Vulnerability Management

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Senior Associate Vice President (AVP) and Chief Information Officer (CIO) / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

March 28, 2022

Authority:

Configuration Management (ISO Domain 12: Operations Security Policy)

CSU Information Security Policy and Standards

ISO Domain 14: System Acquisition, Development and Maintenance Policy

Change Control (ISO Domain 12: Operations Security Policy)

ISO Domain 12: Operations Security Policy

ISO Domain 6: Organization of Information Security

Objective:

This Policy defines requirements and provisions governing the identification and remediation of vulnerabilities before they can be exploited. 

Definitions

Authenticated Scan:  A type of scan that requires appropriate credentials to authenticate to a machine to determine the presence of a vulnerability.

Business Owner:  An individual in a business unit that is responsible for making business decisions about a  third-party technology product and/or a cloud service, can handle communications to users and the vendor, and represents the “end users” of the business software/application. 

Threat: Person or agent that can cause harm to an organization or its resources. The agent may include other individuals or software (e.g. worms, viruses) acting on behalf of the original attacker.

Vulnerability: A flaw within an environment which can be exploited by a threat.

Statement:

Threats and vulnerabilities provide the primary inputs to SF State’s information security risk assessment process.  Vulnerability management requires constant monitoring, identification, and remediation in order to be effective. 

Purpose and Scope

Vulnerability and threat management activities include, but are not limited to, the following:

  • Strategic placement of scanning tools to continuously assess all information technology assets
  • Implementation of appropriate scan schedules and types (authenticated scan) based on asset criticality
  • Communication of vulnerability information to system owners or other individuals responsible for remediating vulnerabilities
  • Dissemination of timely threat advisories to system owners or other individuals responsible for remediating vulnerabilities
  • Consultation with system owners on mitigation strategies
  • Implementation of mitigation measures

SF State has established a Vulnerability Management Standard that provides guidance and required operating procedures for addressing vulnerabilities in a consistent and timely manner. 

In addition, patches shall be kept current in accordance with the SF State Patch Management Policy.

Implementation

The SF State Information Security Office (ISO) is responsible for overseeing the dissemination of threat alerts and vulnerability advisories to system/asset owners, campus stakeholders and interested parties. 

The ISO is tasked with maintaining the Vulnerability Management Standard and managing the enterprise scanning tool. 

Vendors are not permitted to conduct scans of university information systems without the express permission of the SF State ISO and the oversight/involvement of appropriate university staff designated by the affected unit.  At no time shall a computing device/system administrator ever conduct a scan on the public network or Internet unless such activity is authorized based on a contractual relationship.  Authorization must be in writing and approved by the ISO. 

Networked computing devices that appear to be causing disruptive behavior on the network may be scanned by the ISO using nonintrusive methods to investigate the source of the disruption. The ISO reserves the right to independently audit vulnerabilities of any campus asset at will or at the request of management. These audits will review existing scanning data if available and verify the status of vulnerabilities and mitigations.  If no scan data is available, the ISO may run a scan against the asset(s) in accordance with the Vulnerability Management Standard.

System/asset owners are responsible for determining the potential impact of a vulnerability and implementing mitigation measures in accordance with the Vulnerability Management Standard.  In the case of a third-party technology product and/or a cloud service, the SF State business owner is responsible for contacting the vendor to understand the risk, potential impact, and ensure vulnerabilities are mitigated.

Non-Compliance

Non-compliance with applicable policies and/or practices may result in suspension of procurement, network and systems access privileges. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.

References

Configuration change and patch management implementation guidelines
CSU Configuration Management Information Security Policy
CSU Change Control Information Security Policy
SF State Vulnerability Management Standard