UM Vulnerability Management Standard

Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Governance and Risk Management

IN PLAIN LANGUAGE

Vulnerabilities in software and systems are discovered constantly, and unpatched systems are one of the most common ways attackers gain access. This standard establishes how the University finds, prioritizes, and fixes vulnerabilities across its technology environment. All University systems must be inventoried, regularly scanned, and patched within defined timeframes based on severity — critical vulnerabilities on internet-facing systems must be addressed within 8 days, for example. When patching isn't immediately feasible, a documented exception and compensating controls are required. System owners are responsible for their systems' security posture, and unresolved high-risk vulnerabilities are escalated to leadership.


1. Purpose

The purpose of this Standard is to reduce the risk of compromise, disruption, or unauthorized access to University Data and Information Technology Resources by establishing a consistent, risk-based Vulnerability Management capability across the University of Montana.

This Standard defines the operational requirements for identifying, assessing, prioritizing, remediating, and tracking vulnerabilities in information systems and supports the University's Information Security Program in alignment with the NIST Cybersecurity Framework (CSF) 2.0.


2. Scope

This Standard applies to all University-owned, managed, or operated information systems and services, including:

  • Applications and web services
  • Servers and infrastructure
  • Network devices
  • Endpoints and mobile devices
  • Cloud-hosted and third-party-managed systems that store, process, or transmit University Data

This Standard applies regardless of system location, including University networks, affiliated campus networks, third-party data centers, and cloud service providers.


3. Roles and Responsibilities

3.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Owning this Standard and the University Vulnerability Management program
  • Approving exceptions to vulnerability scanning or remediation requirements
  • Escalating material or systemic risk to executive leadership

3.2 Information Security Operations

The Information Security Operations team is responsible for:

  • Operating enterprise vulnerability scanning capabilities
  • Detecting, validating, and analyzing vulnerabilities
  • Supporting service owners with risk assessment and remediation guidance
  • Maintaining vulnerability data and reporting metrics

3.3 Service Owners and Application Owners

Service or Application Owners are responsible for:

  • Overall risk ownership for systems under their purview
  • Ensuring systems have identified administrators
  • Making remediation decisions in coordination with Information Security Operations
  • Requesting and documenting risk acceptance or exceptions when appropriate

3.4 System and Application Administrators

System and Application Administrators are responsible for:

  • Maintaining supported and properly configured systems
  • Remediating identified vulnerabilities within established timelines
  • Coordinating testing, patching, and validation activities

4. Vulnerability Management Lifecycle

Vulnerability Management must be conducted as a continuous lifecycle process consisting of asset identification, assessment, remediation, and monitoring.

4.1 Asset Inventory and Classification

An accurate and current asset inventory is foundational to effective vulnerability management.

  • All systems and services must be inventoried with identified owners and administrators
  • Assets must be classified according to data sensitivity and business criticality in accordance with the UM Data Governance Policy
  • Asset information must be maintained in systems of record approved by UM IT

4.2 Initial Security Assessment

New or significantly modified systems must undergo an initial security assessment prior to processing production data, which includes:

  • Registration in the asset inventory
  • Secure configuration review based on vendor guidance and CIS benchmarks
  • Vulnerability scanning appropriate to system type and exposure

High or Critical vulnerabilities identified during initial assessment must be addressed prior to production use unless an approved exception is granted.

4.3 Continuous Vulnerability Scanning

The University must conduct ongoing vulnerability scanning to identify newly discovered or emerging risks.

  • Enterprise scanning must be performed by authorized Information Security Operations personnel
  • Scanning must include network devices, servers, web applications, endpoints, and IoT devices where applicable
  • Vulnerability scanning for externally hosted systems may be conducted by vendors, subject to contractual agreement and evidence review

4.4 Vulnerability Remediation and Risk Response

Identified vulnerabilities must be addressed using one or more of the following risk response strategies:

Remediation — Applying patches, configuration changes, or system updates.

Mitigation — Implementing compensating controls to reduce exploitability.

Acceptance — Documented acceptance of residual risk through the exception process.

Avoidance — Decommissioning or replacing vulnerable systems.

Risk acceptance decisions must be documented and approved by the appropriate authority.

4.5 Remediation Targets

The University adopts CVSS-based remediation targets as default expectations, subject to documented exception where necessary.

  Severity   CVSS Score   Externally Exposed   Internally Exposed   Cloud Hosted
  Critical   9.0–10.0     8 days               14 days              8 days
  High       7.0–8.9      8 days               30 days              8 days
  Medium     4.0–6.9      30 days              30 days              30 days
  Low        0.1–3.9      60 days              90 days              60 days

These timeframes represent default targets, not absolute mandates. When remediation within these targets is not feasible, a documented exception or alternative risk treatment must be pursued.

4.6 Enforcement and Escalation

When vulnerabilities are not addressed within established targets and no approved exception exists:

  • Systems may be subject to additional restrictions or compensating controls
  • Risk may be escalated to appropriate management or governance bodies
  • Persistent or systemic issues may be reported to executive leadership

The University reserves the right to isolate, restrict, or otherwise limit system exposure as necessary to manage institutional risk.
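The following Python script shows how the Section 4.5 targets and the Section 4.6 escalation rule can be applied mechanically to a scanner export. It is an added example, not part of this Standard or of any UM tooling. It assumes the remediation clock starts on the date the scanner first reported the finding (the Standard does not state where the clock starts), treats the three table columns as the exposure labels "external", "internal" and "cloud", and uses constructed hostnames, finding IDs and scores.

```python
"""Triage scanner findings against the Section 4.5 remediation targets.

Added example, not UM code. Assumptions: the clock starts at the scanner's
first-seen date; exposure is one of "external", "internal", "cloud";
an approved Section 7 exception removes a finding from enforcement but
keeps it in the report for tracking.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Remediation targets in days, copied from the Section 4.5 table.
TARGET_DAYS = {
    "Critical": {"external": 8,  "internal": 14, "cloud": 8},
    "High":     {"external": 8,  "internal": 30, "cloud": 8},
    "Medium":   {"external": 30, "internal": 30, "cloud": 30},
    "Low":      {"external": 60, "internal": 90, "cloud": 60},
}


def severity_from_cvss(score: float) -> Optional[str]:
    """Map a CVSS base score onto the Standard's severity bands.
    A score of 0.0 lies outside every band and returns None."""
    if 9.0 <= score <= 10.0:
        return "Critical"
    if 7.0 <= score < 9.0:
        return "High"
    if 4.0 <= score < 7.0:
        return "Medium"
    if 0.1 <= score < 4.0:
        return "Low"
    return None


@dataclass
class Finding:
    asset: str
    finding_id: str            # scanner's own identifier, not a CVE
    cvss: float
    exposure: str              # "external", "internal" or "cloud"
    first_seen: date           # assumed start of the remediation clock
    exception_approved: bool = False   # Section 7 exception on file


@dataclass
class Triage:
    asset: str
    finding_id: str
    severity: str
    due: date
    days_overdue: int          # 0 while the target has not passed
    action: str                # remediate | overdue | escalate | exception


def triage(finding: Finding, today: date) -> Triage:
    """Compute the due date and the Section 4.6 response for one finding."""
    severity = severity_from_cvss(finding.cvss)
    if severity is None:
        raise ValueError(f"{finding.finding_id}: CVSS {finding.cvss} has no severity band")
    if finding.exposure not in TARGET_DAYS[severity]:
        raise ValueError(f"{finding.asset}: unknown exposure {finding.exposure!r}")
    due = finding.first_seen + timedelta(days=TARGET_DAYS[severity][finding.exposure])
    overdue = max(0, (today - due).days)
    if finding.exception_approved:
        action = "exception"   # tracked under Sections 6 and 7, not enforced
    elif overdue == 0:
        action = "remediate"   # still inside the target window
    elif severity in ("Critical", "High"):
        action = "escalate"    # Section 5: unresolved Critical/High are reported up
    else:
        action = "overdue"     # Section 4.6: restrictions or compensating controls
    return Triage(finding.asset, finding.finding_id, severity, due, overdue, action)


def triage_report(findings: List[Finding], today: date) -> List[Triage]:
    return [triage(f, today) for f in findings]


# Constructed sample export; hosts, IDs and scores are illustrative only.
SAMPLE_FINDINGS = [
    Finding("web-01.example.edu", "F-1001", 9.8, "external", date(2026, 4, 1)),
    Finding("db-07.example.edu",  "F-1002", 7.5, "internal", date(2026, 3, 1)),
    Finding("saas-hr",            "F-1003", 5.3, "cloud",    date(2026, 3, 20), exception_approved=True),
    Finding("lab-pc-12",          "F-1004", 2.1, "internal", date(2026, 1, 1)),
    Finding("vpn-02.example.edu", "F-1005", 6.1, "external", date(2026, 4, 10)),
]
DEMO_TODAY = date(2026, 4, 15)   # fixed "today" so the demo is reproducible

if __name__ == "__main__":
    for t in triage_report(SAMPLE_FINDINGS, DEMO_TODAY):
        print(f"{t.asset:22} {t.finding_id} {t.severity:8} due {t.due} "
              f"overdue {t.days_overdue:3} -> {t.action}")
```

Run against the sample export with today fixed at 2026-04-15, the Critical external finding is six days past its 8-day target and the Low internal finding is fourteen days past its 90-day target; only the former is flagged for escalation, matching the Section 5 rule that escalation reporting covers unresolved Critical and High findings. Replacing the constructed list with rows parsed from a real scanner export is the only change needed to use it on live data.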


5. Reporting and Metrics

The Vulnerability Management program must include:

  • Regular reporting of vulnerability status and trends
  • Metrics to support risk-informed decision-making
  • Escalation reporting for unresolved Critical and High vulnerabilities

Key performance indicators may be provided to executive leadership to support oversight and governance.


6. Risk Register Integration

Vulnerabilities that cannot be remediated within acceptable timeframes must be documented in the institutional risk register for visibility, prioritization, and tracking.


7. Exceptions

Exceptions to this Standard must:

  • Be formally documented
  • Include risk rationale and compensating controls
  • Be approved by the CISO or designee
  • Be reviewed periodically

8. Review and Maintenance

This Standard must be reviewed at least annually by the UM Information Security Office and updated as necessary to reflect changes in risk, technology, or regulatory requirements.


9. References

  • UM Information Security Policy
  • UM Data Governance Policy
  • NIST Cybersecurity Framework (CSF) 2.0
  • NIST National Vulnerability Database (NVD)
  • Center for Internet Security (CIS) Benchmarks

Details

Article ID: 171036
Created: Thu 3/19/26 6:42 PM
Modified: Thu 4/9/26 11:41 AM