Vulnerability and Compliance Management

Vulnerability and compliance management is a set of processes and practices aimed at identifying, assessing, and mitigating security risks within the university's IT infrastructure. This includes assessing and remediating vulnerabilities in software, hardware, and network systems, as well as ensuring that the university complies with relevant industry regulations and standards.

Benefits & Features

Vulnerability scanning focuses on identifying vulnerabilities that exist on a given host. These scans can then be used to generate reports and dashboards that show risk exposure and help prioritize remediation efforts. In today's digital environment, keeping operating systems, applications, and other third-party software up to date is critical to protecting digital assets.

Along with vulnerability scanning, compliance audits against standards such as those set forth by the National Institute of Standards and Technology (NIST) can be performed to verify configuration settings and compliance. All of this can be completed in one tool to give a full picture of how at risk an asset may be.

Features included:

  • Network scanning
  • Agent-based scanning
  • Remediation scanning
  • Industry-leading reports & dashboards
  • Compliance & configuration auditing

Getting Started

Eligibility

All University-owned assets are eligible for vulnerability and compliance management services. This includes, but is not limited to:

  • Network – Shall mean and include wired and wireless video, voice, and data infrastructure, including security devices (e.g., firewalls, management tools, etc.)
  • Endpoints – Shall refer to desktops, laptops, tablets, mobile devices, printers, or any other device capable of connecting to the University network.
  • Systems – Shall mean and include software, servers, storage, licensed platforms, and cloud-based services.
  • Applications – Comprised of University-owned or operated software applications, web applications, etc.

Pricing

There is no charge for this service, which is considered a common-good service.

Requirements

As established in ITS-13: Risk Management Standards - Section 4.3.2 Vulnerability Management - Vulnerability Remediation or Quarantine, vulnerabilities should be remediated in accordance with the criticality-based time frames listed below.

Where a vulnerability cannot be remediated within these defined vulnerability compliance timelines, a system owner or administrator must complete a Plan of Action and Milestones (POAM) that details the plan and timeline to remediate the vulnerability, implement alternative mitigation controls, and seek risk acceptance approval. Exceptions approved in a POAM are considered temporary solutions until a long-term solution can be implemented.

Vulnerability Compliance Timeline

Severity                          Remediation Time Frame   POAM / Quarantine Determination
Urgent (Zero-Day / As-Directed)   7 calendar days          CISO Directed
Critical                          15 calendar days         > 30 days
High                              30 calendar days         > 60 days
Medium                            45 calendar days         > 90 days
Low                               60 calendar days         > 120 days

Support

For the most efficient support experience, please submit a ticket using the request form on this page. Alternatively, contact your campus Help Center location via email, by phone, or in person.

Details

Service ID: 65
Created: Fri 12/22/23 9:09 AM
Modified: Tue 9/24/24 2:30 PM