System Vulnerability Management Program

Purpose and Scope

The Vulnerability Management program, governed by the Information Security Office, is an initiative to manage Information Systems vulnerabilities for those systems administered by the HVCC Instructional and Information Technology department. This program seeks to identify system vulnerabilities within HVCC's computing environment and rank each vulnerability by severity so they may be remediated in a timely manner.

Program Overview

The Vulnerability Management program is designed to provide a methodology for the identification and remediation of system vulnerabilities within the HVCC computing environment. The Information Security Officer and Cyber Incident Response Team will periodically scan systems and networks to identify vulnerabilities, improper configurations, and missing security patches. When alerted to vulnerabilities, System Administrators will be responsible for vulnerability remediation. 

Authority

Per HVCC's Information Security Policy, "Computer systems that provide information through a public network must be subjected to vulnerability scanning." Further, "The output of scans will be reviewed in a timely manner by the appropriate members of the Information Security Committee, and any detected vulnerabilities will be evaluated and mitigated based on the level of risk."

Roles and Responsibilities

Oversight - Chief Information Officer

Vulnerability Management - Information Security Officer

Patch Management - System Administrator

Process

Vulnerability Discovery

The methodology for discovering and assessing vulnerabilities utilizes multiple tools in order to provide an assessment of the security of HVCC's computing environment as well as assessments by third-party Information Security providers. Shodan is the tool used to provide an initial assessment of HVCC systems that are accessible from the Internet and provides alerts when new systems are discovered. Tenable Nessus is the tool used to assess operating systems and network components, and it provides risk rankings and remediation documentation.

Assessment and Remediation

HVCC systems are assessed, at a minimum, once every 30 days. The results of these assessments are forwarded to the HVCC IIT team responsible for the administration of the systems identified. The System Administrator is responsible for applying patches or correcting errors in system configurations within the following time frames. In some cases, scan results may yield false positives, patches may not yet be available, or applying a corrective fix may not be possible without service degradation. When corrective fixes can not be applied, risk mitigation techniques must be considered. System Administrators will be responsible for reporting false positives and proposing risk mitigation techniques and subjected to approval from the Information Security Office.

Vulnerability Priority Rating (VPR) is the output of Tenable Nessus' predictive prioritization process and is continually updated to accommodate the evolving threat landscape. Following the initial scan of an asset on the network, Nessus computes an initial VPR using a machine-learning algorithm that analyzes more than 150 different aspects of each vulnerability to determine the level of risk. The higher the VPR score, the greater the risk.

Remediation Timeline