Original Issuance Date: April 14, 2021

Last Revision Date: March 2, 2022

Effective Date: April 1, 2022

1.     Purpose of Procedures

The purpose of this standard is to establish the minimum requirements for vulnerability management, vulnerability scanning, patch management, threat intelligence and penetration testing of University of Wisconsin (UW) System owned or leased information.

2.     Responsible UW System Officer

Associate Vice President (AVP) for Information Security

3.     Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

  • IT Asset Owner
  • Patch Management
  • Penetration Testing
  • Vulnerability Management
  • Vulnerability Scanning

4.     Procedures

A. Roles and Responsibilities

The following roles are responsible for discovery, assessment, remediation and validation of vulnerabilities. Specific responsibilities are outlined below:

  • Each UW Institution Information Security Officer, or their designee, is responsible for working with the IT asset owner to perform a vulnerability assessment of University owned, or leased, IT assets.
  • IT asset owners are responsible for ensuring that the associated assets are available for vulnerability scanning.
  • System Administrators are responsible for implementing remediation actions for detected vulnerabilities on University owned, or leased, IT assets.

B. Standards

I. Vulnerability Scanning

Each UW Institution must perform external vulnerability scanning, including the following related activities:

  • Identify IT assets in-scope, and their respective scan windows.
  • If necessary, configure and deploy scanning software components to the IT assets within scope.
  • Configure endpoints and network infrastructure within scope, to allow access for vulnerability scans.
  • Schedule and conduct regular periodic scans of IT assets in-scope.
  • Perform ad-hoc scanning when the environment has undergone changes that may affect the security posture.
  • Scanning frequency should be commensurate with the asset risk profile. At a minimum, all University owned, or leased, IT assets containing High-Risk data must be scanned monthly and all other University owned, or leased IT assets must be scanned quarterly.

When appropriate to gain maximum visibility into an IT asset, this should include authenticating internal scanning.

II. Vulnerability Management

  • Identify and document the discovered vulnerabilities with the most current version of the Common Vulnerability Scoring System (CVSS).
  • Create a remediation plan by prioritizing patching according to asset categorization or classification i.e. starting with the most critical vulnerabilities on the most important assets and then proceed to the less critical ones.
    • Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating exceeding 8.9 should be remediated as soon as possible and must be remediated within 3 days.
    • Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 7.0 – 8.9 must be remediated within 30 days.
    • Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating between 4.0 – 6.9 must be remediated within 180 days.
    • Vulnerabilities with a Common Vulnerability Scoring System (CVSS) rating lower than 4.0 should be addressed within 365 days during normal maintenance cycles.
  • Once a patch is available from the vendor, the timelines outlined above start.
  • Remediate vulnerabilities according to the plan.
  • Validate that the vulnerabilities are remediated by rescanning.
  • Vulnerabilities with CVSS rating exceeding 6.9 that will not be remediated, according to the above schedule, need to be identified and documented in accordance with UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance.

III. Patch Management

UW institutions are responsible for maintaining a documented patch management process for all University owned, or leased, IT assets, which must include the following, at a minimum:

  • Identification and prioritization of patches to be installed.
  • Mapping of IT asset to business criticality and risk.
  • Applying patches in a timeline consistent with business criticality and risk.
  • Coordination of a patch window with appropriate stakeholders.
  • Patching of systems and generation of patch management reports.
  • Validation of the appropriate application of patches.
  • Evaluation and testing of critical patches prior to deployment.
  • The patch management program should be automated to the extent possible.

IV. Penetration testing

  • Penetration testing of University owned, or leased, IT assets, should be done on an annual basis.
  • Penetration testing should consist of network and application layer penetration tests.
  • Specific third-party penetration testing requirements such as PCI-DSS must be adhered to as appropriate.

V. Threat Intelligence

Each UW Institution must conduct ongoing external routine threat intelligence gathering and sharing, which at a minimum includes:

  • Identification of threat intelligence feeds relevant to campus.
  • Analysis of threat intelligence, and identification and sharing of potential threats with campus leadership, IT staff as appropriate, and other UW institutions.
  • Subscription to and utilization of threat intelligence reports.

VI. documentation and Metrics

UW institutions are responsible for reporting vulnerability and patch management metrics, which include the following, at a minimum:

  • A list of patches to be applied with criticality rating of each.
  • Mean time to remediate.
  • Percentage of IT assets that were not remediated within required timeframes.
  • Any additional metric to measure patch and vulnerability management effectiveness.

5.     Related Documents

Appendix A- Vulnerability Identification, Patch Management Process and Vulnerability Ranking

Regent Policy Document 25-5, Information Technology: Information Security  

UW System Information Security Program 

UW System Administrative Policy 1039, Information Security: Risk Management

UW System Administrative Procedure 1039.A, Information Security: Risk Management Procedure

UW System Administrative Procedure 1039.B, Information Security: Notification of Risk Acceptance

UW System Administrative Policy 1042, Information Security: Threat and Vulnerability Management

6.     History

Revision 1: March 2, 2022

First approved: April 14, 2021