Vulnerability Management

Standard number: DS-21
Date issued: 3/5/18
Date last reviewed: 3/5/18
Version: 1.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance

This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.

I. Overview

Vulnerabilities within networks, software applications, and operating systems are an ever present threat, whether due to server or software misconfigurations, improper file settings, or outdated software versions. Vulnerability management is a critical component of the university’s information security program, and is essential to help reduce its potential financial, reputational and regulatory risks. This Standard establishes a framework for identifying, assessing, and remediating vulnerabilities on devices connected to University of Michigan networks.

Vulnerability scanning is limited to reviewing IT system and application configuration, and does not open or review content found in email or digital documents.

Federal or state regulations, industry standards such as PCI-DSS, or contractual agreements may require additional actions that exceed those included in this Standard.

II. Scope

This Standard applies to the Ann Arbor, Dearborn, and Flint campuses, including all units, schools, colleges, and institutes, and Michigan Medicine.

This Standard applies to all University of Michigan-owned and managed networks (public and private), including but not limited to computer workstations and servers, network switches and routers, networked printers, scanners, copiers, digital telecommunications, and personally owned devices.

III. Roles and Responsibilities

University Chief Information Security Officer (CISO)

The CISO is authorized by the university’s executive officers to take action, as needed, to ensure that unremediated systems or applications do not pose a threat to U-M information resources. When a critical vulnerability is not remediated within a required timeframe or is improperly remediated, the CISO may temporarily block the system or application from the network until such time as the remediation is effectively completed.

Information Assurance (IA)

IA conducts routine enterprise-wide scans of devices connected to U-M networks for the purpose of identifying and assessing system and application vulnerabilities on those devices. IA staff provide assistance in interpreting scan results, reporting false positives, and troubleshooting scan issues. IA also issues alerts and advisories about known vulnerabilities and recommended remediation based on information received from vendors, reliable websites, MS-ISAC, U.S. CERT, and other trusted information security sources.

Unit IT Staff

Unit IT staff are responsible for coordinating the vulnerability management program for their area. This may include the implementation of a unit-specific vulnerability scanning system, in addition to the enterprise scanning described above, and the imposition of stricter standards for unit systems than required here. It is the responsibility of unit IT staff to opt in to IA’s monthly scanning service.

System and Application Administrators

System and application administrators are responsible for assessment and timely application of vendor-supplied security patches and other remediation for systems under their management and supervision. This includes monitoring vulnerabilities identified in IA-issued advisories or alerts, and carrying out timely remediation contained in such alerts. Staff are also responsible to communicate to unit leadership if unit based systems and applications are at a high or critical risk of a vulnerability being exploited along with plans for remediation to address the risk.

V. Standard

Vulnerability scanning is an automated task that identifies software vulnerabilities, missing system patches, and improper configurations. Regular vulnerability scanning along with the timely and consistent application of vendor-supplied security patches or other mitigation of a reported vulnerability are critical components in protecting the U-M network, systems, and data from damage or loss, as well as meeting regulatory and compliance requirements.

Vulnerability assessment provides visibility into the vulnerability of systems and hosted applications deployed on the U-M network. Used effectively, vulnerability management helps to ensure that software, settings, and security configurations are kept up-to-date. Further, systemic weaknesses or deficiencies can be detected by patterns or trends identified in scans of the campus network.

Vulnerability Scanning Frequency

Systemic weaknesses or deficiencies in systems or applications can be detected by patterns or trends identified in scans of the campus network. A risk-based analysis of security of information systems should guide the frequency and comprehensiveness of vulnerability scans.

  • Quarterly Scanning: IA performs routine quarterly vulnerability assessment scans on the entire network IP address space registered to U-M; U-M units can request that IA conduct more frequent scans.
  • Monthly Scanning Requirements: All systems, databases, or applications that create, maintain, process, transmit, or store Restricted or High data must be scanned on a monthly basis.

Vulnerability Prioritization

Remediation and mitigation should be prioritized based on the degree of associated severity and the impact on the confidentiality, integrity, or availability of the vulnerable system. Vulnerability severity is determined by the rating provided by NIST’s Common Vulnerability Scoring system (CVSS). All validated high (7-8.9 on CVSS scale) and critical (9-10) vulnerabilities should be remediated as defined in the “Remediation Timeframes” section below.

Remediation Timeframes

Critical and high vulnerabilities must be resolved within the timelines listed in the table below.

Vulnerabilities with less severity can be resolved based on availability of staff resources to address them.

  • Action Plan By is the time from receipt of the scan report to identify a planned resolution.
  • Resolved By is the time from the receipt of the scan report to implementation of the remediation.
Priority Level Action Plan By Resolved By
Critical (CVSS 9-10) 2 weeks 1 month
High (CVSS 7-8.9) 1 month 3 months

Note: In cases where IA has issued a specific alert for a critical vulnerability, requirements within the alert supersede those in the table.

Remediation Expectations

After a vulnerability is detected, and a fix is available, the timeline for remediation begins. Vulnerabilities that potentially put Restricted or High data or mission critical systems at risk have the shortest timeframe for implementing recommended mitigation. Detected vulnerabilities are to be remediated in accordance with the timeframes described in this Standard unless an exception from IA has been reviewed and approved.

Development of a Corrective Action Plan

Corrective action plans should:

  • Validate that the vulnerability is properly identified and prioritized;
  • Action-oriented descriptions of the steps that will be taken to mitigate the vulnerability;
  • Ensure that appropriate resources are or will be available to resolve the vulnerability;
  • Identify milestones necessary to fully address and resolve the vulnerability;
  • Ensure that the schedule for resolving the vulnerability is achievable.

Cloud and Third Party Vendor Applications

This Standard applies to cloud or third party vendor applications. Third party vendors that work with sensitive university data have satisfactorily met the data security provisions of Procurement General Policies and Procedures (SPG 507.01).

Identified third party vulnerabilities with a CVSS score of 7+ must remediate in accordance with the above listed timeframes. This Standard does not cover cloud or third party vendor applications not under the direct control of U-M that function outside of the university networks.

VI. Violations and Sanctions

Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.

Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.

Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.

VII. Implementation

Information Assurance is responsible for the implementation, maintenance, and interpretation of this Standard.

VIII. References

IX. Related NIST Security Controls