Effective date: 07/01/2021
Last updated: 03/04/2024
Purpose
This Policy describes requirements for Duquesne University's Vulnerability Management Program ("VMP") to identify, assess, and remediate vulnerabilities, weaknesses, or exposures in Information Assets and Information Systems or other processes that may lead to a security or business Risk. This Policy is applied to all of Duquesne University's networks and the devices connected to those networks. The intended audience of this document is all employees and students of Duquesne University as well as relevant external parties. All parties are required to adhere to this Policy and attend to defined responsibilities.
Reference Documents
- Acceptable Use of Computing Resources (TAP 26)
- Family Educational Right and Privacy Act (TAP 28)
- CTS Data Governance Service Requirements
- CTS Information Security Service Requirements
- CTS Mobile Device Service Requirements
- CTS Information Security Requirements for Remote Access
- CTS Asset Management Service Requirement
- CTS Change Management Process
- University Third Party Risk Management Service Requirement
- CTS Incident Response Plan
Strategy
In order to meet the requirements of Duquesne University's Vulnerability Management Program the Information Security Team ("the Team") will define, document, and maintain the following:
- Critical assets and infrastructure to be included in the scope of vulnerability analysis and resolution activities
- Technical resource needs
- Approved tools and methods to aid in vulnerability monitoring, identification, analysis, and remediation efforts
- Staffing requirements
- Stakeholders - parties that have a vested interest in the management and success of
the VMP and who shall receive vulnerability information from the Team and provide
feedback and recommendations to the Team. Stakeholders include but are not limited
to:
- Systems Team
- Networking Team
- Application and Database Team
- Endpoint Team
- University Management
- Departmental System Owners
- IT Service Desk
- Legal Affairs
- Relevant Third-Parties
- Roles and Responsibilities
- Vulnerability information and sharing requirements
- Regulatory and contractual obligations
- Standardized processes for VMP activities and communications
- A schedule for VMP activities
- Operational and awareness training requirements
- Auditing requirements and frequency
Definitions
Charter | The Duquesne University Vulnerability Management Program Charter |
Critical Asset | Any asset that stores or processes restricted data and/or is imperative to the core functionality of the University |
Exploit | An action taken, intentional or otherwise, that takes advantage of a vulnerability and causes unintended behavior in an asset or service |
Risk | The likelihood and consequences of a vulnerability being exploited through intentional or unintentional actions |
The Standard | The Duquesne University Vulnerability Management Program Standard |
Vulnerability | Any weakness in an asset or service that may be exploited, intentionally or otherwise, to cause unintended behavior in an asset or grant access to unauthorized resources |
Vulnerability Management Program Policy
Duquesne University's Vulnerability Management Program shall be implemented to ensure that vulnerabilities and security weaknesses in the University's information assets are identified, assessed, and remedied in a timely manner.
Scope
Vulnerability Management Program activities shall cover all University critical assets, data, and relevant third-party assets as defined in the Standard and the CTS Data Governance Service Requirements.
In order to ensure that Vulnerability Management Program activities are adequately accounting for all critical assets and data, the Information Security Team shall have access to an asset inventory and network diagrams in accordance with the Standard.
Roles and Responsibilities
The security of critical assets and data is the responsibility of the entire Duquesne University community. All employees, students, and relevant third parties shall be informed of the Vulnerability Management Program requirements and their specific roles and responsibilities to that end.
