Continuous Vulnerability Management

Issue/Question

What is the USD security policy on Continuous Vulnerability Management

Environment

  • CIS Control 7

Cause

Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity 

Resolution

Continuous Vulnerability Management
 

Policy Statement: The University acknowledges the critical importance of continuously identifying, assessing, and mitigating vulnerabilities within its information systems to protect against security threats. This policy establishes guidelines for implementing continuous vulnerability management practices to enhance the security posture of the University's IT environment.

Policy Implementation:

  1. Vulnerability Scanning:

    • The University will conduct regular vulnerability scans of its network infrastructure, systems, and applications using automated scanning tools.
    • Vulnerability scanning activities will be scheduled at regular intervals and include comprehensive scans of all University assets.
    • Internal and external scans will be completed monthly
    • External attack surface monitoring will be used to access risk in an ongoing near real time manner.
  2. Patch Management:

    • The University will establish a patch management process to promptly apply security patches and updates to mitigate identified vulnerabilities.
    • Critical patches will be prioritized and applied in a timely manner to minimize the risk of exploitation by attackers.
    • Monthly OS and application patching will occur in an automated manner.
  3. Vulnerability Remediation:

    • Identified vulnerabilities will be remediated according to predefined risk prioritization criteria and timelines.
    • Remediation efforts may include applying patches, implementing compensating controls, or mitigating vulnerabilities through configuration changes.
  4. Vulnerability Tracking and Reporting:

    • Vulnerability scan results will be tracked, documented, and reported to relevant stakeholders, including IT management, system administrators, and security teams.
    • Reports will include details of identified vulnerabilities, severity ratings, and recommended remediation actions.
  5. Vulnerability Management Lifecycle:

    • The University will implement a structured vulnerability management lifecycle encompassing vulnerability identification, assessment, prioritization, remediation, and verification of remediation effectiveness.
    • The vulnerability management lifecycle will be documented and followed consistently across all University systems and assets.

Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in vulnerability management activities.

Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of continuous vulnerability management practices.


This policy provides a framework for implementing CIS Control 7 within a university environment, focusing on continuous vulnerability management practices to identify, assess, and mitigate security vulnerabilities proactively.

Please contact the Service Desk if you need further assistance