Information Security Standard - Vulnerability Remediation


Vulnerability Remediation

Objective - The timely remediation of vulnerabilities will reduce a system’s overall attack surface and corresponding likelihood of data exposure due to a compromise. This standard defines the required timeframe in which discovered or disclosed vulnerabilities shall be remediated. 

Primary Audience - System Owners and Administrators

Related Policy - University Regulations and Procedures 04.760 - Information Security Risk Assessment

Non-compliance - Failure to comply with this standard will result in system isolation, including disconnection.

Owner (Status) - TWU Information Security Officer (Reviewed 5/17/2024)


Standard Definition 

IT Solutions has defined the following remediation timeframes to address discovered or disclosed vulnerabilities. The appropriate remediation timeframe depends on one or more factors expressing the severity or criticality associated with the vulnerability. Vulnerabilities that are not remediated within the timeframe pose an increased risk to the university, and may result in actions in accordance with the related policy.

The first four columns are indicators of Severity, Criticality, or Risk Level [1]; the last column is the Remediation Timeframe [5].

TWU Vulnerability Severity Rating | TWU Data Risk Levels [2] | CVSS Score [3] | Enterprise Vulnerability Score [4] | Remediation Timeframe [5]
----------------------------------+--------------------------+----------------+------------------------------------+--------------------------
Low                               | Low                      | 0.0-3.9        | Low                                | Within 3 months
Medium                            | Moderate                 | 4.0-6.9        | Medium                             | Within 1 month
High                              | High                     | 7.0-8.9        | High                               | Within 2 weeks
Critical                          | High                     | 9.0-10.0       | High/Critical                      | Within 1 week

Remediation actions are unique to each instance of a vulnerability. In certain situations, the remediation action may be as simple as applying a vendor patch or fix to directly address the vulnerability. In other situations, access and availability may need to be restricted to the affected system or service, resulting in a degradation of performance. System owners are responsible for understanding the potential impact of a vulnerability to their system, and weighing the remediation actions against potential impact to business operations as well as confidentiality, integrity and availability.  

Example Scenarios

The recent monthly vulnerability scan for System ‘XYZ’ has identified three Critical and four Medium vulnerabilities. Based on the Vulnerability Remediation Standard, the System Owner must remediate the three Critical vulnerabilities within 1 week of discovery. The four Medium vulnerabilities must be remediated within 1 month of discovery. The discovery date is the date the monthly report is sent to the System Owner. Failure to remediate the vulnerabilities within these timeframes will result in disconnection or isolation of the affected system or service.
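The scenario above is a deadline calculation: classify each finding by its CVSS score, add the timeframe from the table to the discovery date, and flag anything past due as an isolation candidate. The following Python script is an added example written for this page, not TWU tooling or part of the standard itself. It assumes that "month" means a calendar month (clamped to the last valid day, so a report sent on 31 January gives a 1-month deadline of 29 February in a leap year), that CVSS scores are compared after rounding to one decimal place (which closes the gaps between bands such as 3.9 and 4.0), and that the sample findings, check names and dates are constructed for illustration.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# CVSS base-score bands -> TWU Vulnerability Severity Rating, as given in the standard's table.
CVSS_BANDS = (
    (0.0, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)

# Remediation timeframe per rating, relative to the discovery/disclosure date (footnote 5).
# Stored as (calendar months, days); assumption: "month" in the standard means a calendar month.
TIMEFRAME = {
    "Low": (3, 0),       # within 3 months
    "Medium": (1, 0),    # within 1 month
    "High": (0, 14),     # within 2 weeks
    "Critical": (0, 7),  # within 1 week
}


def severity_for_cvss(score: float) -> str:
    """Map a CVSS base score to the TWU severity rating from the table.

    CVSS publishes scores to one decimal place, so the score is rounded to one
    decimal first; a value that is not in 0.0-10.0 is rejected rather than guessed.
    """
    s = round(float(score), 1)
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for low, high, rating in CVSS_BANDS:
        if low <= s <= high:
            return rating
    raise ValueError(f"no severity band for score {score}")  # unreachable after rounding


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping to the month's last valid day."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def _as_date(value) -> date:
    """Accept either a date or an ISO-8601 string such as '2024-01-31'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def due_date(rating: str, discovered) -> date:
    """Remediation deadline for a finding of the given rating."""
    months, days = TIMEFRAME[rating]
    return add_months(_as_date(discovered), months) + timedelta(days=days)


@dataclass
class Finding:
    system: str
    check: str         # scanner check label (constructed, not a real plugin id)
    cvss: float
    discovered: date   # date the monthly report was sent to the System Owner

    @property
    def rating(self) -> str:
        return severity_for_cvss(self.cvss)

    @property
    def due(self) -> date:
        return due_date(self.rating, self.discovered)


def remediation_status(finding: Finding, today) -> dict:
    """Where a finding stands against the standard's timeframe on a given day."""
    days_left = (finding.due - _as_date(today)).days
    return {
        "system": finding.system,
        "check": finding.check,
        "rating": finding.rating,
        "due": finding.due.isoformat(),
        "days_left": days_left,
        "overdue": days_left < 0,
    }


def overdue_findings(findings, today) -> list:
    """Findings past their deadline: per the standard, candidates for isolation."""
    t = _as_date(today)
    return [f for f in findings if f.due < t]


# Constructed sample report for the example scenario: system 'XYZ', three Critical
# and four Medium findings, report sent 31 January 2024 (date chosen to exercise clamping).
REPORT_DATE = date(2024, 1, 31)
SAMPLE_FINDINGS = [
    Finding("XYZ", "constructed-check-1", 9.8, REPORT_DATE),
    Finding("XYZ", "constructed-check-2", 9.1, REPORT_DATE),
    Finding("XYZ", "constructed-check-3", 10.0, REPORT_DATE),
    Finding("XYZ", "constructed-check-4", 6.5, REPORT_DATE),
    Finding("XYZ", "constructed-check-5", 5.3, REPORT_DATE),
    Finding("XYZ", "constructed-check-6", 4.0, REPORT_DATE),
    Finding("XYZ", "constructed-check-7", 6.9, REPORT_DATE),
]

if __name__ == "__main__":
    today = "2024-02-10"
    for f in SAMPLE_FINDINGS:
        print(remediation_status(f, today))
    print("overdue:", [f.check for f in overdue_findings(SAMPLE_FINDINGS, today)])
```

Run on the constructed report with a "today" of 10 February 2024, the three Critical findings (due 7 February) are already overdue while the four Medium findings (due 29 February) have 19 days left; the same functions can be pointed at a real scan export by building `Finding` objects from its rows.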

[1] Remediation of vulnerabilities may be rank-ordered and prioritized based on available information. This chart provides for 4 different indicators of the priority/severity.

[2] Based on Risk Level to be determined in accordance with URP 04.760 (RA-2 and RA-5).

[3] Qualitative severity rating scale - https://www.first.org/cvss/specification-document.

[4] IT Solutions is currently evaluating alternative enterprise Vulnerability Management solutions to improve scalability, reporting and compliance. An ‘Enterprise Vulnerability Score’ takes into account environmental considerations, providing an additional level of risk context.

[5] Timeframe relative to date of initial discovery or disclosure.