewed annually.
6.0 Enforcement
Any faculty or staff found to be in violation of this policy is subject to disciplinary action up to and including termination.
7.0 References
- Patch Management Policy
- Change Control Policy
8.0 History
| Date | Description of Change(s) | Author |
| --- | --- | --- |
| 2015-03-18 | Draft Policy | Bill Maki |
| 2015-03-24 | Policy approved | Gary Green |
| 2017-10-17 | Policy reviewed | Michael Madl |
9.0 Policy Information
Policy Number 400.01.10