UMS Vulnerability Remediation

Summary

This article outlines the required response timelines for US:IT staff to identify and remediate vulnerabilities in the IT systems they manage. The timelines are defined in the UMS Vulnerability Management Program.

Body

UMS has a Vulnerability Management Program to ensure flaws and vulnerabilities in IT systems are uncovered and remediated in a timely manner.

UMS Vulnerability Remediation

  • Contact: infosecurity@maine.edu
  • Adopted Date: May 2022
  • Responsible Office: Information Security Office
  • Approved By: John Forker

Reason for Policy

Adhering to the timelines for remediating security flaws and vulnerabilities in IT systems reduces the likelihood of a system compromise.

Who Should Read This Policy

US:IT Staff, System Administrators, Network Administrators, Application Developers, Service Owners

Policy Statement

If you learn of a new vulnerability in a system you are responsible for, whether from a vulnerability scan report or from a vendor or third-party alert, you are expected to remediate it according to the timelines below.

Prioritize Based on Severity

Prioritize your remediation efforts based on the severity of the vulnerability and its potential impact on the confidentiality, integrity, or availability of the vulnerable system or data. Vulnerability severity is determined by the Common Vulnerability Scoring System (CVSS) v3.0 base score, as published for each vulnerability in the NIST National Vulnerability Database (NVD).

Highest priority should be given to vulnerabilities rated Critical (CVSS 9.0-10.0), followed by those rated High (CVSS 7.0-8.9).

1. Determine Remediation Timeframe

The remediation timeline begins once both conditions are met: the vulnerability has been detected, and a fix is available.

  • Critical (CVSS 9-10) Vulnerabilities:

    Create a corrective action plan within 3 calendar days

    Remediate vulnerability within 14 calendar days

  • High (CVSS 7-8.9) Vulnerabilities:

    Create a corrective action plan within 14 calendar days

    Remediate vulnerability within 30 calendar days

  • Other Vulnerabilities:

    Remediate as staff resources allow.
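The banding and due-date rules above are simple to apply by hand for one finding, but scan reports arrive with dozens. The following is an added example, not UMS tooling, showing how a service owner could compute the corrective-action-plan and remediation due dates for a list of findings, start the clock only once a fix is available, and order the results by priority. The finding records (host names, finding IDs, scores, and dates) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy timelines in calendar days: (corrective action plan due, remediation due).
# "Other" findings have no fixed deadline and are handled as resources allow.
TIMELINES = {
    "Critical": (3, 14),
    "High": (14, 30),
}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3.0 base score onto the bands the policy uses."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    return "Other"


@dataclass
class Finding:
    host: str
    finding_id: str          # scanner or vendor reference (constructed here)
    cvss: float
    detected: date
    fix_available: Optional[date]  # None while no vendor fix exists


def due_dates(f: Finding):
    """Return (band, plan_due, remediate_due); dates are None when no clock runs."""
    band = severity_band(f.cvss)
    if band == "Other" or f.fix_available is None:
        return band, None, None
    # The policy clock starts only when the finding is detected AND a fix exists,
    # so the start is the later of the two dates.
    start = max(f.detected, f.fix_available)
    plan_days, fix_days = TIMELINES[band]
    return band, start + timedelta(days=plan_days), start + timedelta(days=fix_days)


def triage(findings, today: date):
    """Order findings Critical > High > Other, earliest deadline first, with a status."""
    rows = []
    for f in findings:
        band, plan_due, fix_due = due_dates(f)
        if band == "Other":
            status = "as resources allow"
        elif fix_due is None:
            status = "no fix available; clock not started"
        elif today > fix_due:
            status = f"OVERDUE by {(today - fix_due).days} days"
        else:
            status = f"{(fix_due - today).days} days left (plan due {plan_due})"
        rows.append((f, band, fix_due, status))
    order = {"Critical": 0, "High": 1, "Other": 2}
    rows.sort(key=lambda r: (order[r[1]], r[2] or date.max))
    return rows


# Constructed sample scan results; not real hosts or findings.
SAMPLE_FINDINGS = [
    Finding("web01", "FINDING-A", 9.8, date(2024, 3, 1), date(2024, 3, 1)),
    Finding("db02", "FINDING-B", 7.5, date(2024, 3, 1), date(2024, 3, 10)),
    Finding("app03", "FINDING-C", 9.1, date(2024, 3, 5), None),
    Finding("file04", "FINDING-D", 5.3, date(2024, 2, 1), date(2024, 2, 1)),
]

if __name__ == "__main__":
    for f, band, fix_due, status in triage(SAMPLE_FINDINGS, date(2024, 3, 20)):
        print(f"{band:8} {f.host:7} {f.finding_id:10} due {fix_due}  {status}")
```

Note that FINDING-B's clock starts on 10 March, when its fix appeared, not on 1 March when it was detected, so its remediation date is 9 April rather than 31 March. FINDING-C is Critical but has no fix yet; it still belongs at the top of the list so that it is re-checked at every scan cycle rather than forgotten.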

2. Plan Corrective Actions

Corrective action plans should:

  • Validate that the vulnerability is properly identified and prioritized.
  • Include action-oriented descriptions of the steps that will be taken to mitigate the vulnerability.
  • Ensure that appropriate resources are, or will be, available to remediate the vulnerability.
  • Identify milestones in the remediation process to fully address and resolve the vulnerability.
  • Ensure that the schedule for resolving the vulnerability is achievable and allows for appropriate testing.

Can't meet the expected remediation timeline? Contact the Information Security Office (ISO) to discuss options and alternatives that keep the IT environment secure with acceptable risk.

Additional Policy Details

Vulnerability remediation timelines are derived from the UMS Vulnerability Management Program.



Details

Article ID: 138777
Created
Thu 7/28/22 5:47 PM
Modified
Mon 10/23/23 10:36 AM
Applies To
Students
Faculty
Staff