Vulnerability Management Standard

Description

An important component of an information security program is to identify and remediate known system vulnerabilities. This Standard will define the scope and frequency of identification and remediation and is included in the NIST Risk Assessment control group.

Scope

All systems attached to Lehigh University networks or containing University data should be scanned for vulnerabilities and patched regularly.

Security Requirements

NIST 800-171 compliance requires Lehigh to perform the following:

  • Scan for vulnerabilities in the information system and hosted applications, and whenever new vulnerabilities potentially affecting the system/applications are identified and reported;

  • Employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

    1. Enumerating platforms, software flaws, and improper configurations;

    2. Formatting checklists and test procedures; and

    3. Measuring vulnerability impact;

  • Analyze vulnerability scan reports and results from security control assessments;

  • Remediate legitimate vulnerabilities in accordance with an organizational assessment of risk; and

  • Share information obtained from the vulnerability scanning process and security control assessments with system owners and stewards to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).     

PCI compliance requires Lehigh to perform the following:

  • Use reputable outside sources for vulnerability information (6.1)

  • Assign a risk ranking to vulnerabilities that includes identification of all "high" risk and "critical" vulnerabilities (6.1)

  • Patch critical vulnerabilities within 30 days (6.2)                      

HIPAA compliance requires Lehigh to perform the following:

  • ePHI environments will be scanned for vulnerabilities periodically (once per month), and identified vulnerabilities will be addressed according to this standard.

Implementation

  1. The Office of Information Security will provide a service to scan and provide a risk rating for vulnerabilities. The service will be managed by the Vulnerability Manager who will be responsible for operating the scanning system and will advise system owners on security. The scanning system will be SCAP compliant and allow for comparison of results to track time to remediate each discovered vulnerability.

  2. All system owners are responsible for ensuring their systems are scanned (credentialed or trusted) for vulnerabilities weekly and vulnerabilities are resolved within the appropriate time frame.

     • Information resources having security vulnerabilities identified as critical must be remediated within 30 days or they will be isolated from external access and removed from the network.

     • False positive results from the system will be documented within the vulnerability management system.

  3. Hardware or software which has reached the end of life (EOL) and is no longer receiving security patches from a vendor or community will be isolated from the network and/or data after 30 days.

  4. Vulnerability and network scanning of devices in the Lehigh environment may only be conducted by LTS or by a person authorized by the CISO. All unsanctioned scanning will be treated as a threat to the network and the Lehigh community.

  5. The CISO or designee may grant exceptions to the policy to avoid business interruptions, assuming mitigating controls can be put in place.

Related

NIST 800-171 Rev. 2 - NIST Special Publication (SP) 800-171 Rev. 2 (Withdrawn), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Definitions

SCAP Compliant - Security Content Automation Protocol (SCAP) is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.

System Owner - Responsible for an information system, including security. They will ensure the system is properly configured, receives regular security scans and appropriate patching is completed to remediate security vulnerabilities.

Vulnerability Manager - Responsible for the vulnerability scanning service. Supports system owners' efforts to scan and remediate security vulnerabilities.

Revision History

Date          Version  Description                        Approval
Nov 16, 2020  1.0      Original Document                  Draft
Nov 19, 2020  1.0      Modifications                      Ready for Review
Jan 8, 2021   1.0      CISO Approved                      Approved
Jan 18, 2023  1.1      Modified for HIPAA Compliance      Approved
Aug 30, 2024  1.2      Removed reference to CVSS score    Approved