This standard applies to all Miami-owned computing devices.
Rationale
To provide a consistent method by which to identify and mitigate vulnerabilities in Miami’s computing infrastructure in order to decrease the overall risk profile of the University. Vulnerabilities that cannot be mitigated in a timely fashion need to be communicated so alternative mitigation strategies can be considered.
Standard
Vulnerability Scanning Schedule
The Information Security team will perform regular monthly scans of the wired networks for all non-residential networks on the Miami network. This schedule will be created with input from the technical staff responsible for computing devices on those portions of the network.
Communication of Vulnerability Scanning Results
The Information Security team will make the results of the vulnerability scans available to the responsible technical staff within seven days of each scan's completion.
Vulnerability Reclassification
The Information Security team will identify any specific vulnerabilities that may be classified at an incorrect risk level for our environment. They will bring any such identified vulnerabilities to the Security Working Group for validation. Any vulnerabilities that are classified at a different risk level than what is provided by the scanning tool will be documented by the information security team, and will be reviewed by the Security Working Group on an annual basis to ensure that the reclassification is still appropriate.
Vulnerability Remediation
Vulnerabilities will be classified by risk score, as outlined in the appendix. Any vulnerability identified as "high" must be remediated within 30 days of the initial notification. All other vulnerabilities should be considered for remediation by the responsible technical staff. "High" risk vulnerabilities that can be corrected by the technical staff within 30 days of the initial notification will be corrected within that period. Any "high" risk vulnerability that the technical staff does not correct within 30 days of the initial notification will be communicated by the responsible technical staff to the Information Security team. This communication will include the reason why the vulnerability won't be corrected within the 30 days. Examples of these reasons include, but are not limited to, the following:
- vulnerabilities that will be corrected but will take longer than 30 days
- vulnerabilities believed to be of minimal risk, such as false positive results and computers administered by students as part of a class on system administration which contain no confidential information
- vulnerabilities believed to be of acceptable risk, such as systems that have additional controls applied to limit the exposure of the vulnerability
The Information Security team will determine the level of risk posed by the "high" risk vulnerabilities that won't be corrected within 30 days of the initial notification. If the level of risk is not minimal or acceptable, the Information Security team will work with the responsible technical staff to determine alternative safeguards that can be applied to bring the risk to an acceptable level, or require that the vulnerability be corrected. The alternative safeguards or corrections will be identified and applied within 30 days of the initial notification. Vulnerabilities that the Information Security team has deemed minimal or acceptable will be identified in the vulnerability scanning tool and re-examined by the Information Security team every 12 months to confirm that they still pose minimal or acceptable levels of risk, or to determine whether corrective action is required.
Consequences of non-compliance
If the Information Security team and the responsible technical staff are unable to come to consensus on how a vulnerability should be addressed, that information will be communicated to the Information Security Officer who will determine the appropriate action.
Exceptions
Any exceptions to this policy require approval from the Information Security Officer before they can be implemented. All exceptions will be reviewed every 12 months to ensure they are still appropriate and necessary.
Appendix
- Reclassified vulnerabilities: All reclassified vulnerabilities are stored in the OpenVAS vulnerability management tool
- “High” vulnerabilities: All vulnerabilities with a CVSS risk score greater than 7.0 are considered “high”
Standard Administration
Next Review Date
Responsible Officer
- Vice President for Information Technology & Chief Information Officer
Contact
- Assistant VP for IT Services Security, Compliance, and Risk Management
Approval(s) and Date(s)
- Initial Approval: 22 October 2015
- Most-recent Approval: 20 September 2016
- Most-recent Review: 10 June 2019