Vulnerability Management Standards

Last Edited: 3/5/14 by Kevin Hayes

C&IT performs monthly security scans and as-needed external network penetration tests.  Results from these security tests that are deemed "critical" or "high" require prompt action from system administrators and system owners to prevent security incidents, compromises or data breaches.

There are four ways in which a system administrator can address a security vulnerability ticket:

  1. The listed vulnerability can be remediated or eliminated.
  2. The listed vulnerability can be determined to be a false positive.
  3. The listed vulnerability can be mitigated using compensating controls.
  4. The listed vulnerability can be accepted with its associated risk by senior management.

All critical level security vulnerabilities must be addressed within 30 days.

All high level security vulnerabilities must be addressed within 90 days.

If these deadlines are not met, unresolved items will be escalated to the Chief Information Officer (CIO), as well as to the School/College/Division head for systems not under the control of Computing & Information Technology.  Consequences may include system deactivation per the Acceptable Use of Information Technology Policy (University Policy 00-1).

Detailed Standards Information

As part of the Information Security program at Wayne State University, a network vulnerability scanner is used to identify possible risks to the confidentiality, integrity, and availability of University systems, networks and data.  This document outlines the standards by which Computing & Information Technology discovers, classifies, and manages these possible vulnerabilities at the University.

The Information Security staff at Wayne State University, under the authority of the Chief Information Officer, maintains a network vulnerability scanner.  This system is constantly kept up to date with information and signatures of the latest vulnerabilities that can be exploited on University systems.

System administrators must not block scans or other access from the network vulnerability scanner without prior approval from Information Security staff.  A host that is blocked from the scanner will not appear in the results, so its vulnerabilities go unreported rather than unfixed.

A network vulnerability scan is automatically performed against the entire University network at the beginning of each month.  Systems residing in the Computing Center will be scanned starting at 6:00pm on the 1st of each month.  The rest of the University network will be scanned on the subsequent days, with the scans completing on approximately the 9th of the month.

On completion of the network vulnerability scan, a ticket in the WSU Tech Solutions system will automatically be created for each critical or high level vulnerability.

Each of these tickets will include all information available from the network vulnerability scanner, including a description of the vulnerability, potential impact, risk rating, remediation instructions, and links to applicable security advisories.

Medium level vulnerabilities will undergo a cursory review by Information Security staff, however tickets will only be created for items which staff believe pose a legitimate risk to the University.

The risk level for each vulnerability (Critical, High, Medium) is governed by its CVSS score.  The CVSS base score is calculated from several metrics: how the vulnerability is reached (access vector), how difficult it is to exploit (access complexity), the level of authentication needed to exploit it, and the impact on the confidentiality, integrity, and availability of the affected system.

Once a ticket is created in WSU Tech Solutions, it will be assigned to a system administrator responsible for the affected system.  Information Security staff will use all available resources to attempt identification of the proper system administrator.

If an assigned system administrator believes that another individual should be responsible for addressing the vulnerability, then the currently assigned system administrator should update the Tech Solutions ticket with a short description stating the reason for re-assignment, and then request the Information Security staff add the appropriate person to the ticket as a contact or assignee.

There are four ways in which a system administrator can address a ticket:

  1. The listed vulnerability can be remediated.

A system administrator can apply the recommended or necessary patches, updates, or configuration settings needed to eliminate the vulnerability.

  2. The listed vulnerability can be determined to be a false positive.

A system administrator can identify that the existence of the listed vulnerability is in error.

  3. The listed vulnerability can be mitigated using compensating controls.

A system administrator can work to limit or reduce the exposure of a vulnerability if it is determined that proper remediation cannot be completed within 30 days for critical level vulnerabilities, and 90 days for high level vulnerabilities.

  4. The listed vulnerability can be accepted with its associated risk by senior management.

In rare instances where no remediation or mitigation is possible, senior management can agree to accept all associated risk exposed by a specific vulnerability.

If a system administrator chooses to remediate a vulnerability, they should update the ticket's description periodically to describe their remediation efforts.  When they believe the vulnerability is fully remediated, they should make a final update and set the category of the ticket to "Transfer".  These updates should include the specific steps taken to patch, update, or change the affected system.  Alternatively, a system administrator can disable, remove, or decommission the server or service that is causing the vulnerability.  Information Security staff will validate the information and perform a scan confirming that the vulnerability has been remediated.  Information Security staff, when satisfied, will mark the ticket as Resolved.

If a system administrator believes a vulnerability is a false positive, they should update the ticket's description with all pertinent information and data showing why the determination of the vulnerability scanner is incorrect, and set the category of the ticket to "Transfer".  This may include documentation from the vendor (for example, a vendor notice that the reported version already carries a backported fix) and system diagnostic output.  Information Security staff will review this information, soliciting input as needed, and may make the determination that the vulnerability is a false positive.  Information Security staff, when satisfied, will mark the ticket as Resolved.

If a system administrator desires to mitigate a vulnerability using compensating controls, they should update the ticket's description with the technical and business reasons as to why the vulnerability cannot be normally remediated within 30 days for a critical level vulnerability, or 90 days for a high level vulnerability.  Information Security staff will review this request and work with the system administrator to develop compensating controls to limit the scope and impact of the vulnerability.  These compensating controls may include additional system configurations, firewall rules, or system redesign.  Information Security staff, when satisfied, will mark the ticket as Resolved.  An additional Tech Solutions ticket will be created for the system administrator to address the greater vulnerability issue in a longer timeframe.

A system administrator can recommend that senior management accept all risk associated with a specific vulnerability in the rare case that no remediation or mitigation of the vulnerability is possible.  The system administrator must demonstrate to both Information Security staff and the Chief Information Officer that remediation or mitigation of the vulnerability would either be impossible, or would come at a cost greater than any benefit to the University.  The ticket will be updated with the findings of the system administrator, Information Security staff, and the Chief Information Officer.  If senior management decides not to accept the risk for a specific vulnerability, the system administrator will work with the Information Security staff to identify other options to address the vulnerability.  Information Security staff, when satisfied, will mark the ticket as Resolved.

Justifications for both false positives and compensating controls will be re-evaluated every six months.  Periodic review of accepted vulnerabilities by senior management will also occur every six months.

Vulnerabilities that have been identified as false positives, have been mitigated using compensating controls, or have been accepted by senior management will not have additional Tech Solutions tickets created for them in subsequent monthly scans.

System administrators should work to have their tickets addressed within 30 days of creation for critical level vulnerabilities, and within 90 days for high level vulnerabilities. Members of the "CIT – Information Security" group in Tech Solutions will review all responses and will mark tickets as Resolved.  Senior management will review tickets that remain open after their respective deadlines.

If the published deadlines for addressing vulnerabilities are not met, unresolved items will be escalated to the system administrator's direct management, as well as to C&IT senior management, including the Chief Information Officer (CIO).  For systems not under the control of Computing & Information Technology, unresolved items will additionally be escalated to the appropriate School/College/Division head for the affected system.  Consequences for unresolved items may include removal of network access for the affected system.

Anyone with questions regarding the capabilities or operation of the network vulnerability scanner, or these vulnerability management standards, should contact a member of the Information Security staff.