Policy 104 Information Security Vulnerability Management 

Purpose

Information security vulnerability management supports the mission of Washington University in St. Louis (WashU) by addressing security weaknesses that could compromise the Confidentiality, Integrity, and Availability (CIA) of organizational information resources.  This policy communicates the core principles and objectives for information security vulnerability management, including planning, detection, mitigation, and patching.

Applicability and Audience

This policy applies to all information resources that are owned, leased, contracted, or operated by the University, including hardware, software, systems, and data. 

This policy affects WashU community members with administrator or elevated permissions for applications, websites, devices, systems, and/or infrastructure. 

All members of the WashU Community should be aware of this policy, including faculty, staff, students, and any agent engaged for contracted services to the university with access to WashU information, systems, and networks. This includes, but is not limited to, partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.

Information Security Roles and Responsibilities (100.01)

Policy

104.00 Introduction 

A security vulnerability is an attribute of an information system that a threat actor can exploit to compromise that system. Unmitigated vulnerabilities put WashU at risk of security events and incidents. Vulnerability management refers to the process of identifying, documenting, analyzing, prioritizing, and managing vulnerabilities in the operating environment to reduce these risks. 

104.01 Vulnerability Management Planning 

The OIS will create and maintain a vulnerability management plan that describes processes and procedures for identifying, documenting, analyzing, prioritizing, and managing vulnerabilities, via remediation or mitigation, before they can be exploited. The vulnerability management plan will include processes for 1) searching for vulnerabilities, 2) receiving, analyzing, and responding to vulnerability information from internal and external sources, and 3) proactively responding to cyberthreat intelligence. Refer to the Vulnerability Management Process and Procedure for additional details.  

Roles and responsibilities for vulnerability detection are defined in Standard 204: Information Security Vulnerability Management to ensure accountability. Personnel with detection responsibilities will receive appropriate training for their roles.  

104.02 Vulnerability Detection and Analysis  

The OIS will periodically test WashU’s security posture by scanning information systems owned and managed by WashU using vulnerability detection tools. The frequency of scans is based upon the classification of systems and the risks associated with unmitigated threats and vulnerabilities. Detection activities will comply with all applicable requirements. See Standard 200: Information Security Classification, Labeling, and Handling for additional information about system classification.  

Scan results will be validated, recorded, and analyzed. Vulnerability analysis will focus on determining how the detected vulnerabilities may impact WashU, the likelihood that the vulnerability will be exploited, and the resulting risk to the organization.  

Detection and remediation methods will be tested, reviewed, and continuously improved, incorporating lessons learned and knowledge received from internal and external information-sharing sources.  

104.03 Vulnerability Remediation, Mitigation, and Acceptance 

The OIS will analyze vulnerabilities to determine the impact of exposure, the root cause of the vulnerability, and potential actions for remediation or mitigation. All identified vulnerabilities must be remediated, mitigated, or documented as accepted risks. Refer to Standard 204: Information Security Vulnerability Management for additional information. 

Remediation takes the form of patches or fixes that remove the vulnerability from the system. If a patch is not available, or cannot be applied for business reasons, a vulnerability may be mitigated by configuring one or more compensating controls that reduce the associated risk. If patching and compensating controls do not completely or mostly eliminate the vulnerability's risk, the residual risk may be accepted only by senior executives with fiduciary duty, fiscal responsibility, and a level of authority proportionate to the degree of risk; no one else may accept a risk on behalf of WashU. Refer to Policy 105: Information Security Risk Management and Standard 205: Information Security Risk Management for additional information.  

Refer to Standard 204: Information Security Vulnerability Management for additional information about the timelines for vulnerability remediation and mitigation. 

104.04 Patch Management

Regular Patching

All WashU systems will have up-to-date operating system security patches installed to protect information resources from known vulnerabilities.  

System Custodians/System Administrators will ensure that vendor-supplied patches are applied according to product advisories, releases, and risk assessments. 

Refer to Standard 204: Information Security Vulnerability Management for additional information about patching requirements and documentation.  

Patching WashU-Managed Systems

Patches for WashU-managed systems will be tested and installed according to Standard 204: Information Security Vulnerability Management.  

Patching Vendor-Maintained Systems

System Custodians/System Administrators will confirm and document that vendors have updated and patched the systems for which administrators are responsible.  

Patching Co-managed and Shared-Responsibility Systems

In some cases, responsibility for managing/patching systems is shared between WashU Data Users and departments, Shared Infrastructure, or with a cloud vendor. System Custodians/System Administrators are responsible for patches and updates on co-managed and shared-responsibility systems according to the shared responsibility agreement. Data Stewards are responsible for ensuring these systems are patched and updated.  

Patching Independently Managed Systems

System Custodians/System Administrators will ensure patches are applied to protect the security of the system and thereby other systems on the WashU network. Other risk-mitigation methods may be requested by the OIS.  

Critical and Emergency Patches

The OIS may, at any time, elevate the risk and criticality of an update or a patch to ensure these are put in place in an expeditious manner.  

Patching Exceptions

Software or systems that cannot be remediated according to the normal patch schedule must be replaced or removed from the WashU network unless the OIS approves an exception request. 

The OIS will assess the risks associated with approving exceptions, assist in identifying compensating controls, and communicate recommendations to exception requestors and other appropriate parties.  

Refer to Policy 114: Information Security Exceptions for additional detail.  

Vulnerability and Patching Reports

The information obtained from vulnerability scanning will be shared with WashU personnel on a “need to know” basis to help eliminate similar vulnerabilities in other information systems.  

The OIS will present vulnerability reports to university IT governance committees on a quarterly basis, at a minimum.  

Reports must be treated as Confidential Information. Refer to Standard 200: Information Security Classification, Labeling, and Handling for additional detail.  

Rollback Procedure

System Administrators are responsible for appropriate testing procedures specific to the platform or system and will develop procedures for returning to a previous version (i.e., rollback) if there is a problem with a patch or update. Refer to Standard 204: Information Security Vulnerability Management for additional details. 

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical, users must request an exception from the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, the appropriate Area Specific Compliance Offices, Human Resources, or the Office of Student Conduct. 

Internal Audit will independently review logical and physical controls, reporting findings and recommendations to senior management and the Board of Trustees. 

Policy 105: Information Security Risk Management  

Policy 114: Information Security Exceptions 

Standard 200: Information Security Classification, Labeling, and Handling 

Standard 201: Information Security Logging and Event Monitoring 

Standard 204: Information Security Vulnerability Management

References

National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)

Policy Review

This policy will be reviewed by the OIS at a minimum of every three years.   

Policy Number and Title: 104 Information Security Vulnerability Management  

Owner: Office of Information Security  

Approved By:  Cyber Security Executive Advisory Committee

Original Approval Date:  May 5, 2019

Current Version Publication Date:  November 27, 2024