1614 Vulnerability Management

Responsible Official: Chief Information Officer
Responsible Office: Office of the Provost
Effective Date: March 31, 2015
Revision Date: March 31, 2015

Scope

This document addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements for all IT systems which collect, store, process, transmit or otherwise communicate University-owned data or data over which the university has administrative duties (e.g. loaned or leased data).

Policy Statement

Yale ITS will assess changes to IT systems and software to determine potential security impacts prior to change implementation and/or release into production environment(s). This also includes assessing new IT systems and software prior to release into production environment(s). Analysis may include, but is not limited to, analysis in a separate test environment before installation in an operational environment and assessment for security impacts due to flaws, weaknesses, incompatibility, or intentional malice. Vulnerabilities must be mitigated prior to change implementation or release into production environments.

Prior to change implementation and/or release into production environment(s), the system owner is required to contact ITS to facilitate this assessment. It is the responsibility of Information Security, Policy and Compliance to oversee the assessment process to ensure the security of Yale information.


Reason for the Policy

Security impact analyses are part of a formal vulnerability management process through which Yale is able to efficiently identify and remedy vulnerabilities within its networks and provide a greater level of security throughout the enterprise.

Definitions

Control – “The means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of an administrative, technical, management, or legal nature. Scope Note: Also used as a synonym for safeguard or countermeasure.” ISACA Glossary of Terms (2014) (http://www.isaca.org/Knowledge-Center/Documents/Glossary/glossary.pdf)

IT system – please see the definitions in Policy 1607 Information Technology Appropriate Use Policy.

University-owned data – for staff, this is data generated in the course of their work at Yale. Faculty are asked to please reference the Faculty Handbook for further guidance on this subject. Please see Policy 1601 Information Access and Security for more information on restrictions on the use of University information.

Vulnerability – “[a] characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.” (NICCS, “Explore Terms: A Glossary of Common Cybersecurity Terminology”, http://niccs.us-cert.gov/glossary.) Further reading: https://msdn.microsoft.com/en-us/library/cc751383.aspx.

Policy Sections

1614.1 Vulnerability Scanning

Information Security, Policy and Compliance (ISPC) shall determine and perform the appropriate testing of systems, software, and changes, including but not limited to system configuration analysis, network vulnerability scanning and host-based scanning, for systems going through change control, through periodic review and audit, and during systematic review.

1614.2 Positive Confirmation

The system owner is responsible for ensuring that the following have been performed and reported:

  1. Appropriate testing of system(s)
  2. Appropriate testing of software changes
  3. Appropriate testing of new system(s)
  4. Mitigation of vulnerabilities

This includes, but is not limited to, providing positive confirmation to ISPC. Additionally, this must include quality assurance evidence of activity (i.e. an integrity check).

1614.3 Risk Mitigation

Should ISPC determine that any IT system places the University at risk in any way, ISPC may require that the device be isolated to limit security impacts and facilitate remediation. Examples of circumstances where this may occur include, but are not limited to:

  • review prior to new IT system implementation,
  • change control review,
  • regular vulnerability scanning, or
  • in response to a security incident.

1614.4 Policy Violations and Sanctions

Report any violations of this policy to Information Technology Services (ITS) at the contact number listed below.

If a system owner or administrator fails to comply with this policy, the system may be denied access to the Yale Network and the Internet.

1614.5 Exceptions

Exceptions must be based on a documented need in line with the University’s core missions. A request for an exception to this policy should be made to Information Security, Policy and Compliance.

Roles and Responsibilities

Information Security, Policy and Compliance – is responsible for the general oversight of the reviews and tests named in this policy. It shall determine and perform the appropriate testing of systems, software, and changes, including but not limited to system configuration analysis, network vulnerability scanning and host-based scanning, for systems going through change control, through periodic review and audit, and during systematic review.

Further, ISPC shall receive from system owners reports and demonstrations of proof showing that the requirements of Section 1614.2 have been met.

System Owners and Administrators – are responsible for contacting Information Security, Policy and Compliance prior to moving new IT systems into production or implementing system changes in production.