Policy Approval Authority | President |
Responsible Division | Division of Information Technology |
Responsible University Office | Office of Information Security (OIS) |
Responsible Officer(s) | Director of Information Security |
Contact Person | Bob Barton |
Primary Audience | Faculty, Staff, Student |
Status | Active |
Adoption Date | 09-01-2020 |
Last Review Date | 07-15-2022 |
Policy Category/Categories | Information Technology |
This document establishes the Vulnerability and Patch Management Policy for Northern Illinois University (NIU). This policy defines requirements for the management of information security vulnerabilities on any device that comprises or connects to Northern Illinois University information systems, communication resources, or networks; collectively known as NIU-N.
All users and system administrators of NIU-N Resources.
All things that comprise or connect to NIU-N.
All users who are conducting NIU business using external networks.
Mitigate: Minimize the possibility and impact of exploitation of a vulnerability that cannot be fully eliminated.
Patch or Update: To apply vendor supplied software updates or configuration guidance.
Remediate: Remediation occurs when the threat can be eliminated.
Risk Rating: Can be qualitative or quantitative but is a single value that indicates a combination of both the likelihood and impact of the exploitation of a given vulnerability. The higher the risk rating of a vulnerability, the more aggressive the timeframe must be to remediate or mitigate the vulnerability.
Scan: Any procedure used to detect or identify something participating on the network, or some feature in a system.
Vulnerability: Any weakness in a system or process that leaves information security exposed to a threat.
Known vulnerabilities present a clear risk to the confidentiality, integrity and availability to NIU data, information systems, and things that comprise and connect to NIU-N. That risk must be identified, communicated and managed to the level acceptable to NIU. This policy defines the authorization, requirements and responsibilities for managing those information security vulnerabilities according to risk levels and associated remediation time frames.
The following schedule defines vulnerability risk levels and associated remediation time frames.
In any case where classifications may conflict, the NIU Vulnerability Priority Rating generally takes precedence.
Risk Level | Remediation Timeframe | Classification |
Critical | Within 72 hours | |
High | Within 7 days | |
Medium | Within 14 days | |
Low | Within 30 days | |
NIU OIS is authorized to scan all things that connect to NIU-N. OIS can and will delegate authorization to perform limited scans based on an approval process.
All things that permanently connect to NIU-N are required to be scanned on a regular basis. Limited exceptions can be made through an approval process. All things that temporarily connect to NIU-N may be scanned at any time.
All things that comprise or connect to NIU-N must apply security updates to all code that resides on them, based on the vulnerability risk and remediation schedule. If a security update does not exist to remediate the vulnerability within the associated timeframe, additional mitigating controls must be implemented to reduce the risk to an acceptable level.
If, for any reason, patches or mitigating controls cannot be deployed within the remediation timeframe, the responsible system owner/administrator has the responsibility to submit a patch deferment request within one day of notification of the vulnerability.
Only the University Chief Information Officer (CIO), upon advice from the University Chief Information Security Officer (CISO), can evaluate the risks presented by non-compliant computing systems and will determine the actions required to address them.
NIU OIS is authorized to limit network access to anything or anyone connected to or using NIU-N, in any case where University resources are actively threatened, or fail to comply with this policy. NIU OIS will act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan and minimization of threats to information systems.
If it is suspected that this policy is not being followed, anyone may report the lack of compliance to the Division of IT Office of Information Security by sending an email to abuse@niu.edu.