Vulnerability Remediation
Background
Vulnerability management is the cyclic and continuous process of identifying and remediating vulnerabilities in information systems. Addressing identified vulnerabilities in a timely manner significantly reduces risk to the confidentiality, integrity, and availability of information stored, processed, or transmitted by a given system or systems. Vulnerabilities shall be prioritized based on their potential impact if successfully exploited and on the likelihood of exploitation; the vulnerabilities that pose the highest risk in a given situation are to be remediated first. The University uses the Common Vulnerabilities and Exposures (CVE) system as the reference for reviewing information about publicly known information security vulnerabilities. The CVE system uses the Common Vulnerability Scoring System (CVSS), a free and open industry standard, to assess the severity of publicly known information security vulnerabilities. CVSS combines several metrics into a single score on a scale of 0.0 to 10.0, and also expresses severity on a simpler qualitative scale of 'Low', 'Medium', 'High', and 'Critical'.
The University's Information Security Management System (ISMS) - Vulnerability Management Program Component maps directly to the CVSS system, and defines severity as:
Critical and High
This class of vulnerability poses the highest risk to the confidentiality, integrity, and availability of information or systems. These vulnerabilities can have the most negative impact on business operations.
Medium
This class of vulnerability poses moderate risk to the confidentiality, integrity, and availability of information or systems.
Low
This class of vulnerability may pose risk to the confidentiality, integrity, and availability of information or systems.
Remediation Timeframe by Severity
Critical and High
• Remediation required within fourteen (14) calendar days of discovery *
Medium
• Remediation required within thirty (30) calendar days of discovery *
Low
• Remediation required within ninety (90) calendar days of discovery *
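The severity classes and remediation windows above can be applied mechanically to scanner output to see which findings must be fixed first and which are already past their deadline. The following is an added example, not part of the University's ISMS documentation: it maps a CVSS base score to the qualitative class, applies the 14/30/90 calendar-day windows from the date of discovery, and lists findings highest-risk first with an overdue flag. The score thresholds (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0) are the CVSS v3.x qualitative bands and are an assumption of this example rather than something stated on this page; the findings and CVE identifiers in it are constructed placeholders.

```python
"""Severity triage and remediation-deadline tracking (added example).

Not part of the University's ISMS documentation. Applies the page's
remediation windows (14 / 30 / 90 calendar days from discovery) to a list
of findings. The score-to-class thresholds are the CVSS v3.x qualitative
bands and are an assumption of this example. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation windows from the page, in calendar days from discovery.
REMEDIATION_DAYS = {"Critical": 14, "High": 14, "Medium": 30, "Low": 90}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to a qualitative severity.
    Thresholds assumed from the CVSS v3.x qualitative rating scale."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    host: str
    cve: str            # constructed placeholder identifiers in SAMPLE_FINDINGS
    cvss: float
    discovered: date    # the page's clock starts at discovery

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    def due_date(self) -> Optional[date]:
        """Deadline per the page's timeframes; None when nothing is due."""
        days = REMEDIATION_DAYS.get(self.severity)
        return None if days is None else self.discovered + timedelta(days=days)


def triage(findings: List[Finding], today: date) -> List[Dict]:
    """Return findings highest-risk first, each with its due date,
    days remaining (negative means overdue) and an overdue flag."""
    rows = []
    for f in findings:
        due = f.due_date()
        if due is None:          # severity "None": nothing to remediate
            continue
        remaining = (due - today).days
        rows.append({
            "host": f.host, "cve": f.cve, "cvss": f.cvss,
            "severity": f.severity, "due": due,
            "days_remaining": remaining, "overdue": remaining < 0,
        })
    # Highest score first; among equal scores, the earliest deadline first.
    rows.sort(key=lambda r: (-r["cvss"], r["due"]))
    return rows


def overdue(findings: List[Finding], today: date) -> List[Dict]:
    """Only the findings whose remediation window has already closed."""
    return [r for r in triage(findings, today) if r["overdue"]]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE_FINDINGS = [
    Finding("web-01",  "CVE-0000-0001", 9.8, date(2024, 3, 1)),
    Finding("db-02",   "CVE-0000-0002", 7.5, date(2024, 3, 10)),
    Finding("kiosk-7", "CVE-0000-0003", 5.3, date(2024, 2, 20)),
    Finding("print-3", "CVE-0000-0004", 3.1, date(2024, 1, 15)),
    Finding("lab-12",  "CVE-0000-0005", 0.0, date(2024, 3, 1)),
]

if __name__ == "__main__":
    as_of = date(2024, 3, 20)
    for r in triage(SAMPLE_FINDINGS, as_of):
        state = "OVERDUE" if r["overdue"] else f"{r['days_remaining']}d left"
        print(f"{r['host']:8} {r['cve']} {r['cvss']:4} {r['severity']:8} "
              f"due {r['due']} {state}")
```

Run against the constructed data as of 2024-03-20, the Critical finding on web-01 (discovered 1 March, due 15 March) is reported overdue, the High finding on db-02 has four days left, and the score-0.0 entry is dropped because no window applies to it. Feeding real scanner exports through `triage` is a simple way to check whether the 14/30/90-day commitments are actually being met.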
Mitigation Cycle
Mitigation will occur within an appropriate timeframe for the criticality of the vulnerability, and strategies should be prioritized in the following order:
- Follow vendor / manufacturer recommendations
- Implement patches
- Change configuration
- Implement compensating controls
  - If the vendor / manufacturer has no recommendations, patches, hotfixes, etc., or there are documented constraints, an appropriate compensating control should be implemented
- Follow risk acceptance process
  - An exception may be sought depending upon the criticality of the vulnerability and the mission criticality of the system
NOTICE: The ISPO's Information Security Operations area will update this document on a periodic basis in response to emerging trends and guidance from information security professional organizations.
The ISPO utilizes the University’s enterprise ticketing system Help.UNM and intake services provided by the UNM Information Technologies (UNM IT) Service Desk, the University's central support organization for information technology-related services and computer-related issues. All information security-related events, incidents, and requests are forwarded to the ISPO by UNM IT Service Desk Staff. If you have feedback or questions regarding this document, please use Help.UNM or call the UNM IT Service Desk at 7-5757 to ensure that your request is opened, tracked, and processed in a timely manner.