Vulnerability Management

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Thursday, August 21, 2024

Authority:

Configuration Management (ISO Domain 12: Operations Security Policy)

ISO Domain 14: System Acquisition, Development and Maintenance Policy

Change Control (ISO Domain 12: Operations Security Policy)

ISO Domain 12: Operations Security Policy

ISO Domain 6: Organization of Information Security

Objective:

This Policy defines requirements and provisions governing the identification and remediation of vulnerabilities. 

Definitions

Authenticated Scan:  A scan that leverages valid credentials to access a machine and thereby gain a more comprehensive assessment of the system's vulnerabilities.

Business Owner:  An individual in a business unit who is responsible for making business decisions about a third-party technology product and/or a cloud service, can handle communications to users and the vendor, and represents the “end users” of the business software/application. 

Threat: An entity that could negatively impact the confidentiality, integrity, or availability of an organization's information assets.

Vulnerability: A flaw within an environment which can be exploited by a threat.

Statement:

Vulnerability management requires ongoing monitoring, identification, and remediation in order to be effective. 

Purpose and Scope

Vulnerability and threat management activities include, but are not limited to, the following:

  • Strategic placement of scanning tools to continuously assess information technology assets
  • Implementation of appropriate scan schedules and types (e.g., authenticated scans) based on asset criticality
  • Communication of vulnerability information to system owners or other individuals responsible for remediating vulnerabilities
  • Dissemination of timely threat advisories to system owners or other individuals responsible for remediating vulnerabilities
  • Consultation with system owners on mitigation strategies
  • Implementation of mitigation measures

SFSU has established a Vulnerability Management Standard that provides guidance and required operating procedures for addressing vulnerabilities in a consistent and timely manner. 

In addition, patches shall be kept current in accordance with the SFSU Patch Management Policy.

Implementation

The SFSU Information Security Office (ISO) is responsible for overseeing the dissemination of threat alerts and vulnerability advisories to system/asset owners, campus stakeholders and interested parties. 

The ISO is tasked with maintaining the Vulnerability Management Standard and managing the enterprise scanning tool. 

Vendors are not permitted to conduct scans of university information systems without the express permission of the SFSU ISO and the oversight/involvement of appropriate university staff designated by the affected unit.  At no time shall a campus system conduct a scan on the public network or Internet unless such activity is authorized based on a contractual relationship.  Authorization must be in writing and approved by the ISO. 

Networked computing devices that appear to be causing disruptive behavior on the network may be scanned by the ISO using non-intrusive methods to investigate the source of the disruption. The ISO reserves the right to independently audit vulnerabilities of any campus asset at will or at the request of management. These audits will review existing scanning data, if available, and verify the status of vulnerabilities and mitigations.  If no scan data is available, the ISO may run a scan against the asset(s) in accordance with the Vulnerability Management Standard.

System/asset owners are responsible for determining the potential impact of a vulnerability and implementing mitigation measures in accordance with the Vulnerability Management Standard.  In the case of a third-party technology product and/or a cloud service, the SF State business owner is responsible for contacting the vendor to understand the risk and potential impact and to ensure that vulnerabilities are mitigated.

Non-Compliance

Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.