Vulnerability and Patch Management Standard

Overview

Patching and vulnerability remediation are critical tasks in ensuring the proper and secure function of IT systems and services.  Failure to timely patch or remediate known vulnerabilities can lead to degradation of system performance, system failure, or loss of confidentiality, integrity, and/or availability of the system or data stored therein.  Patching and vulnerability management must consider the function of the system or service in question, the urgency of any available patches, the risk of any known vulnerabilities, and the impact of any downtime patching or vulnerability remediation might have on service availability.

The purpose of this standard is to communicate expectations and requirements related to patch and vulnerability management throughout the UA System, including roles and responsibilities, remediation schedules, enforcement, and penalties for non-compliance, etc.


Scope

Information Security and Assurance (ISA) Standards are mandatory and apply to the UA System and all users of UA computing resources.  This standard supplements and supports Board of Regents Policy & Regulation R02.07. These standards are reviewed and approved by the CIO Management Team (CMT), a system-wide governance group consisting of each 猫咪社区官网 CIO, the System CITO, and the System CISO.  Business units maintaining their own security standards should utilize this standard as a baseline and may add additional requirements or detail as appropriate for their business needs, however, may not weaken any individual element of this standard without an approved Information Security Controls Exception.

This standard is periodically reviewed and updated to respond to emerging threats, changes in legal and regulatory requirements, and technological advances.


Definitions

BYOD

鈥淏ring Your Own Device鈥 is a practice that allows users to use their personal devices, such as smartphones, laptops, or tablets, to access certain areas of an organization's network, systems, and data.

 

CVSS

The is a NIST vulnerability rating method used to supply a qualitative measure of severity.

 

Patch

An update or fix released by software developers to address security vulnerabilities, bugs, or performance issues in a program or system.

 

Vulnerability

A weakness or flaw in a system, software, or network that can be exploited by attackers to compromise its security.


Standard

The UA Office of Information Technology (OIT)鈥檚 Information Security and Assurance (ISA) team will provide and administer an enterprise vulnerability management platform, which is operated by the Security Operations team.  This platform can be used to scan any network-connected asset within UA to detect potential misconfigurations or vulnerabilities.  Per R02.07.070, 鈥淎dministrative Responsibilities,鈥 ISA is authorized to scan any device connected to UA鈥檚 networks.

Roles

Chief Information Security Officer (CISO)

Acts as the Security/Risk Manager for UA鈥檚 Vulnerability Management Program. 

 

Security Operations

The division of ISA directly responsible for operation and management of UA鈥檚 enterprise vulnerability assessment tools.

 

System Owners/Managers

The IT teams/individuals responsible for system patching and maintenance for the affected system(s).

 

University IT Units

The technical teams central to each 猫咪社区官网 that control workstation and server configuration. 

 

Unit Heads/CIOs

University leaders who can accept risk for their business units or universities.

 


Responsibilities

RACI Key:

Responsible Accountable Consulted Informed

 

 

Security Operations

 System Owners,
Managers

 University IT Units

CISO

Business Units / CIOs

Define standards and processes

A

I I R C

Deploy assessment agents

I C R A C

Operate assessment scans

R I C A -

Remediate according to standards policy

C R - I A

Approve exceptions when required

C A I C R

Apply mitigation measures when required

C R C I A

Oversee performance and results of program

A C I R I

 

System owners or managers are responsible for the timely patching (see , below)  and remediation of vulnerabilities on the systems they are responsible for, and for informing ISA if any system or service under their control cannot be included in routine vulnerability scanning (via the Information Security Controls Exception process).  While ISA can assist with vulnerability scanning, system owners or managers are ultimately responsible for identifying and remediating any vulnerabilities in their systems.  Except where explicitly defined in this document, the timing and cadence of these activities is left to the system owner or manager鈥檚 discretion.  System owners or managers who deviate from industry best practices or vendor recommendations should have a documented justification for doing so, including a risk assessment.

Users of UA-owned network-connected devices should make no attempt to interrupt or stop patching or vulnerability management of those devices.  Users connecting personally owned devices (aka 鈥淏YOD鈥) to the UA network (including wired, wireless, or VPN) are responsible for ensuring their devices are properly patched and free of malware or configuration issues which could adversely impact the UA network.

 


Patch Management

UA-owned devices that are centrally managed should receive patches at an approved cadence, typically monthly or bi-weekly, via the central IT services at each 猫咪社区官网.  The frequency of patching for other systems is left to the discretion of the system owner or manager.  It is expected that wherever possible, patching will be configured to automatically download and install no less than 30 days after the release of the patch.  Exceptions are permissible where unique business needs exist; the UA Information Security Controls Exception procedure shall be followed in these instances.  Patch cadence is secondary to vulnerability remediation 鈥 in situations where a critical vulnerability has been identified, patching is expected to occur pursuant to the vulnerability remediation schedule outlined in below.


