Vulnerability Management Policy

Objective

This policy and associated guidance covers a well-defined and organized approach for vulnerability management to reduce infrastructure risks and integrate with patch management.  To ensure confidentiality, integrity, and availability of WashU systems Office of Information Security (OIS) and Information Technology (IT) will develop a documented vulnerability management process for the efficient and effective assessment and mitigation of IT infrastructure risks.

Applicability

This policy applies to systems connected to any WashU network, including all information resources that are owned, leased, vended, contracted, or operated by the university. This includes hardware, software, systems, and data. 

Audience

The audience for this policy is all WashU faculty, staff, and students.  It also applies for all other agents of the university with access to WashU information and network for contracted services. This includes, but not limited to partners, affiliates, contractors, temporary employees, trainees, guests, and volunteers.  The titles will be referred collectively hereafter as “WashU community”.

Roles & Responsibilities
Policy

The OIS will document, implement, and maintain a vulnerability management process for WashU. The process will be integrated into the IT flaw remediation (patch) process managed by IT. 

Appropriate vulnerability assessment tools and techniques will be implemented.  Selected personnel will be trained in their use and maintenance.  The OIS will periodically test the security posture by scanning the information systems owned and managed by WashU with vulnerability tools.  The frequency of the scans will be scheduled based upon the level of risk and data classification. 

The OIS will analyze the scans and their reports for vulnerability impact for WashU. The OIS will deliver a formal report that will identify the vulnerabilities requiring remediation or mitigation based on risk, patch requirements, and classification documented in the Vulnerability Management Operational Process.

Reference the Vulnerability Management Standard for more information about vulnerability remediation and mitigation timelines.  The OIS will assist with remediation or mitigation planning as needed. 

The information obtained from the vulnerability scanning process will be shared with appropriate personnel throughout the organization on a “need to know” basis to help eliminate similar vulnerabilities in other information systems. 

Policy Compliance

The Office of Information Security (OIS) will evaluate compliance with this policy using various methods, including reports, internal and external audits, and feedback to the policy owner. If compliance with this policy is not feasible, technically possible, or practical users should request an exceptionfrom the OIS. Exceptions to this policy must be approved by the OIS in advance. Non-compliance will be addressed with management, Area Specific Compliance Office, Human Resources, or the Office of Student Conduct. 

Related Policies

None

Reference

Security Controls – NIST 800-53 Controls – WU_SSP_Controls_Workbook_DOT Rev3- RA-5 Vulnerability Scanning.  (Refer to implementation Standard.)

Vulnerability Management Process

Vulnerability Management Standard

Policy Review

This policy will be reviewed by the OIS at a minimum of every three years. 

Title: Vulnerability Management Policy
Version Number: 1.0
Reference Number: 
RA-01.03
Creation Date: February 7, 2019
Approved By: 
Security and Privacy Governance Committee
Approval Date: 
May 5, 2019
Status: Final
Scheduled Review Date: June 1, 2022
Revision Date: April 6, 2023
Revision Approval Date: 
April 6, 2023
Policy Owner: 
Office of Information Security