Owner: Chief Information Officer
Author: Chief Campus Information Security Officer
Contact information: servicedesk@css.edu
Effective Date: 01/01/2025
Next Review Date:
Applicable Laws, regulations, compliance: FERPA, HIPAA, PCI DSS, GLBA, CISA Vulnerability Management Best Practices, and NIST SP 800-40.
I. Purpose
This policy establishes a standardized approach for identifying, assessing, mitigating, and tracking vulnerabilities across the College’s IT systems. The approach ensures timely remediation, supports compliance with security regulations, and minimizes institutional data and operations risk.
II. Definitions
- Vulnerability: A vulnerability is a weakness in a system that one could exploit to compromise security.
- Deferred Vulnerability: A deferred vulnerability is one whose mitigation is postponed due to technical, operational, or other constraints.
- Accepted Risk: An accepted risk refers to a vulnerability for which remediation is not planned, and the associated risk is formally accepted by leadership.
- Vulnerability Severity: Vulnerability severity is the classification of vulnerabilities as Critical, High, Medium, or Low, based on their potential impact and exploitability.
III. Policy
- Identification and Assessment:
  - Weekly vulnerability scans must be conducted to identify potential risks.
  - Documentation must exist for vulnerabilities identified through penetration testing, external assessments, or user reports.
  - All vulnerabilities will be categorized by severity (Critical, High, Medium, Low).
- Prioritization and Remediation:
  - Critical Vulnerabilities: Must be addressed within three business days.
  - High Vulnerabilities: Must be addressed within five business days (one business week).
  - Medium Vulnerabilities: Must be addressed within 10 business days (two business weeks).
  - Low Vulnerabilities: Must be addressed within 20 business days (four business weeks).
- Tracking and Reporting:
  - All vulnerabilities must be logged in the College’s centralized ticketing system within one business day of discovery.
  - The vulnerability tracking form will be used for the following:
    - Logging newly discovered vulnerabilities to document their lifecycle, including decisions to mitigate, defer, or accept risks.
    - Recording actions system administrators take, such as resolving a vulnerability or implementing compensating controls.
  - System administrators must log any independently resolved vulnerabilities using the vulnerability tracking form. This ensures that all vulnerabilities, including those resolved without prior logging, are documented for oversight and reporting purposes.
  - Weekly reports highlight progress, unresolved vulnerabilities, and deferred or accepted risks.
- Deferred or Accepted Risks:
  - Deferred vulnerabilities must include a justification and reassessment date.
  - Information security leadership must document and approve accepted risks, including a rationale and compensating controls.
- Compliance with Applicable Laws:
  - This policy supports FERPA, HIPAA, PCI DSS, and GLBA compliance by ensuring systematic vulnerability management practices that enhance the security of sensitive systems and data.
IV. Individuals and entities affected by this policy
This policy applies to all IT staff responsible for managing and maintaining the College’s IT systems, including the information security leadership, system administrators, and IT leadership.
V. Related documents, forms, and procedures
- Other IT and IT Security policies
VI. History and updates
The College reserves the right to modify policies at any time, ensuring the involvement of relevant committees and constituents in the decision-making process (e.g., policy committee, faculty assembly, staff council, student government association, etc.).