Vulnerability and Patch Management Policy

Purpose

This document establishes the Vulnerability and Patch Management Policy for Northern Illinois University (NIU). This policy defines requirements for the management of information security vulnerabilities on any device that comprises or connects to Northern Illinois University information systems, communication resources, or networks; collectively known as NIU-N.

Scope

All users and system administrators of NIU-N Resources.

All things that comprise or connect to NIU-N.

All users who are conducting NIU business using external networks.

Definitions

Mitigate: Minimize the possibility and impact of exploitation of a vulnerability that cannot be fully eliminated.

Patch or Update: To apply vendor supplied software updates or configuration guidance.

Remediate: Remediation occurs when the threat can be eliminated.

Risk Rating: Can be qualitative or quantitative but is a single value that indicates a combination of both the likelihood and impact of the exploitation of a given vulnerability. The higher the risk rating of a vulnerability, the more aggressive the timeframe must be to remediate or mitigate the vulnerability.

Scan: Any procedure used to detect or identify something participating on the network, or some feature in a system

Vulnerability: Any weakness in a system or process that leaves information security exposed to a threat.

Policy

Known vulnerabilities present a clear risk to the confidentiality, integrity and availability to NIU data, information systems, and things that comprise and connect to NIU-N. That risk must be identified, communicated and managed to the level acceptable to NIU. This policy defines the authorization, requirements and responsibilities for managing those information security vulnerabilities according to risk levels and associated remediation time frames.

Risk and Remediation

The following schedule defines vulnerability risk levels and associated remediation time frames.

In any case where classifications may conflict, the NIU Vulnerability Priority Rating generally takes precedence.

Risk Level: Critical

Remediation Timeframe: Within 72 hours

Classification:

• NIU Vulnerability Priority Rating 9.0 or greater
• CVSS Rating 8.0 or higher
• Vendor Rating “Critical” or equivalent

Risk Level: High

Remediation Timeframe: Within 7 days

Classification:

• NIU Vulnerability Priority Rating between 7.0 and 9.0
• CVSS Rating between 6.0 and 8.0
• Vendor Rating “High” or equivalent

Risk Level: Medium

Remediation Timeframe: Within 14 days

Classification:

• NIU Vulnerability Priority Rating between 4.0 and 7.0
• CVSS Rating between 4.0 and 6.0
• Vendor Rating “Medium” or equivalent

Risk Level: Low

Remediation Timeframe: Within 30 days

Classification:

• NIU Vulnerability Priority Rating 4.0 or less
• CVSS Rating 4.0 or less
• Vendor Rating “Low” or equivalent

Scanning

NIU OIS, is authorized to scan all things that connect to NIU-N. OIS can and will delegate authorization to perform limited scans based on an approval process.

All things that permanently connect to NIU-N are required to be scanned on a regular basis. Limited exceptions can be made through an approval process. All things that temporarily connected to NIU-N may be scanned at any time.

Patching and Updating

All things that comprise or connect to NIU-N must apply security updates to all code that resides on it, based on the vulnerability risk and remediation schedule. If a security update does not exist to remediate the vulnerability within the associated timeframe, additional mitigating controls must be implemented to reduce the risk to an acceptable level.

Compliance and Responsibilities

If for any reason, patches or mitigating controls cannot be deployed within the remediation timeframe, the responsible system owner/administrator has the responsibility to submit a patch deferment request within one day of notification of vulnerability.

Only the University Chief Information Officer (CIO) upon advice from the University Chief Information Security Officer (CISO) can evaluate the risks presented by non-compliant computing systems and will determine the actions required to address them.

NIU OIS is authorized to limit network access to anything or anyone connected to or using NIU-N, in any case where University resources are actively threatened, or fail to comply with this policy. NIU OIS will act in the best interest of the University by securing the resources in a manner consistent with the Information Security Incident Response Plan and minimization of threats to information systems.

If it is suspected that this policy is not being followed, anyone may report the lack of compliance to the Division of IT Office of Information security by sending an email to abuse@niu.edu.