Vulnerability and Patch Management Standard
Overview
Patching and vulnerability remediation are critical tasks in ensuring the proper and secure function of IT systems and services. Failure to timely patch or remediate known vulnerabilities can lead to degradation of system performance, system failure, or loss of confidentiality, integrity, and/or availability of the system or data stored therein. Patching and vulnerability management must consider the function of the system or service in question, the urgency of any available patches, the risk of any known vulnerabilities, and the impact of any downtime patching or vulnerability remediation might have on service availability.
The purpose of this standard is to communicate expectations and requirements related to patch and vulnerability management throughout the UA System, including roles and responsibilities, remediation schedules, enforcement, and penalties for non-compliance.
Scope
Information Security and Assurance (ISA) Standards are mandatory and apply to the UA System and all users of UA computing resources. This standard supplements and supports Board of Regents Policy & Regulation R02.07. These standards are reviewed and approved by the CIO Management Team (CMT), a system-wide governance group consisting of each university CIO, the System CITO, and the System CISO. Business units maintaining their own security standards should utilize this standard as a baseline and may add additional requirements or detail as appropriate for their business needs, but may not weaken any individual element of this standard without an approved Information Security Controls Exception.
This standard is periodically reviewed and updated to respond to emerging threats, changes in legal and regulatory requirements, and technological advances.
Definitions
BYOD
“Bring Your Own Device” is a practice that allows users to use their personal devices, such as smartphones, laptops, or tablets, to access certain areas of an organization's network, systems, and data.
CVSS
The Common Vulnerability Scoring System (CVSS) is a NIST vulnerability rating method used to supply a qualitative measure of severity.
Patch
An update or fix released by software developers to address security vulnerabilities, bugs, or performance issues in a program or system.
Vulnerability
A weakness or flaw in a system, software, or network that can be exploited by attackers to compromise its security.
Standard
The UA Office of Information Technology (OIT)’s Information Security and Assurance (ISA) team will provide and administer an enterprise vulnerability management platform, which is operated by the Security Operations team. This platform can be used to scan any network-connected asset within UA to detect potential misconfigurations or vulnerabilities. Per R02.07.070, “Administrative Responsibilities,” ISA is authorized to scan any device connected to UA’s networks.
Roles
Chief Information Security Officer (CISO)
Acts as the Security/Risk Manager for UA’s Vulnerability Management Program.
Security Operations
The division of ISA directly responsible for operation and management of UA’s enterprise vulnerability assessment tools.
System Owners/Managers
The IT teams/individuals responsible for system patching and maintenance for the affected system(s).
University IT Units
The technical teams central to each university that control workstation and server configuration.
Unit Heads/CIOs
University leaders who can accept risk for their business units or universities.
Responsibilities
RACI Key: Responsible | Accountable | Consulted | Informed

| Activity | Security Operations | System Owners | University IT Units | CISO | Business Units / CIOs |
| --- | --- | --- | --- | --- | --- |
| Define standards and processes | A | I | I | R | C |
| Deploy assessment agents | I | C | R | A | C |
| Operate assessment scans | R | I | C | A | - |
| Remediate according to standards policy | C | R | - | I | A |
| Approve exceptions when required | C | A | I | C | R |
| Apply mitigation measures when required | C | R | C | I | A |
| Oversee performance and results of program | A | C | I | R | I |
System owners or managers are responsible for the timely patching (see Vulnerability Management, below) and remediation of vulnerabilities on the systems they are responsible for, and for informing ISA if any system or service under their control cannot be included in routine vulnerability scanning (via the Information Security Controls Exception process). While ISA can assist with vulnerability scanning, system owners or managers are ultimately responsible for identifying and remediating any vulnerabilities in their systems. Except where explicitly defined in this document, the timing and cadence of these activities is left to the system owner or manager’s discretion. System owners or managers who deviate from industry best practices or vendor recommendations should have a documented justification for doing so, including a risk assessment.
Users of UA-owned network-connected devices should make no attempt to interrupt or stop patching or vulnerability management of those devices. Users connecting personally owned devices (aka “BYOD”) to the UA network (including wired, wireless, or VPN) are responsible for ensuring their devices are properly patched and free of malware or configuration issues which could adversely impact the UA network.
Patch Management
UA-owned devices that are centrally managed should receive patches at an approved cadence, typically monthly or bi-weekly, via the central IT services at each university. The frequency of patching for other systems is left to the discretion of the system owner or manager. It is expected that wherever possible, patching will be configured to automatically download and install no less than 30 days after the release of the patch. Exceptions are permissible where unique business needs exist; the UA Information Security Controls Exception procedure shall be followed in these instances. Patch cadence is secondary to vulnerability remediation – in situations where a critical vulnerability has been identified, patching is expected to occur pursuant to the vulnerability remediation schedule outlined in Vulnerability Management below.
Vulnerability Management
ISA will make reasonable efforts to identify and assess network-connected devices for vulnerabilities and in some cases potential misconfigurations that can adversely affect the security or integrity of the system. When such vulnerabilities are detected, ISA will attempt to identify and inform the appropriate system owner or manager, or where no clear identification is possible, will identify the responsible university’s central IT organization.
When vulnerabilities are detected, it is expected that they will be remediated according to the schedule below. If a system owner or manager believes the detection to be a false positive, the responsible party can 1) request a re-scan, 2) complete their own re-scan, or 3) open a ticket to have the results “muted” for a period not to exceed six months.
Vulnerabilities will typically be categorized into one of four levels: critical, high, moderate, or low.
- Critical vulnerabilities are those that can result in complete systems failure or widespread loss of integrity or confidentiality of the system or data contained on it and can often be leveraged with minimal effort or skill. As such, critical vulnerabilities are expected to be promptly remediated within 72 hours of detection. They may be identified by name in a report or alert or may have a Common Vulnerability Scoring System (CVSS) score of 8.0 or higher.
- High risk vulnerabilities are those that can result in significant impacts to a system with relatively limited effort or knowledge. These vulnerabilities may be identified by name or have a CVSS score of 6.0-7.9. High risk vulnerabilities are expected to be remediated within 7 days of detection.
- Moderate risk vulnerabilities are those that with moderate effort and/or knowledge could result in negative impact to a system or service. These may be identified by name or have a CVSS score of 4.0-5.9. Moderate risk vulnerabilities are expected to be remediated within 30 days of detection.
- Low risk vulnerabilities have a low probability of impacting system or service availability or integrity or of adversely impacting the confidentiality of data stored therein. Low risk vulnerabilities have a CVSS score of less than 4.0 and should be remediated within 90 days of detection.
| Workstation Patching | Public Data | Internal Data | Sensitive or |
| --- | --- | --- | --- |
| Critical (CVSS 9.0+) | 14 days | 7 days | 3 days |
| High (CVSS 7.0-8.9) | 30 days | 14 days | 7 days |
| Moderate (CVSS 4.0-6.9) | 60 days | 30 days | 14 days |
| Low (CVSS <4) | 90 days | 30 days | 14 days |

| Server Patching | Public Data | Internal Data | Sensitive or |
| --- | --- | --- | --- |
| All Severities | 30 days | 14 days | 5 days |

| Application Patching | Public Data | Internal Data | Sensitive or |
| --- | --- | --- | --- |
| All Severities | 90 days | 45 days | 7 days |
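The remediation schedule above, worked as a small compliance check (an added example, not part of the standard or of any UA tooling): it maps a finding's asset type, data classification and CVSS score to its remediation window, honours a false-positive mute only while it is current and within the six-month cap, and flags overdue findings. The sample findings are constructed, and the 183-day mute cap and the use of the workstation table's CVSS bands for all asset types are assumptions.

```python
from datetime import date, timedelta

# Remediation windows (days) from the schedule tables; columns = (public, internal, sensitive).
DATA_CLASSES = ("public", "internal", "sensitive")
WORKSTATION = {"critical": (14, 7, 3), "high": (30, 14, 7),
               "moderate": (60, 30, 14), "low": (90, 30, 14)}
OTHER = {"server": (30, 14, 5), "application": (90, 45, 7)}  # all severities
MAX_MUTE_DAYS = 183  # assumption: the "six months" mute cap taken as 183 days

def severity_band(cvss):
    """CVSS bands as printed in the workstation table (9.0+, 7.0-8.9, 4.0-6.9, <4)."""
    for band, floor in (("critical", 9.0), ("high", 7.0), ("moderate", 4.0)):
        if cvss >= floor:
            return band
    return "low"

def remediation_window(asset_type, data_class, cvss):
    """Days allowed to remediate for this asset type and data classification."""
    col = DATA_CLASSES.index(data_class)
    if asset_type == "workstation":
        return WORKSTATION[severity_band(cvss)][col]
    return OTHER[asset_type][col]

def check_finding(finding, today):
    """Return (status, due): status is 'muted', 'open' or 'overdue'."""
    # A mute counts only while current and no more than MAX_MUTE_DAYS after detection.
    detected = finding["detected"]
    muted_until = finding.get("muted_until")
    if muted_until and today <= muted_until and \
            (muted_until - detected).days <= MAX_MUTE_DAYS:
        return "muted", None
    window = remediation_window(finding["asset_type"],
                                finding["data_class"], finding["cvss"])
    due = detected + timedelta(days=window)
    return ("overdue" if today > due else "open"), due

# Constructed sample findings (not real scan output) for a stand-alone run.
SAMPLE = [
    {"id": "F1", "asset_type": "workstation", "data_class": "sensitive",
     "cvss": 9.8, "detected": date(2025, 1, 10)},
    {"id": "F2", "asset_type": "server", "data_class": "public",
     "cvss": 5.3, "detected": date(2025, 1, 1)},
    {"id": "F3", "asset_type": "application", "data_class": "internal",
     "cvss": 7.5, "detected": date(2025, 1, 1), "muted_until": date(2025, 3, 1)},
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f["id"], *check_finding(f, date(2025, 1, 20)))
```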
Requests for exceptions to the remediation schedule above should be submitted to the appropriate university IT department for risk assessment. IT departments are encouraged to consult with ISA where any concern might exist and must inform ISA of approved exceptions so that future vulnerability scanning and reporting will correctly report approved exceptions.
Violations and Exceptions
Per Board of Regents Policy & Regulation R02.07.060, violations of this Standard:
- may result in a reduction or loss of access privileges, or the imposition of other restrictions or conditions on access privileges;
- may subject employees to disciplinary action, up to and including termination;
- may subject students to disciplinary action including expulsion according to the Student Code of Conduct procedures; and
- may also subject violators to criminal prosecution.
Requesting an Exception
The process for requesting exceptions to this or any other IT Security Standard is outlined in the Information Security Controls Standard.
Implementation
OIT Information Security and Assurance is responsible for the implementation, maintenance, and interpretation of this IT Standard.
Related Standards
Minimum Security Standards (upcoming)
Information Security Controls Standard
References
This document is intended to align with the National Institute of Standards and Technology (NIST) Special Publication 800-171 (revision 3) and specifically controls:
Configuration Management (CM) 3.4
CM-7: Information System Maintenance
3.4.02 a: Establish, document, and implement the following configuration settings for the system that reflect the most restrictive mode consistent with operational requirements.
System and Information Integrity (SI) 3.14
3.14.01
- Identify, report, and correct system flaws.
- Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates.
3.14.2 b: Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures.
3.14.03
- Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.
- Generate and disseminate internal system security alerts, advisories, and directives, as necessary.
3.11.02 Vulnerability Monitoring and Scanning
- Monitor and scan the system for vulnerabilities [organization-defined frequency] and when new vulnerabilities affecting the system are identified.
- Remediate system vulnerabilities within [organization-defined response] times.
- Update system vulnerabilities to be scanned [organization-defined frequency] and when new vulnerabilities are identified and reported.
Lifecycle and Contacts
Standard Owner: OIT Information Security and Assurance
Standard Contact: Chief Information Security Officer
Phone: 907-474-5347
Email: ua-ciso@alaska.edu
Approved: November 2024
Effective: November 2024
Next Review: November 2026