IT-Standard 03

Date Drafted: 03/09/2021
Approved Date: 09/17/2021
Reviewed Date: 09/27/2023

Description

A set of requirements to ensure that vulnerabilities are remediated in a timely manner.

Thousands of devices are connected to the University of Iowa network.  These devices (workstations, laptops, tablets, phones, etc.) contain and/or have access to data that is required for regular business operations of the university.  Over time, vulnerabilities are identified within these systems.  These vulnerabilities must be addressed in a timely manner, in order to avoid disruption to university operations and to preserve the confidentiality, integrity and availability of data. 

The Information Security and Policy Office (ISPO) maintains various tools to scan for and identify vulnerabilities; support staff for the individual systems are responsible for taking steps to remediate these vulnerabilities.  From time to time, ISPO will also conduct penetration testing on certain systems; similar responsibilities for remediation apply to issues identified during penetration testing.

A formal vulnerability management process is required to protect data managed by the university, and to meet regulatory, contractual and legal requirements.  This standard defines the responsibilities of IT personnel in supporting the vulnerability management process.

Scope:

This standard applies to all institutionally owned, networked devices including, but not limited to, desktop, laptop and server computing devices.  In addition, non-institutionally owned devices are expected to have vulnerabilities remediated in an equivalent manner, whenever these devices are used for university business or connected to the university network.

Roles and Responsibilities:

  1. The Information Security and Policy Office (ISPO) will
    1. maintain a service to scan the network, on a periodic basis, for vulnerabilities on computing devices;
    2. send vulnerability reports to the individuals responsible for supporting these devices;
    3. manage the use of third parties to provide penetration testing services.
  2. Individuals responsible for supporting computing devices are expected to
    1. adhere to the remediation schedule defined below;
    2. mark false positives within the scanning console;
    3. submit an exception request if a vulnerability cannot be remediated within the required time frame.

Controls:

  1. Vulnerabilities are expected to be remediated within the following time frame.  Severity of the vulnerability will be defined within the report sent to support staff.  The time frame is calculated starting from the point at which the report is sent from ISPO to system support staff.
    1. Critical vulnerabilities: 30 days
    2. Severe vulnerabilities: 60 days
    3. All other vulnerabilities: 90 days
  2. In some cases, more urgent remediation may be required (e.g., active exploitation on the university network). ISPO will alert support staff and define a specific time frame for the resolution of these vulnerabilities. 
  3. Units that handle sensitive data (e.g., data regulated by HIPAA, PCI, etc.) may be required to remediate vulnerabilities on a more expedited schedule, as required by contract, regulation or law.  Support staff are required to be aware whether such requirements apply to their systems.
  4. If an exception request is granted by ISPO, there may be compensating controls specified as part of the exception process.  In most cases, exceptions will be granted for a limited time (i.e., not permanent).

Enforcement:

  1. Vulnerabilities that are not remediated within the time frame specified above, or which are actively being exploited, may cause a device to be isolated from the network.
  2. Repeated failure to remediate vulnerabilities within a timely manner may require additional engagement from ISPO, Network Engineering Services (NES) and other groups in order to determine the cause of non-compliance and to recommend appropriate steps.