Body
UMS has a Vulnerability Management Program to ensure flaws and vulnerabilities in IT systems are uncovered and remediated in a timely manner.
UMS Vulnerability Remediation
- Contact: infosecurity@maine.edu
- Adopted Date: May 2022
- Responsible Office: Information Security Office
- Approved By: John Forker
Reason for Policy
Adhering to the timelines for remediating security flaws and vulnerabilities in IT systems reduces the likelihood of a system compromise.
Who Should Read This Policy
US:IT Staff, System Administrators, Network Administrators, Application Developers, Service Owners
Policy Statement
If you learn of new vulnerabilities in systems you are responsible for, via a vulnerability scan report or from vendor or 3rd-party alerts, you are expected to remediate them according to the timelines below.
Prioritize Based on Severity
Prioritize your remediation efforts based on the severity of the vulnerability and its potential impact on the confidentiality, integrity, or availability of the vulnerable system or data. Vulnerability severity is determined by the rating provided by the National Institute of Standards and Technology (NIST) Common Vulnerability Scoring System (CVSS) v3.0.
Highest priority should be given to vulnerabilities rated Critical (CVSS 9-10) followed by those designated High (CVSS 7-8.9).
1. Determine Remediation Timeframe
After a vulnerability is detected and a fix is available, the timeline for remediation begins.
- Critical (CVSS 9-10) Vulnerabilities:
Create a corrective action plan within 3 calendar days
Remediate vulnerability within 14 calendar days
- High (CVSS 7-8.9) Vulnerabilities:
Create a corrective action plan within 14 calendar days
Remediate vulnerability within 30 calendar days
Can be resolved based on availability of staff resources.
2. Plan Corrective Actions
Corrective action plans should:
- Validate that the vulnerability is properly identified and prioritized.
- Include action-oriented descriptions of the steps that will be taken to mitigate the vulnerability.
- Ensure that appropriate resources are, or will be, available to remediate the vulnerability.
- Identify milestones in the remediation process to fully address and resolve the vulnerability;
- Ensure that the schedule for resolving the vulnerability is achievable and allows for appropriate testing.
Can't meet the expected remediation timeline? Contact ISO to discuss options and alternatives to ensure a secure IT environment with acceptable risk.
Additional Policy Details
Vulnerability Remediation timelines are derived from the UMS Vulnerability Management Program
When leaving feedback below, please leave your contact information if you would like a response.