Vulnerability Management Standard

Purpose

Instruct systems, applications, and services administrators on the appropriate use of vulnerability scanning for all University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02).

Applies To

This Standard applies to all University owned computing and information resources.

Definitions

See ISO Standards - Glossary and Iconography for details.

Standard

  • University-owned systems SHALL be registered and configured by system, application, and service administrators in conjunction with the ISO to enable ongoing vulnerability management.
  • If a vulnerability has a significant impact, the ISO may instruct administrators to immediately patch the affected systems. Examples include a known exploited vulnerability or a vulnerability on a system holding high-risk classified data.
  • Identified vulnerabilities MUST be addressed in a timely manner, based on their Vulnerability Risk, within the following maximum timelines:
    • 15 days for Known Exploited Vulnerabilities (KEVs)
    • 30 days for critical-risk vulnerabilities (9.0-10.0)
    • 90 days for high-risk vulnerabilities (7.0-8.9)
    • 180 days for medium-risk vulnerabilities (4.0-6.9)
    • As time allows for low-risk vulnerabilities (0.1-3.9)
  • If a vulnerability is not addressed within the above timelines, network access for the vulnerable host may be removed until the vulnerability is addressed.

Classification Designations

Information System Classification

M - Mandatory; R - Recommended; NR - Not Required;

Environment                                                              | High Risk (Red) | Moderate Risk (Amber) | Low Risk (Green)
Servers                                                                  | M               | M                     | M
Workstations: laptops, desktops                                          | M               | M                     | M
Application Systems: web layer, middleware, database, etc.               | M               | M                     | M
Network Infrastructure Devices: routers, firewalls, switches, APs, etc.  | M               | M                     | M
Mobile Devices: tablets, smartphones, etc.                               | M               | M                     | M
Internet of Things (IoT) Systems                                         | M               | M                     | M

Requesting Exceptions

If the standard cannot be achieved by reasonable means, you can request an exemption by completing the Information Security Standard Exemption Request form. Be ready to provide details as to why the standard cannot be followed, the duration of the exemption requested, and the mitigating controls being put in place to meet the requirement.

Reporting Inappropriate Use of Access

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.

Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to the system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website.

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu. Additional information can also be found using the following resources:

Revision History

Version | Published  | Author                            | Description
1.0     | 08/09/2022 | Information Security Office (ISO) | Original publication
1.01    | 07/20/2023 | Information Security Office (ISO) | Added action for actively exploited vulnerabilities

Publication

Status: Standard
Published: 07/28/2023
Last Reviewed: 07/20/2023
Last Updated: 07/20/2023

Approvals

                                                                     | Date Discussed | Date Approved
Information Security and Privacy - Governance Sub-Committee (ISP-GC) | 09/21/2022     |
Chief Information Security Officer                                   |                |