Contact Us

CSUN Information Technology


Monday to Friday, 8am to 5pm

Faculty Technology Center
(818) 677-3443

IT Help Center
(818) 677-1400

Information Security
(818) 677-6100


(818) 677-5898

Classroom Support
(818) 677-1500

Send email

Check our social media for changes and updates.


Vulnerability Management

Definition

A vulnerability is a security weakness that can be exploited. Vulnerability management is the process by which an organization identifies, classifies, prioritizes, and remediates vulnerabilities. The CSUN Information Security (IS) team performs vulnerability scans on CSUN's servers and websites so that their owners are made aware of any critical vulnerabilities that must be remediated in a timely manner.

Website/Server Owner Responsibility

Website and server owners do not run the vulnerability scan themselves. Owners are responsible for informing the IS team and requesting a vulnerability scan when a new website or server is being deployed. Most importantly, owners are responsible for patching and remediating any outstanding vulnerabilities.

Once the website or server is patched, the owner must request another scan from the IS team to confirm that the patches were installed correctly. The website or server must have no Urgent, Critical, or High vulnerabilities in order to be approved.

Owners are responsible for keeping operating systems up to date in line with CSUN's Supported Operating Systems.

Information Security Responsibility

The IS team is responsible for running the scans, prioritizing the vulnerabilities, and providing the scan report to the owners. The IS team monitors the compliance of websites and servers and may require that a website or server be removed from the network if its vulnerabilities are not remediated in a timely manner.

When CSUN is notified of a critical patch released to fix a vulnerability, the Information Security Office will notify all affected owners that they must apply the patch, or remove the website/server from the network until the relevant patch has been applied.

When to Scan?

Vulnerability scans must be performed:

  • Monthly
  • Before moving any new website, web application, or server into production. If your website is developed using CSUN's Web-One template and published on the Web-One infrastructure, a separate vulnerability assessment is not required.
  • Before deploying any major upgrade or change to a website or server in the production environment.

Vulnerability Management Process

Request: The campus website or server owner contacts Information Security (IS) to request a vulnerability scan by submitting a ticket to either the Helpdesk or the Information Security Dispatcher. Per CSU and CSUN policy, campus website and server owners must notify the IS team of any major upgrade or change before migrating it to production, because the IS team will need to run a vulnerability scan against it.

Scanning: The IS team does not run a vulnerability scan without the express permission of the server or website owner. Owners must provide the IS team with credentials so that an authenticated scan can be run. An authenticated scan logs in to the system and inspects it from the inside (installed software versions, configuration), whereas a surface scan only sees what is exposed on the network; many critical vulnerabilities are not identified by a surface scan. The IS team will make an effort to pick a date and time for the scan that is convenient for the server or website owner.

Reporting: Upon completion of the scan, the IS team shares a report of the findings for review and mitigation. The report is shared only with the server or website owner, via a myCSUNbox folder.

Mitigation: The campus website or server owner must review the vulnerability scan report and remediate the vulnerabilities within the timeframe listed below. If the vulnerabilities are not addressed within that timeframe and the website or server remains non-compliant, it will be taken off the network.
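The approval rule above (no Urgent, Critical, or High findings) and the rescan that follows patching are the two checks an owner ends up doing by hand over the scan report. The following is an added example written for this page, not CSUN's or any scanner vendor's code: it models findings from two scans, applies the approval gate, and diffs the pre-patch scan against the post-patch rescan to show what was remediated, what persists, and what is new. The Finding fields, the plugin_id values, the lower severity tiers (Medium, Low) and the sample hosts are assumptions constructed for illustration; only the Urgent/Critical/High names come from the page.

```python
"""Added example (not CSUN's own tooling): gate a scan report on the page's
approval rule and verify remediation by diffing a pre-patch scan against the
post-patch rescan. Severity names Urgent/Critical/High follow the page; the
Medium/Low tiers, the report layout and all sample data are assumptions."""
from dataclasses import dataclass

# Highest-to-lowest ordering; the top three tiers block approval per the page.
SEVERITY_RANK = {"Urgent": 5, "Critical": 4, "High": 3, "Medium": 2, "Low": 1}
BLOCKING = {"Urgent", "Critical", "High"}


@dataclass(frozen=True)
class Finding:
    host: str        # hostname or URL the finding was reported against
    port: int        # 0 for web-application findings without a distinct port
    plugin_id: str   # scanner's check identifier (constructed values below)
    title: str
    severity: str

    def key(self):
        # Identity of a finding across scans: same host, port and check.
        return (self.host, self.port, self.plugin_id)


def blocking_findings(report):
    """Findings that prevent approval, most severe first."""
    hits = [f for f in report if f.severity in BLOCKING]
    return sorted(hits, key=lambda f: -SEVERITY_RANK[f.severity])


def approved(report):
    """True only when the report contains no Urgent, Critical or High finding."""
    return not blocking_findings(report)


def diff_scans(before, after):
    """Compare a pre-patch scan with the rescan requested after patching.
    Returns (remediated, persisting, new) as lists of Finding, in report order."""
    before_map = {f.key(): f for f in before}
    after_map = {f.key(): f for f in after}
    remediated = [f for k, f in before_map.items() if k not in after_map]
    persisting = [f for k, f in after_map.items() if k in before_map]
    new = [f for k, f in after_map.items() if k not in before_map]
    return remediated, persisting, new


# Constructed sample data, not real scan output.
PRE_PATCH = [
    Finding("www.example.edu", 443, "10001", "Outdated TLS library", "Critical"),
    Finding("www.example.edu", 22, "10002", "SSH weak MAC algorithms", "Medium"),
    Finding("www.example.edu", 443, "10003", "SQL injection in search form", "Urgent"),
]
POST_PATCH = [
    Finding("www.example.edu", 22, "10002", "SSH weak MAC algorithms", "Medium"),
    Finding("www.example.edu", 443, "10004", "Directory listing enabled", "High"),
]

if __name__ == "__main__":
    remediated, persisting, new = diff_scans(PRE_PATCH, POST_PATCH)
    print("remediated:", [f.title for f in remediated])
    print("persisting:", [f.title for f in persisting])
    print("new:", [f.title for f in new])
    print("approved:", approved(POST_PATCH))
```

The diff keys on host, port and check identifier rather than on the finding title, because scanners reword titles between releases and a title-based comparison would report a false "remediated". Note that the rescan in the sample introduces a new High finding, so the server still fails the approval gate even though both original blocking findings were fixed; this is why the page requires a full rescan rather than a re-check of the previously reported items.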

Vulnerability Remediation Timeframe

Websites and Web Applications

The web vulnerability categories prioritized for remediation are the top five categories of the OWASP Top 10 (2017):

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (XXE)
  5. Broken Access Control

Servers

Operating System: Windows-based OS

  1. Remote code execution
  2. Unsupported operating systems
  3. Flawed or outdated third-party software
  4. Misconfigured servers
  5. Weak encryption

Operating System: NIX-based OS

  1. Script kiddies on services with a web-based interface
  2. PHP web application misconfigurations (all of the top Windows vulnerabilities above apply here as well)
  3. Secure Shell (SSH)
  4. BIND Domain Name System
  5. Java