Overview
Developed in response to compliance requirements, the Vulnerability Management program helps University units implement robust vulnerability management processes and procedures. It enables units to quickly identify and mitigate risks to University data and systems, and it ensures Pitt remains in compliance with applicable laws and regulations.
Detail
Purpose
According to NIST SP 800-30, a “vulnerability” is defined as a:
“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
Vulnerability Management refers to the processes and procedures by which vulnerabilities in information systems, infrastructure, applications, and services are identified, analyzed, mitigated, and remediated.
The standards as outlined in this document define how Vulnerability Management best practices are expected to be implemented by Pitt IT and its IT Partners as directed by the University Chief Information Officer (CIO) and Chief Information Security Officer (CISO).
Definitions
IT Partner
An IT Partner is any University responsibility center, department, division, school, individual, or body other than Pitt IT responsible for the operation, administration, support, or security of University information systems and assets, as recognized by the Office of the Chief Information Officer (CIO). This definition may also include Pitt IT staff acting as a consultant or contractor for an IT Partner organization or an external third party conducting official business on behalf of the University of Pittsburgh.
Implementing Authority
The Implementing Authority refers to the University of Pittsburgh responsibility center, department, division, school, individual, or other body implementing these standards.
Support
Supported information systems are those that fall under the responsibility of the implementing authority for the installation, operation, maintenance, administration, or protection of that system, either directly or indirectly. The implementing authority is expected to assess its computing environment periodically and identify all information systems and technical resources that should be considered “supported” assets.
Scope
These standards apply to all University of Pittsburgh information systems, computing resources, and technical assets - including hardware, software, and applications - that:
A. Routinely connect to the University’s physical or Wi-Fi networks or public and private cloud services
B. Are used to conduct business, research, instruction, or other University-related activities
C. Are systems for which Pitt IT, an IT Partner, or other University of Pittsburgh personnel have direct responsibility for providing technical administration, operation, maintenance, technical support, or information technology-related services
In some circumstances, and as deemed appropriate by the implementing body, the scope of these standards may extend to individually owned and operated equipment or equipment owned and operated by external third parties used to conduct official University-related business and other activities.
Governing Laws and Regulations
The University of Pittsburgh maintains compliance with the following government and industry regulations that either directly or indirectly dictate the importance of vulnerability management standards:
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Modernization Act (FISMA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171
- Payment Card Industry Data Security Standards (PCI DSS)
- Sarbanes-Oxley Act (SOX)
Standards
- All vulnerability management-related processes and procedures, including vulnerability assessment and system patching, will only be performed by designated and authorized University of Pittsburgh personnel.
- All designated and authorized IT personnel with information system administration, operation, maintenance, and protection responsibilities will subscribe to and frequently review publicly and privately available resources for vulnerability alerts and patch release information.
- All IT assets supported by the implementing authority, including all hardware and software components, must be accurately listed in an asset inventory system or database maintained by designated IT personnel.
- All IT assets supported by the implementing authority will be assessed for relative importance and business criticality. These assets will be labeled with the results in the implemented asset management solution.
- The implementing authority will proactively establish routine patch management processes and procedures covering all supported information systems, operating systems, software, and applications to remediate known vulnerabilities.
- Vulnerability scanning tools will be used to perform periodic scans of supported information technology systems and network segments to identify unpatched information security vulnerabilities.
- Each vulnerability detected on supported information systems will be analyzed, evaluated, and assigned urgency based on the intrinsic qualities of the vulnerability, the criticality of the business systems it impacts, and the sensitivity of the data supported by those assets.
- The implementing authority will implement mitigation and remediation procedures that include but are not limited to the installation of patches, configuration changes, and defense-in-depth controls. Specific mitigation and remediation actions will be identified based on assessed risk factors, including the availability of security patches and implementation complexity.
- All mitigation and remediation activities must follow change management processes established by the implementing authority.
- In coordination with Pitt IT, the implementing authority will establish clearly defined expectations and timelines for the remediation of detected vulnerabilities on supported information systems. If remediation is not completed by established timelines, the implementing body will complete a Plan of Action & Milestones (POA&M) or Risk Acceptance Form and submit these to Pitt IT. POA&Ms and Risk Acceptance Forms must be reviewed and signed off by the implementing authority’s senior leadership and the University Chief Information Security Officer (CISO), Deputy CISO, or a delegated authority.
- In coordination with Pitt IT, the implementing authority will establish clear processes and procedures for identifying information systems and assets that must be excluded from standard patch and vulnerability management processes, procedures, and standards.
- All configuration and inventory documentation must be updated promptly to reflect applied changes.
- All new information systems and assets provisioned or installed on behalf of the implementing authority will automatically fall within the scope of these standards.
Auditing and Non-Compliance
Pitt IT may periodically audit systems and services, including those of IT Partners, for compliance with these vulnerability management program standards. At the discretion of the University’s Chief Information Officer (CIO), Chief Information Security Officer (CISO), or delegated authority, Pitt IT may take action to mitigate or remediate outstanding vulnerabilities in information systems that represent an extraordinary risk to the University’s IT infrastructure, services, data, or business operations, including, but not limited to:
- Network isolation or disconnection
- Device or user account suspension
- Physical removal of equipment from University of Pittsburgh facilities
Reporting Security Incidents
All suspected IT security incidents must be promptly reported to the Technology Help Desk at +1-412-624-HELP (4357). Examples of security events include, but are not limited to:
- Virus, spyware, or other malicious programs found on your computer.
- Any attempts to break into your computer over the network.
- Any unauthorized disclosure of sensitive information stored on a computer.
- You have opened an attachment or clicked a malicious link.
When reporting a security event, please be ready to provide the following information:
- What you have observed.
- Whether the situation may involve more than one computer.
- The date and time the incident occurred.
- The computer’s name, serial number, and IP network address (if known).
- The location of the computer.
- Whether or not any potentially sensitive information is stored on the computer.
Related Information
Please see the How to Report Security Issues page for more detailed information.