8.2.3 Vulnerability Management Program

Policy Tracking    Date
Approved           February 8, 2024
Revised
Reviewed


The College Chief Information Officer shall develop, document, and disseminate a vulnerability and patching procedure.

Purpose:

Vulnerability management is the process of searching for, prioritizing, and remediating vulnerabilities in enterprise systems and software. The Vulnerability Management Program provides the processes and procedures for ensuring enterprise assets do not contain vulnerabilities.

Responsibility:

The Information Technology Department is responsible for all information systems vulnerability management functions. IT is responsible for informing all users of their responsibilities in the use of any assets assigned to them, such as applying updates regularly or restarting their systems when required.

Exceptions:

Exceptions to this procedure might occasionally be necessary. Exceptions may include additional time to remediate vulnerabilities or allowing certain systems to continue operating with vulnerabilities in place. Exceptions should be documented in the designated IT Help Desk Support and Incident Management system and contain the following information:

  • The reason for the request,

  • Technical or other difficulties in applying patches,

  • Risk of allowing the exception,

  • Specific mitigations that will be implemented to reduce risk, and

  • Date of review.

Assess:

  1. A process for performing vulnerability management must be established.

    1. This process must be documented and approved.

    2. At a minimum, the vulnerability management process must be reviewed on an annual basis or following significant changes within the enterprise.

    3. IT must monitor vulnerability announcements and emerging threats applicable to the enterprise asset inventory.

    4. All systems connected to non-public and non-instructional segments of the College network must be scanned for vulnerabilities.

Prioritize:

  1. Identified vulnerabilities must be prioritized, with more critical vulnerabilities addressed first.

Remediation:

  1. A process for remediating identified vulnerabilities must be established.

    1. This process must be documented and approved.

    2. At a minimum, this process must be reviewed on an annual basis or following significant changes within the enterprise.

    3. Vulnerabilities that cannot be remediated must be submitted through the vulnerability exception process.

  2. Operating systems must be configured to automatically update, unless an alternative approved patching process is used.

  3. Applications must be configured to automatically update, unless an alternative approved patching process is used.

  4. All users must ensure required reboots occur within a reasonable time frame so that updates are properly installed.

  5. High severity vulnerabilities must be addressed as a matter of priority.

Monitor:

  1. IT staff should subscribe to a threat information service to receive notifications of recently released patches and other software updates.

  2. IT staff and contractors must notify the CIO if vulnerabilities are not mitigated in a timely manner.

Blue Ridge Community College Policies and Procedures Manual