UMS Vulnerability Remediation

UMS has a Vulnerability Management Program to ensure flaws and vulnerabilities in IT systems are uncovered and remediated in a timely manner.

UMS Vulnerability Remediation [draft]

  • Contact: infosecurity@maine.edu
  • Adopted Date: May 2022
  • Responsible Office: Information Security Office
  • Approved By: John Forker

Reason for Policy

Adhering to the timelines for remediating security flaws and vulnerabilities in IT systems reduces the likelihood of a system compromise.

Who Should Read This Policy

US:IT Staff, System Administrators, Network Administrators, Application Developers, Service Owners

Policy Statement

If you learn of new vulnerabilities in systems you are responsible for, via a vulnerability scan report or from vendor or 3rd-party alerts, you are expected to remediate them according to the timelines below.

Prioritize Based on Severity

Prioritize your remediation efforts based on the severity of the vulnerability and its potential impact on the confidentiality, integrity, or availability of the vulnerable system or data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS).

Highest priority should be given to vulnerabilities rated Critical (CVSS 9-10) followed by those designated High (CVSS 7-8.9).

1. Determine Remediation Timeframe

After a vulnerability is detected and a fix is available, the timeline for remediation begins.

  • Critical (CVSS 9-10) Vulnerabilities:

    Create a corrective action plan within 3 calendar days

    Remediate vulnerability within 14 calendar days

  • High (CVSS 7-8.9) Vulnerabilities:

    Create a corrective action plan within 14 calendar days

    Remediate vulnerability within 30 calendar days

  • Other Vulnerabilities:

    Can be resolved based on availability of staff resources.

2. Plan Corrective Actions

Corrective action plans should:

  • Validate that the vulnerability is properly identified and prioritized.
  • Include action-oriented descriptions of the steps that will be taken to mitigate the vulnerability.
  • Ensure that appropriate resources are, or will be, available to remediate the vulnerability.
  • Identify milestones in the remediation process to fully address and resolve the vulnerability.
  • Ensure that the schedule for resolving the vulnerability is achievable and allows for appropriate testing.

Can't meet the expected remediation timeline? Contact ISO to discuss options and alternatives to ensure a secure IT environment with acceptable risk.

Additional Policy Details

Vulnerability Remediation timelines are derived from the draft UMS Vulnerability Management Program (2022, location TBD).


Details

  • Article ID: 138777
  • Created: Thu 7/28/22 5:47 PM
  • Modified: Wed 8/17/22 10:23 AM
  • Applies To: Students, Faculty, Staff