Vulnerability and Patch Management Policy
|Policy Approval Authority||President|
|Responsible Division||Division of Information Technology|
|Responsible University Office||Office of Information Security (OIS)|
|Responsible Officer(s)||Chief Information Officer and Chief Information Security Officer|
|Contact Person||Fred Williams|
|Proposed Adoption Date||09-01-2020|
|Effective Adoption Date||09-01-2020|
|Last Review Date||07-15-2022|
This document establishes the Vulnerability and Patch Management Policy for Northern Illinois University (NIU). This policy defines requirements for the management of information security vulnerabilities on any device that comprises or connects to Northern Illinois University information systems, communication resources, or networks; collectively known as NIU-N.
All users and system administrators of NIU-N Resources.
All things that comprise or connect to NIU-N.
All users who are conducting NIU business using external networks.
Mitigate: Minimize the possibility and impact of exploitation of a vulnerability that cannot be fully eliminated.
Patch or Update: To apply vendor supplied software updates or configuration guidance.
Remediate: Remediation occurs when the threat can be eliminated.
Risk Rating: Can be qualitative or quantitative but is a single value that indicates a combination of both the likelihood and impact of the exploitation of a given vulnerability. The higher the risk rating of a vulnerability, the more aggressive the timeframe must be to remediate or mitigate the vulnerability.
Scan: Any procedure used to detect or identify something participating on the network, or some feature in a system
Vulnerability: Any weakness in a system or process that leaves information security exposed to a threat.
Known vulnerabilities present a clear risk to the confidentiality, integrity and availability to NIU data, information systems, and things that comprise and connect to NIU-N. That risk must be identified, communicated and managed to the level acceptable to NIU. This policy defines the authorization, requirements and responsibilities for managing those information security vulnerabilities according to risk levels and associated remediation time frames.
Risk and Remediation
The following schedule defines vulnerability risk levels and associated remediation time frames.
In any case where classifications may conflict, the NIU Vulnerability Priority Rating generally takes precedence.
Risk Level: CRITICAL
Remediation Timeframe: Within 72 hours
- NIU Vulnerability Priority Rating 9.0 or greater
- CVSS Rating 8.0 or higher
- Vendor Rating “Critical” or equivalent
Risk Level: HIGH
Remediation Timeframe: Within 7 days
- NIU Vulnerability Priority Rating between 7.0 and 9.0
- CVSS Rating between 6.0 and 8.0
- Vendor Rating “High” or equivalent
Risk Level: MEDIUM
Remediation Timeframe: Within 14 days
- NIU Vulnerability Priority Rating between 4.0 and 7.0
- CVSS Rating between 4.0 and 6.0
- Vendor Rating “Medium” or equivalent
Risk Level: LOW
Remediation Timeframe: Within 30 days
- NIU Vulnerability Priority Rating 4.0 or less
- CVSS Rating 4.0 or less
- Vendor Rating “Low” or equivalent
NIU OIS, is authorized to scan all things that connect to NIU-N. OIS can and will delegate authorization to perform limited scans based on an approval process.
All things that permanently connect to NIU-N are required to be scanned on a regular basis. Limited exceptions can be made through an approval process. All things that temporarily connected to NIU-N may be scanned at any time.
Patching and Updating
All things that comprise or connect to NIU-N must apply security updates to all code that resides on it, based on the vulnerability risk and remediation schedule. If a security update does not exist to remediate the vulnerability within the associated timeframe, additional mitigating controls must be implemented to reduce the risk to an acceptable level.
Compliance and Responsibilities
If for any reason, patches or mitigating controls cannot be deployed within the remediation timeframe, the responsible system owner/administrator has the responsibility to submit a patch deferment request within one day of notification of vulnerability.
Only the University Chief Information Officer (CIO) upon advice from the University Chief Information Security Officer (CISO) can evaluate the risks presented by non-compliant computing systems and will determine the actions required to address them.
NIU OIS is authorized to limit network access to anything or anyone connected to or using NIU-N, in any case where University resources are actively threatened, or fail to comply with this policy. NIU OIS will act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan and minimization of threats to information systems.
If it is suspected that this policy is not being followed, anyone may report the lack of compliance to the Division of IT Office of Information security by sending an email to email@example.com.
There are no comments to show.
- Policy Categories
- Board of Trustees
- Campus Safety / Security
- Ethics & Conduct
- Facilities / Real Estate
- Faculty & Academics
- Finance / Risk Management
- Governance / Administration
- Human Resources / Employment
- Information Technology
- Marketing & Communication
- Research Ethics / Intellectual Property
- Student Affairs
- Sponsored Funding/Grants and Contracts