Role Description | Responsibilities |
Information Security Team | Responsible and accountable for the administration and enforcement of VMP requirements as defined in this Policy and the Standard. Central point of contact for all relevant parties. |
Systems Team | Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
Networking Team | Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
Application and Database Team | Participate in and support VMP activities for software applications and datacenter assets, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
Endpoint Team | Maintain endpoint security requirements, participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
IT Service Desk | Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
Infrastructure Team | Manage VMP team access to the asset inventory. Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Participate in program auditing and reviews. |
Change Management Team | Advise the VMP team during initial program rollout. Participate in program audits, reviews, and updates. Evaluate changes in asset configurations identified as remediations. Inform the VMP team of relevant changes to assets within the scope of the Program. |
Risk Management Team | Advise and inform the VMP team on relevant organizational risks and risk acceptance criteria. Participate in escalation processes as necessary. |
Incident Response Team | Participate in and own communications and timelines for VMP escalation processes as necessary. Participate in and support VMP activities as required, advise the VMP Team on program requirements and improvements, and report any security concerns to the VMP team. Communicate relevant vulnerability information after a breach. Participate in program auditing and reviews. |
Legal Affairs | Required to collaborate with the VMP team to ensure compliance with regulatory and contractual requirements. Responsible and accountable for compliance fulfillment. |
University Management | Sponsor the VMP by providing necessary resources and governance. |
Operational Units | Responsible and accountable for third-party-owned assets within scope of the VMP. Units are required to cooperate with the VMP team and perform assigned tasks in accordance with the Standard and report security concerns to the VMP team. |
Asset Owners and Operators | Responsible and accountable for assigned University assets. Owners and Operators are required to cooperate with the VMP team and perform assigned tasks in accordance with the Standard and report security concerns to the VMP team. |
Other Duquesne University Community Members | Required to adhere to this Policy and report security concerns to the VMP Team. Encouraged to attend VMP awareness training. |
Third-Party Service Providers | Required to adhere to this Policy and report security concerns to the VMP team. Service providers engaged to perform VMP activities are expected to provide an actionable report on any findings and offer guidance for the improvement of the VMP. |
Third-Party Auditors | Required to audit compliance to the Vulnerability Management Program Policy and Standard in accordance with the requirements defined in the Standard, report on any findings, and offer guidance for the improvement of the VMP. Engaged periodically to evaluate program efficacy. |
Training Requirements
Personnel responsible for Vulnerability Management Program services shall maintain the requisite competencies to adequately utilize approved tooling and methods as defined in the Standard.
The Information Security Team shall develop and deliver appropriate vulnerability management awareness training and resources and ensure relevant parties understand their obligations and contributions to the goals of the Vulnerability Management Program.
Vulnerability Assessment and Remediation Requirements
The Information Security Team will perform testing and scanning activities using approved tools and methods and in accordance with the Standard. Testing and scanning activities shall be performed periodically and on demand as required by the Standard and Charter. Consideration for impacts to University operations shall be given when scheduling assessments. Identified vulnerabilities will be remedied by appropriate personnel according to their Roles and Responsibilities and timelines associated with the assigned criticality ratings, as defined within the Standard.
Necessary changes to asset configurations shall be coordinated and tracked in accordance with Computing and Technology Services Asset Management Service Requirement and Change Management Process.
If periodic assessment requirements or remediation timelines are not satisfied for any reason, the Vulnerability Management Team shall invoke the necessary escalation processes defined in the Standard.
Vulnerability Information Sources and Sharing Requirements
Information about technical Vulnerabilities of Information Systems shall be obtained in a timely fashion; Duquesne University's exposure to such Vulnerabilities shall be evaluated and appropriate measures must be taken to address the associated risk. The Vulnerability Management Program shall include regular reviews of vulnerability information sources identified in the Standard.
Vulnerability Tracking and Validation Requirements
Vulnerabilities and remediations shall be tracked in accordance with the Standard. Vulnerabilities that are assigned a Critical or High rating shall be tracked to completion without exception.
Program Auditing and Review
Vulnerability Management Program documentation, requirements, processes, tools, methods, and scope shall be periodically reviewed in accordance with the Standard. Proposed changes shall be implemented in collaboration with the University's Change Management Team and in accordance with applicable Change Management Policies.
Effectiveness of the Vulnerability Management Program shall be evaluated against industry standard Key Performance Indicators (KPIs) as defined in the Vulnerability Program Standard.
University compliance to and efficacy of the Vulnerability Management Program requirements shall be evaluated periodically by independent third-party service providers in accordance with the Program Standard.
Violations
The University considers any violation of the vulnerability management program policies to be a serious offense.
Duquesne University will take any and all actions necessary to copy and examine files, systems, or information resident on University systems that are potentially related to unacceptable use, and to protect the network and computing environment from systems, users, and events that threaten or degrade computing services.
If violations cause harm to computing resources including network and systems or impact user integrity, CTS will attempt to contact the offending party via email, telephone, or in person to explain the problem and discuss remediation. Significant violations may require CTS to disconnect the system from the network or suspend violator's use of computing resources and/or access to information stored or managed by the University.
Violations of this policy will be subject to regular disciplinary processes and procedures of the University that apply to students, faculty, and employees and may result in the loss of their computing privileges and other measures, up to and including expulsion from the University or loss of employment. Illegal acts involving University computing resources may also be subject to prosecution or other sanctions by local, state or federal authorities.
Decisions about whether a particular use of computing resources, or a particular access or use of Restricted Data conform to this Policy shall be made by the Provost's Office if the use involves faculty; by the Office of Student Conduct if the use involves students; and by the Office of Human Resources if the use involves staff. All decisions shall be made in consultation with the Chief Information Officer and Legal Affairs to ensure consistency.