
Policy Number: IT-04

Effective: 03/18/2015

Last Revised: 02/22/2022

Responsible Executive: Executive Vice President & CFO

Contact Information: 765-677-2605

Vulnerability Management Policy

I. Scope

This policy applies to all Indiana Wesleyan University-managed networks (on-premises and cloud), including all IWU-owned hardware and software.

II. Policy Statement

Vulnerabilities within data networks, software applications, and operating systems are a constant threat to the university.  Vulnerability management is a critical component of the university’s information security program and is essential to help reduce potential financial, reputational, and regulatory risks.  This policy establishes a framework for identifying, assessing, and remediating vulnerabilities on IWU-owned devices connected to the Indiana Wesleyan University network.

III. Reason for the Policy

The Information Security Office (ISO) is charged with protecting the University’s electronic information.  To do so, the ISO conducts regular scans of the entire enterprise looking for misconfigured or unsecured IWU owned systems.  The ISO then works with system owners to verify and remediate discovered vulnerabilities.

IV. Procedures

Baseline Expectations

All systems are expected to run currently supported operating systems that are patched and maintained regularly.  Individuals responsible for systems connected to the IWU network are expected to allocate or obtain the resources needed to remediate identified issues that are not otherwise addressed by the regular patching cadence.

Vulnerability Management Team

The CISO shall charter a Vulnerability Management Team, chaired by the CISO, led by the Security Administrator, and consisting of members as detailed by the VMT charter.  The members will lead in their respective areas and are accountable to the CISO, Deputy CIO, and CIO for all remediation activities.

The VMT will meet regularly to review and evaluate patch and vulnerability scan data, assign priorities to vulnerabilities and determine what remediation projects will be assigned and executed for the upcoming days/months.  Emergency VMT meetings or ad-hoc meetings with specific VMT members will take place as needed to deal with urgent threats.

The VMT leadership creates remediation projects in conjunction with IT leadership, reports on progress in remediating vulnerabilities, and escalates issues and risks relating to non-remediated vulnerabilities.  All vulnerability remediation will follow current IWU change control procedures.

Program Management and Roles

Vulnerability Management is a service component of the IWU ISO.  The Chief Information Security Officer (CISO) is the service owner and is responsible for the oversight of this program.  The CISO works in conjunction with the IWU Security Administrator to develop the scanning procedures and to hold regular meetings with the system owners.

The CIO is informed by the CISO as to the status of the vulnerability program and also has the final decision when a vulnerability remediation delay or risk acceptance request is submitted by a system owner. In addition, the CISO will inform and consult with the Deputy CIO on all submissions before the regular program cadence review with the CIO.

System and Application Administrators are responsible for in-depth assessment and timely application of vendor-supplied security patches and other remediation steps for systems under their management and supervision.  This includes responding to vulnerability alerts issued by vendors, the VMT, or the ISO and carrying out, within the timeframes set by this policy, the remediation or compensating controls described in those notifications.  Outside of vendor or ISO alerts, system and application administrators are expected to notify leadership when a system or application faces an emergency, critical, or high risk of a vulnerability being exploited, together with their plan to remediate that risk.  Additionally, system owners are responsible for keeping the inventory of assets under their responsibility accurate and up to date.

Vulnerability Scanning

Vulnerability management tools evaluate patch levels, in some cases apply patches, scan for configuration weaknesses and identify software vulnerabilities on electronic devices and the software applications running on them.  Common vulnerability management tools consist of patch management tools, vulnerability scanners, reporting, and validation tools.  Vulnerability scanning tools work by performing authenticated and unauthenticated checks.

Scanning tools produce the most accurate results when they perform authenticated checks directly on a system, logging in with credentials to inspect installed packages and configuration rather than inferring versions from network responses.  A service account with the appropriate privileges is needed for these checks to work effectively.  The Security Administrator shall supply documentation on how to configure the needed service account.

Unauthenticated scanning is typically conducted during the inventory, discovery, and assessment steps within the program lifecycle.

The ISO may occasionally perform tactical scanning of any IWU system or application to find vulnerabilities that pose an imminent threat.  When such scans are performed, every effort will be made to notify system owners in advance.  An email notification will be sent to the system owner or IWUIT email distribution list to advise the scope and timing of the scan.

The ISO also performs web application scanning as part of its ongoing security risk assessment.  The scanner detects specific web vulnerabilities such as SQL injection and cross-site scripting.  The scanner crawls the websites, checking for vulnerabilities across the host servers that support web applications.

