Information Security: Threat and Vulnerability Management Standard

1. Purpose of Procedure

2. Responsible UW System Officer

3. Definitions

•  IT Asset
• IT Asset Owner
• Patch Management
• Penetration Testing
• Vulnerability Management
• Vulnerability Scanning

4. Procedures

A. Standards

I. Vulnerability Management

1. Vulnerability Identification and Risk Evaluation
   1. Identify and document discovered vulnerabilities using the most current version of the Common Vulnerability Scoring System (CVSS), alongside other relevant contextual factors such as known exploits, asset exposure, business criticality, and threat intelligence.
   2. Classify and prioritize vulnerabilities based on overall risk, including consideration of asset classification, likelihood of exploitation, and potential operational impact.
2. Remediation Prioritization, Timelines, and Validation
   1. Develop and implement remediation plans starting with vulnerabilities posing the highest risk to the organization, especially those affecting critical or high-value systems.
   2. The following default factors and timelines shall serve as a baseline for remediation. Adjustments may be made when additional factors justify reprioritization. Any deviations must follow the exception process described in subsection 4.A.I.2.f:
      1. Critical Risk Vulnerabilities – typically include those with a combination of high-impact factors, such as known exploits, internet exposure, or a CVSS ≥9.0. Remediate within 3 calendar days.
      2. High Risk Vulnerabilities – typically include vulnerabilities with a CVSS score of 7.0 – 8.9, internal systems with elevated privileges, or other factors that suggest elevated but not urgent risk. Remediate within 30 days.
      3. Medium Risk Vulnerabilities – generally include vulnerabilities with a CVSS score of 4.0 – 6.9 or those with a moderate potential for impact or exploitation. Remediate within 180 days.
      4. Low Risk Vulnerabilities – may include vulnerabilities with a CVSS score < 4.0, limited exposure, or minimal operational impact. Remediate within 365 days or as part of normal maintenance cycles.
   3. Remediation timelines begin upon initial time of detection and upon the availability of a vendor patch or a viable mitigation.
   4. Where possible, compensating controls should be implemented until full remediation can occur.
   5. Verify that remediation actions are effective through follow-up scanning or manual validation, as appropriate.
   6. Exceptions to the default remediation timelines must be documented, risk-justified, and approved through the university’s risk acceptance or exception management process. Exceptions should include a defined rationale, compensating controls (if applicable), and a review timeline not to exceed one year.

II. Vulnerability Scanning

The following activities must be included as part of a comprehensive scanning process:

1. Identify and define all university-owned or leased IT assets that are in scope for scanning, with particular attention to those processing, storing, or transmitting High-Risk data.
2. Define appropriate scan windows based on operational requirements and asset availability.
3. Scanning frequency must be aligned with asset risk profiles, business impact, and threat exposure. At a minimum:
   1. All IT assets that store, process, or transmit High-Risk data must be scanned at least monthly.
   2. All other IT assets must be scanned at least quarterly.
4. Perform ad-hoc scans in response to significant environment changes, such as new systems deployments, major configuration changes, or emerging threats.

• Systems housing sensitive or High-Risk data
• Critical infrastructure or enterprise applications
• Systems with complex configurations or legacy components

III. Patch Management

1. Continuously monitor for available patches and security updates from vendors and trusted sources.
2. Prioritizing patch deployment based on the risk level of the vulnerability, the criticality of the asset, and likelihood of exploitation.
3. Applying patches within timeframes that reflect the asset’s business criticality and severity of the vulnerability.
4. Coordination of a patch window with appropriate stakeholders.
5. Generation of patch management reports.
6. Validation of the appropriate application of patches.

IV. Penetration testing

1. Penetration testing of University owned, or leased, IT assets, should be done on an annual basis.
2. Penetration testing should consist of network and application layer penetration tests.
3. Specific third-party penetration testing requirements, such as PCI-DSS, must be adhered to as appropriate.

V. Threat Intelligence

1. Identification of threat intelligence feeds relevant to campus.
2. Analysis of threat intelligence, and identification and sharing of potential threats with campus leadership, IT staff, and other universities, as appropriate.
3. Subscription to and utilization of threat intelligence reports.

5. Related Documents

6. History