Vulnerability Management Guidelines

Purpose

This document aims to establish the Vulnerability Management Guidelines for the University of Nevada, Las Vegas (UNLV). These guidelines serve as a framework for effectively managing information security vulnerabilities and their prompt remediation.

Summary

The Vulnerability Management Guidelines outline the essential guidelines for addressing information security vulnerabilities and ensuring timely resolution. This document is designed to enhance the University's overall security posture and protect sensitive information by defining the procedures and responsibilities related to vulnerability management and remediation.

Scope

These guidelines encompass all information systems and resources owned or operated by UNLV or on its behalf. All individuals associated with the university, including but not limited to employees, students, contractors, and other parties granted access to university information or computer systems maintained on behalf of the university, are obligated to comply with the provisions of these guidelines.

Definitions

Actively Exploited: A vulnerability known to be exploited by malicious code or actors, which is supported by dependable and verified evidence. This evidence may include open-source reports, social media, and other news from trusted security vendors, government agencies, or researchers. This vulnerability is classified as a Special Case.

CISA (Cybersecurity and Infrastructure Security Agency): The operational lead for federal cybersecurity and the national coordinator for critical infrastructure security and resilience.

CISO (Chief Information Security Officer): A university employee primarily responsible for information security leadership and oversight.

Common Vulnerabilities and Exposures (CVE): A publicly accessible database that catalogs recognized cybersecurity vulnerabilities in software, hardware, and other digital systems.

Common Vulnerability Scoring System (CVSS): A standardized framework for rating the severity of security vulnerabilities in software, facilitating the prioritization of remediation efforts based on the potential impact and exploitability of the vulnerabilities.

Compensating Controls: Security and privacy measures that are used when it is impractical to implement a recommended security control. The alternative control should provide equivalent or comparable protection and help mitigate the risk from the vulnerability.

Endpoint Detection and Response (EDR): A cybersecurity technology that continually monitors and responds to mitigate malicious activities on endpoints.

Information Resources: University information and associated assets, which include but are not limited to the following categories:

  • Hardware Assets, including:

    • Data center services, database management, servers, workstations, classroom technologies, printers, scanners, and any other network equipment owned by the University. 

  • Software Assets, including:

    • Operating systems, applications, and other software and licenses via media, online methods, and license services. Includes both cloud-based and desktop software.

  • User Accounts and Access, including:

    • User accounts associated with IT resources

    • Guest accounts that have limited access to University Resources.

Information System: A significant application or a comprehensive support structure utilized for managing university information, consisting of interconnected subsystems usually managed by the same authority. These subsystems share functions and security requirements and are typically in the same operational environment.

Information System Owner: An individual or a designated unit that holds accountability for the comprehensive spectrum of activities associated with an Information System.

Information Security Office (ISO): This department is responsible for developing and distributing information security policies, standards, and guidelines for the university community. They play a pivotal role in protecting the university's information security by creating and disseminating key directives to ensure the integrity and security of university information.

Special Case: Vulnerabilities that exceed routine risk thresholds due to active exploitation, credible near-term threats, or significant business impact and require expedited triage, rapid mitigation, and escalation if action is not taken in a timely manner. Special cases include, but are not limited to, listings from CISA's Known Exploited Vulnerabilities (KEV), zero-day vulnerabilities, and supply chain compromises.

Security Information and Event Management (SIEM): A solution that aggregates and analyzes activity from many different resources across an organization's IT infrastructure.

Unit: A college, department, school, program, research center, business service center, or other operating group of the University.

University Information: Any communication or representation of knowledge, such as facts, data, or opinions, recorded in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual, owned or controlled by or on behalf of the university.

University-Related Persons: University students and applicants for admission, university employees and applicants for employment, Designated Campus Colleagues (DCCs), alums, retirees, temporary employees of agencies who are assigned to work for the university, and third-party contractors engaged by the university and their agents and employees.

Vulnerability: A weakness or gap in a security program that threats can exploit to gain unauthorized access to an asset.

Vulnerability Management: A continuous process to protect information resources from cyberattacks and data breaches.

Vulnerability Management Tools: Software used by the ISO to assess assets, compile vulnerability reports, and ensure compliance. Automated updates provide current risk and remediation information. In addition, EDR tool(s) offer real-time monitoring and response, while SIEM tool(s) analyze network traffic for security and incident investigation.

Zero Day: An attack that exploits a previously unknown hardware, firmware, or software vulnerability to compromise systems or networks. Such vulnerabilities have been publicly disclosed before a remediation is available, posing an imminent risk of exploitation. These vulnerabilities are classified as Special Cases.

Compliance

Tracking, Measuring, and Reporting

The ISO must develop, test, review, maintain, and communicate a representation of the UNLV security posture to university leadership. The ISO is authorized to initiate mechanisms to track the effective implementation of information security controls associated with these guidelines and to produce reports measuring individual or unit compliance to support university decision-making.

Governing Laws, Frameworks, and Regulations

UNLV adheres to several government and industry frameworks and regulations related to vulnerability management standards, including but not limited to:

  • Cybersecurity and Infrastructure Security Agency (CISA) 

  • Family Educational Rights and Privacy Act (FERPA) 

  • Federal Information Security Modernization Act (FISMA) 

  • Gramm-Leach-Bliley Act (GLBA) 

  • Health Insurance Portability and Accountability Act (HIPAA) 

  • National Institute of Standards and Technology (NIST) 

  • Payment Card Industry Data Security Standards (PCI DSS) 

  • Sarbanes-Oxley Act (SOX)

Recourse for Noncompliance

The ISO is authorized to limit network access for individuals or units not in compliance with all information security policies and related procedures. In cases where university resources are actively threatened, the CISO must act in the university's best interest by securing the resources in a manner consistent with the Information Security Incident Response Plan. In urgent situations requiring immediate action, the CISO or the designated person makes the decision.

Exceptions

Requests for exceptions to any information security policies may be granted for information systems with compensating controls to mitigate risk. Any requests must be submitted to the CISO for review and approval per the Policy Exception.

Frequency of Document Review

At a minimum, the CISO must review information security policies and procedures annually. This document is subject to revision based on the findings of these reviews.

Roles and Responsibilities

University-Related Persons

  • All university-related persons are responsible for complying with these guidelines and, where appropriate, supporting and participating in processes related to compliance with these guidelines.

Information System Owners

  • Information system owners are responsible for implementing processes and procedures that comply with the ISO's minimum standards and enabling and participating in validation efforts, as appropriate.

  • This encompasses procurement, development, integration, modification, decommission, and the ongoing operation and maintenance of the information system. 

Chief Information Security Officer

  • The CISO is authorized to disconnect affected individuals or units from the network. In cases of noncompliance with this document, the university may apply appropriate employee sanctions or administrative actions, in accordance with relevant administrative, academic, and employment policies.

In relation to vulnerability management and at the direction of the CISO, the ISO must:

  • Conduct routine scans on information resources to identify vulnerabilities.

  • Identify solutions that provide consistency in compliance and reporting.

  • Develop, establish, maintain, and enforce information security guidelines and relevant standards and processes.

  • Provide oversight of information security governance processes.

  • Educate the university community about individual and organizational information security responsibilities.

  • Measure and report on the effectiveness of university information security efforts.

  • Delegate individual responsibilities and authority specified in these guidelines as necessary.

Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers

  • All Vice Presidents, Deans, Directors, Department Heads, and Heads of Centers must take appropriate actions to comply with university policies. These individuals have ultimate responsibility for university resources, for the support and implementation of these guidelines within their respective units, and, when requested, for reporting on policy compliance to the ISO. While specific responsibilities and authorities noted herein may be delegated, this overall responsibility may not.

Vulnerability Prioritization 

The ISO follows CISA guidelines, which set risk-based timelines for fixing vulnerabilities according to their likelihood of exploitation and their impact on the organization. Special cases may fall outside CISA's guidelines.

  • Special Cases: Should be remediated immediately. If remediation is not feasible, implement compensating controls and consider removing the system from the network. The ISO will provide recommendations for remediation after determining potential risk, impact, and likelihood.

  • Critical vulnerabilities: Should be remediated within 15 days. These are the most severe issues that could allow attackers to cause significant damage, such as taking over systems or stealing sensitive data.

  • High vulnerabilities: Should be remediated within 30 days. These serious issues could still allow attackers to cause harm, but not as immediately as critical vulnerabilities.

  • Medium vulnerabilities: Should be remediated within 60 days. These issues could allow attackers to cause some harm; they often present a risk to the integrity of the system as a whole, or cause only a modest impact.

  • Low vulnerabilities: Should be remediated within 90 days. These issues have a minor effect on security and may pose little to no immediate risk, but addressing them reduces potential future exposure.

  • Informational vulnerabilities: Potentially unwanted discoveries that may be waived or actioned after an individual evaluation. These findings more often reveal information about the system and how it operates than represent real vulnerabilities.

CVSS Score            Remediation Time   Maximum Exception Time   Waiver Approval
Special Case          Immediately        TBD                      CISO or delegated authority
Critical (9.0-10.0)   15 days            6 months                 CISO or delegated authority
High (7.0-8.9)        30 days            6 months                 CISO or delegated authority
Medium (4.0-6.9)      60 days            1 year                   CISO or delegated authority
Low (0.0-3.9)         90 days            1 year                   CISO or delegated authority
Informational         1 year             1 year                   ISO

Remediation Exceptions

  • Exceptions are extensions with compensating controls that must be revisited periodically. Approval is required from the CISO or a delegated authority, within the time frames defined based on severity, as shown in the table above.

  • If a vulnerability is not remediated within the specified timeline, the affected system will be removed from the network to prevent potential exploitation. However, exceptions may be granted in cases where remediation is delayed due to vendor-related issues, budget limitations, resource constraints, or operational challenges.
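The prioritization table and the exception rules above can be encoded as tracking logic so that every finding carries its severity band, remediation deadline, exception ceiling and approver. The following is an added example written for this article, not UNLV's own tooling; it assumes "6 months" and "1 year" mean 180 and 365 days, that the maximum exception time extends from the remediation deadline, and that the Finding fields (asset, cvss, detected, special_case, exception_until) are a constructed record shape.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severity bands from the guidelines' table: (label, CVSS floor, remediation
# days, maximum exception days, waiver approver). "6 months" and "1 year" are
# taken as 180 and 365 days (assumption; the guidelines give no day counts).
BANDS = [
    ("Critical", 9.0, 15, 180, "CISO or delegated authority"),
    ("High", 7.0, 30, 180, "CISO or delegated authority"),
    ("Medium", 4.0, 60, 365, "CISO or delegated authority"),
    ("Low", 0.0, 90, 365, "CISO or delegated authority"),
]

@dataclass
class Finding:                       # constructed record shape, not a UNLV schema
    asset: str
    cvss: Optional[float]            # None for informational findings
    detected: date
    special_case: bool = False       # KEV listing, zero-day, or supply-chain compromise
    exception_until: Optional[date] = None  # expiry of an approved exception, if any

def classify(f: Finding):
    """Map a finding to (severity, remediation deadline, max exception days, approver)."""
    if f.special_case:               # overrides the CVSS band; exception time is TBD
        return "Special Case", f.detected, None, "CISO or delegated authority"
    if f.cvss is None:
        return "Informational", f.detected + timedelta(days=365), 365, "ISO"
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError("CVSS base score must lie in 0.0-10.0")
    for label, floor, days, max_exc, approver in BANDS:
        if f.cvss >= floor:
            return label, f.detected + timedelta(days=days), max_exc, approver

def exception_within_limit(f: Finding, until: date) -> bool:
    """True if an exception ending on `until` stays inside the band's maximum,
    counted from the remediation deadline (assumption: exceptions extend it)."""
    _, deadline, max_exc, _ = classify(f)
    if max_exc is None:              # Special Case: maximum exception time is TBD
        return False
    return until <= deadline + timedelta(days=max_exc)

def status(f: Finding, today: date) -> str:
    """open, covered by an exception, or overdue (network removal per the guidelines)."""
    _, deadline, _, _ = classify(f)
    if f.exception_until is not None and today <= f.exception_until:
        return "exception"
    return "overdue-remove-from-network" if today > deadline else "open"
```

A finding flagged special_case is dated for immediate remediation regardless of its CVSS score, matching the Special Case row rather than the numeric band.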

Details

Article ID: 2135
Created
Wed 9/24/25 6:48 PM
Modified
Wed 9/24/25 7:30 PM