1614 PR.01 Vulnerability Management Procedures

Revision Date: March 31, 2015

Complying with Policy 1614 Sections 1614.1 and 1614.2

  1. Prior to change implementation and/or release into production environment(s), IT system owners shall contact ITS to coordinate assessment of the IT system.
  2. This initial contact can be made by contacting Information Security, Policy and Compliance (ISPC) via email at it.compliance@yale.edu or information.security@yale.edu.
  3. ITS may also contact you, the system owner or administrator, if a vulnerability is detected on a device attached to the network, or if a member of the Yale community reports a vulnerability.
  4. ISPC will provide guidance on how to assess the system and what forms of proof it will accept before a system will be allowed to go into production.
  5. Systems with active vulnerabilities may be isolated from other networked devices to minimize negative impacts. Once remediated, normal network access will be allowed.

Assessment Standards

The following standards will be used in assessing risk and addressing remediation:

Required Tests and Analyses

  1. IT system configuration analysis.
  2. Software configuration analysis.
    1. Implementation of vendor/manufacturer security configuration baselines and — if advised to do so by Information Security, Policy and Compliance (ISPC) — vendor/manufacturer security configuration recommendations.
    2. At a minimum you must document:
      1. How users access the software,
      2. How access to administrative functions is limited to administrative users.
  3. Authenticated network vulnerability scanning.
  4. Authenticated host-based vulnerability scanning.

Change Control

  1. For changes to an existing IT system: use of an industry-accepted change control process and documentation of changes made to the system.
  2. For changes to existing software: use of an industry-accepted change control process and documentation of changes made to the software.

Addressing Identified Risks and Vulnerabilities

  1. All identified risks and vulnerabilities must either (a) be remedied or (b) have controls put into place to reduce or eliminate their impact on system and software security.
  2. If controls are used, these controls must be approved by ISPC.

Reporting Compliance with this Procedure and Policy 1614

  1. Evidence of compliance with this procedure and its parent policy must be submitted to ISPC by system owners, or the project’s project management team.

Documentation and Proof of Compliance

  • Information Security, Policy and Compliance will provide a certification document for systems that have been approved for migration into production.