104 Information Security Vulnerability Management
The following table shows who is responsible for ensuring compliance with the policy requirements listed below.
Requirement | All Users | System Owners | Data Stewards | System Custodians/Administrators | Senior Executives |
---|---|---|---|---|---|
Ensure that vendor-supplied patches are applied according to product advisories, releases, and risk assessments (p. 3). | ✔ | ✔ | | | |
Confirm and document that vendors have updated and patched the systems for which administrators are responsible (p. 3). | ✔ | | | | |
May elect to accept the residual risk posed by a vulnerability (p. 3). | ✔ | | | | |
Patch and update co-managed and shared-responsibility systems according to the shared responsibility agreement (p. 4). | ✔ | | | | |
Ensure that co-managed systems are patched and updated (p. 4). | ✔ | | | | |
Summary of Policy
The policy communicates core principles and objectives for vulnerability management, including planning, detection, mitigation, and patching. The policy includes information about the following topics:
- Vulnerability management planning
- Vulnerability detection and analysis
- Vulnerability remediation, mitigation, and acceptance
- Patch management for the following categories of systems: WashU-managed, vendor-maintained, co-managed and shared responsibility, and independently managed
- Regular, critical, and emergency patching
Full Text of Policy
Related Information
105 Information Security Risk Management
This policy describes how the Office of Information Security (OIS) helps manage technical and process risks to the Confidentiality, Integrity, and Availability (CIA) of information resources at Washington University in St. Louis (WashU).
114 Information Security Exceptions
This policy clearly communicates how the OIS handles exception requests when compliance with published policies and standards is not possible.
200 Information Security Classification, Labeling, and Handling
This standard defines classification categories and control zones for data, information, and systems at Washington University in St. Louis (WashU).
201 Information Security Logging and Event Monitoring
This standard describes logging practices for events occurring within networks and systems of Washington University in St. Louis (WashU).
204 Information Security Vulnerability Management
(DRAFT) This standard establishes a structured approach to identifying, assessing, prioritizing, and mitigating vulnerabilities within the IT infrastructure at Washington University in St. Louis (WashU).