Vulnerability Management

ISA will make reasonable efforts to identify and assess network-connected devices for vulnerabilities and in some cases potential misconfigurations that can adversely affect the security or integrity of the system.  When such vulnerabilities are detected, ISA will attempt to identify and inform the appropriate system owner or manager, or where no clear identification is possible, will identify the responsible 猫咪社区官网鈥檚 central IT organization.

When vulnerabilities are detected, it is expected that they will be remediated according to the schedule below.  If a system owner or manager believes the detection to be a false positive, the responsible party can 1) request a re-scan, 2) complete their own re-scan, or 3) open a ticket to have the results 鈥渕uted鈥 for a period not to exceed six months.

Vulnerabilities will typically be categorized into one of four levels 鈥 critical, high, moderate, or low.

  • Critical vulnerabilities are those that can result in complete systems failure or widespread loss of integrity or confidentiality of the system or data contained on it and can often be leveraged with minimal effort or skill.  As such, critical vulnerabilities are expected to be promptly remediated within 72 hours of detection.  They may be identified by name in a report or alert or may have a score of 8.0 or higher.

  • High risk vulnerabilities are those that can result in significant impacts to a system with relatively limited effort or knowledge.  These vulnerabilities may be identified by name or have a CVSS score of 6.0-7.9.  High risk vulnerabilities are expected to be remediated within 7 days of detection.

  • Moderate risk vulnerabilities are those that with moderate effort and/or knowledge could result in negative impact to a system or service.  These may be identified by name or  have a CVSS score of 4.0-5.9.  Moderate risk vulnerabilities are expected to be remediated within 30 days of detection.

  • Low risk vulnerabilities have a low probability of impacting system or service availability or integrity or of adversely impacting the confidentiality of data stored therein.  Low risk vulnerabilities have a CVSS score of less than 4.0 and should be remediated within 90 days of detection.

Workstation Patching

Public Data

Internal Data

Sensitive or
Regulated Data

Critical (CVSS 9.0+)

14 days 7 days 3 days

High (CVSS 7.0-8.9)

30 days 14 days 7 days

Moderate (CVSS 4.0-6.9)

60 days 30 days 14 days

Low (CVSS <4)

90 days 30 days 14 days

 

Server Patching

Public Data

Internal Data

Sensitive or
Regulated Data

All Severities

30 days 14 days 5 days

 

 

Application Patching

Public Data

Internal Data

Sensitive or
Regulated Data

All Severities

90 days 45 days 7 days

 

Requests for exceptions to the remediation schedule above should be submitted to the appropriate 猫咪社区官网 IT department for risk assessment.  IT departments are encouraged to consult with ISA where any concern might exist and must inform ISA of approved exceptions so that future vulnerability scanning and reporting will correctly report approved exceptions.


Violations and Exceptions

Per Board of Regents Policy & Regulation R02.07.060  violations of this Standard: 

  • may result in a reduction or loss of access privileges, or the imposition of other restrictions or conditions on access privileges;
  • may subject employees to disciplinary action, up to and including termination; 
  • may subject students to disciplinary action including expulsion according to the Student Code of Conduct procedures; and 
  • may also subject violators to criminal prosecution. 
Requesting an Exception

The process for requesting exceptions to this or other IT Security Standard are outlined in the Information Security Controls Standard.

 


Implementation

OIT Information Security and Assurance is responsible for the implementation, maintenance and interpretation of this IT Standard.

Related Standards

Minimum Security Standards (upcoming)

Information Security Controls Standard


References

This document is intended to align with the and specifically controls:

CM-7: Information System Maintenance

3.4.02 a: Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements.

3.14.01

  1. Identify, report, and correct system flaws.

  2. Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.

3.14.2 b: Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.

3.14.03

  1. Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.

  2. Generate and disseminate internal system security alerts, advisories, and directives, as necessary.

3.11.02 Vulnerability Monitoring and Scanning

  1. Monitor and scan the system for vulnerabilities [organization-defined frequency] and when new vulnerabilities affecting the system are identified.

  2. Remediate system vulnerabilities within [organization-defined response] times.

  3. Update system vulnerabilities to be scanned [organization-defined frequency] and when new vulnerabilities are identified and reported.


Lifecycle and Contacts

Standard Owner: OIT Information Security and Assurance

Standard Contact: Chief Information Security Officer

Phone: 907-474-5347

Email: ua-ciso@alaska.edu

Approved: November 2024

Effective: November 2024

Next Review: November 2026