The vulnerability scanning cadence and procedural information can be found in the Vulnerability Management KB.

Cloud-Based Systems and Applications

The ISO will work with any third-party hosting company either to obtain regular scanning reports for IWU-hosted data or to conduct scanning with IWU vulnerability scanning applications, so that hosted systems are kept up to date consistently.

Compliance and Responsibilities

If patches or mitigating controls cannot be deployed within the remediation timeframe, the responsible system owner/administrator must submit a Vulnerability Risk Acceptance Form requesting a deferment, as defined in the Vulnerability Management Process and Procedures KB.  The CISO and CIO will then review the form and determine whether the deferment is acceptable.

Only the CIO, upon advisement of the CISO, can evaluate any risk acceptance request and determine if the request is permitted or to determine if other actions are needed to address the risk.

Prioritization of Remediation

The IWU scanning tool prioritizes vulnerabilities using a proprietary threat rating system called the vulnerability priority rating (VPR).  The criticality of a vulnerability is determined by two components: technical impact and threat.

Technical impact measures the effect on confidentiality, integrity, and availability following exploitation of a vulnerability; it is equivalent to the CVSSv3 impact subscore.  The threat component reflects both recent and potential future threat activity against the vulnerability.

The VPR score is considered alongside the internal IWU system rating for each system and application.  The IWU system rating is determined by several factors: the data held within the system or application, whether the system is public-facing, and the criticality of the system to the day-to-day operations of the university.

Once both the VPR and the IWU system rating have been compiled, a final analysis is provided to the VMT as the IWUR (IWU risk) score, which is used for prioritization.

Scanning Frequency and Remediation

A risk-based analysis of the security of information systems should guide the frequency and comprehensiveness of vulnerability scans.  Scanning frequency details can be found in the Vulnerability Scanning and Remediation Procedures KB article.

The remediation clock begins once a vulnerability has been detected, analyzed, and communicated to the VMT and a fix or compensating control is available.

All critical and high-severity vulnerabilities must be remediated within the defined timeframe, which is typically shorter than the window for lower-severity findings.  Vulnerabilities of lower severity or risk can be resolved based on staff availability but must not exceed the maximum allowable remediation window.  The detailed remediation timeframes can be found in the Vulnerability Management KB.

Exemptions from the Scanning Process

Vulnerability management scanning is an essential practice for a secure organization and the goal is to have 100% participation.  If participation creates issues for a system, the system owner shall work directly with the ISO and/or the VMT to review possible options.  Those options might include disabling a specific vulnerability check that may be causing an issue.  An approach that solves the specific problem will be preferred over a general exemption as more general exemptions may cause critical vulnerabilities to be missed.

Exemptions from vulnerability scanning for an entire system will be granted only after a Vulnerability Risk Acceptance Form has been signed off by the system owner’s director and submitted to the CISO for review and approval by the CIO.

Note: Private network and/or departmental or host-based firewall rules are generally not considered sufficient compensating controls because these rules can be disabled and/or removed for troubleshooting purposes which would leave these systems open to attack.

V. Definitions

Change Control: The systematic approach to managing all changes made to a system or application.  The purpose is to ensure that no unnecessary changes are made, all changes are documented, services are not unnecessarily disrupted, and resources are used efficiently.  Change Control is a component of change management.

CIO: Chief Information Officer – Leads the IT organization.

CISO: Chief Information Security Officer – Leads the information security program.

Compensating control: A mechanism put in place to satisfy the requirement for a security measure that is deemed too difficult or impractical to implement at present.

Deputy CIO: Deputy Chief Information Officer – Oversees all IWU IT team operations.

ISO: Information Security Office

Managed networks: Any network that contains IWU production systems.  This includes wired and wireless systems and applications.  Networks or subnets that carry student traffic or student devices are out of scope.

System Owner: An individual, typically an IT technical administrator, who is ultimately responsible for the asset, its associated risk, and the liability if that asset becomes compromised.  This individual or group drives the remediation of any system or application risk.

Vulnerability: A flaw or weakness in a system or application security procedure, design, implementation, or internal control that could be leveraged or exploited to cause a security breach or a violation of the system’s security policy.

Vulnerability Management: The practice of identifying, classifying, remediating, and mitigating vulnerabilities.

VMT: Vulnerability Management Team

VI. Sanctions

Violation of this policy may result in disciplinary action by the IWU Deputy CIO and/or CIO.  In addition, non-compliance may lead to the disconnection of a critical or highly vulnerable system if the appropriate remediation is not achieved within the timeline set out in the vulnerability remediation procedures.