1614 Vulnerability Management

Responsible Official: Chief Information Officer
Responsible Office: Information Security Office
Effective Date: March 31, 2015
Revision Date: January 22, 2024

Policy Sections

1614.1 Vulnerability Scanning
1614.2 Risk Mitigation
1614.3 Policy Violations and Sanctions
1614.4 Exceptions

Scope

This policy addresses Yale’s need for a Vulnerability management program. The Vulnerability management program applies to all Yale Information Technology (“IT”) Systems and System Owners.

Policy Statement

The Yale Information Security Office (“ISO”) has the authority to scan for and assess Vulnerabilities in Yale IT Systems. The ISO also has the authority to block or disable any Vulnerable system that presents a risk to the University network or Yale Data.

System Owners are responsible for building and maintaining secure IT Systems that adhere to Yale’s Minimum Security Standards (“MSS”). Prior to change implementation and/or release into production environment(s), the System Owner must contact the ISO to facilitate a Security Planning Assessment (“SPA”). This will initiate the Vulnerability management program. It is the responsibility of the ISO to oversee the assessment process to ensure the security of Yale IT Systems and data.

Reason for the Policy

A Vulnerability management policy is essential to ensure the security and integrity of Yale’s IT Systems, networks, and data. Yale’s formal Vulnerability management program identifies and manages remediation of Vulnerabilities to provide a greater level of security throughout the institution.

Definitions

IT System

Any equipment or device that can store, process, or transmit electronic Yale Data. For example, IT Systems include, but are not limited to, institutional and departmental information systems, faculty research systems, computer workstations and laptops, the University’s campus network, and computer clusters.

System Owner

While Yale University is the legal owner or operator of all IT Systems, it delegates oversight of particular systems to the head of a specific subdivision, department, or office of the University (“Systems Owner”), or to an individual faculty member in the case of IT Systems purchased with research or other funds for which the individual is personally responsible.

Yale Information Technology (“IT”) Systems

All IT systems that collect, store, process, transmit, or otherwise communicate Yale Data.

Yale Data

Yale Data are (i) data created or received by data users while acting on behalf of Yale, or (ii) data created or received by Yale students or trainees while providing a service to Yale or to others as part of their education or training. Yale Data do not include intellectual property which, by law or by Yale’s copyright or other policies, is owned, licensed, or otherwise legally controlled by a data user.

Vulnerability

A weakness, flaw, or error in a computer system or IT System that has the potential to be exploited by a given threat. A Vulnerability weakens the overall security of the device/system in which it is present.

Policy Sections

1614.1 Vulnerability Scanning

The Yale ISO determines and performs the appropriate testing of systems, software, and changes.

1614.2 Risk Mitigation

Should the ISO determine that any IT System places the University at risk in any way, the ISO may require that the device be isolated to limit security impacts and facilitate remediation.

1614.3 Policy Violations and Sanctions

System Owners are expected to report any violations of this policy to the Yale ISO. In addition, individuals may report events impacting the confidentiality or integrity of IT Systems at information.security@yale.edu.

If a System Owner or administrator fails to comply with this policy, the ISO may deny the system access to the Yale network and/or the internet.

1614.4 Exceptions

All identified risks and Vulnerabilities must be remediated by the System Owner, or an approved exception with compensating controls must be in place. Requests for exceptions may be submitted via an exception request.

Roles and Responsibilities

Yale University’s Information Security Office (“ISO”)

  • Responsible for the reviews and tests identified in this policy. The ISO determines and performs the appropriate testing of systems, software, and changes.
  • Responsible for determining if a Vulnerability poses risk in any way that would require the device or system to be isolated to limit security impacts.
  • The ISO may request documentation showing adherence to System Owner responsibilities.

System Owners and Administrators