Information Security Office Menu

Vulnerability Management Standard

Purpose

Instruct systems, applications, and services administrators on the appropriate use of vulnerability scanning for all University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy ( IV.06.02 ).

Applies To

This Standard applies to all University owned computing and information resources.

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

• University owned systems SHALL be registered and configured by system, application, and service administrators in conjunction with the ISO to enable ongoing vulnerability management.
• If a vulnerability has a significant impact, the ISO may instruct administrators to immediately patch the affected systems. Examples include a known exploited vulnerability or a vulnerability on a system with high-risk classified data.
• Vulnerabilities identified MUST be addressed in a timely manner, based on their Vulnerability Risk, not to exceed:
  • 15 Days for Known Exploited Vulnerabilities (KEVs)
  • 30 days for critical risk vulnerabilities (9.0 -10.0)
  • 90 days for high-risk vulnerabilities (7.0 -8.9)
  • 180 days for medium risk vulnerabilities (4.0 -6.9)
  • As time allows for low-risk vulnerabilities (0.1 -3.9)
• If a vulnerability is not addressed within the above timelines, network access to a vulnerable host may be removed until the vulnerability is addressed.

Classifications Designations

Requesting Exceptions

In the event the standard cannot be achieved by reasonable means, you can request an exemption by completing the Information Security Standard Exemption Request form . Be ready to provide details as to why the standard cannot be followed, the duration of the exemption request and mitigating controls being put in place to meet the requirement.

Reporting Inappropriate Use of Access

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here .

Violations of this standard could include, failing to register the system with the vulnerability scanning service, not allowing root or administrator access to system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website .

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu infosec@uoregon.edu.Additional information can also be found using the following resources:

• University Information Security Program Policy
  • https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program
• University Acceptable Use Policy
  • https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997
  • https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999
• University Information Asset Classification & Management Policy
  • https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset
• Data Security Classification Table
  • https://infosec.uoregon.edu/data-security-classification-table
• Vulnerability Scanning Service Overview (must be logged into TDX to view):
  • https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=120397
• Vulnerability Scanning FAQ (Frequently Asked Questions) (must be logged into TDX to view):
• https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=120800

Revision History