Enterprise Vulnerability Management Standard

Enterprise Vulnerability Scanning Standard

Vulnerability scanning is an automated or on-demand task that identifies software vulnerabilities, missing system patches, and improper configurations.

Regular vulnerability scanning along with the timely and consistent application of vendor-supplied security patches or other mitigation of a reported vulnerability are critical components in protecting the university network, systems, and data, from damage or loss as well as meeting regulatory and compliance requirements. Products that no longer receive security updates from the vendor are not authorized for use on UM networks.

Vulnerability assessment provides visibility into the risk of systems and hosted applications deployed on the university network. Used effectively, vulnerability management helps to ensure that software, settings, and security configurations are kept up to date. Furthermore, systemic weaknesses or deficiencies can be detected by patterns or trends identified in scans of the campus network.

Servers connected to the university's network must be scanned using a vulnerability management service approved collectively by the university's Information Security Officers (ISO) and Chief Information Security Officer (CISO).

The information security office at each business unit is responsible for documenting procedures to:

1. Enroll servers in the Enterprise Vulnerability Scanning (EVS) service. The University currently provides this service using Qualys
2. Ensure scans are conducted on schedule
3. Develop/generate reports
4. Take appropriate action, as necessary, to protect information assets and infrastructure Such actions include, but are not limited to:
   • Scanning devices that appear to be causing disruptive behavior on the network to investigate the source of the disruption.
   • Removing systems experiencing an active exploit from the network until satisfactorily patched or remediated.
   • Requiring that administration of an exploited or vulnerable system be turned over to the central IT department if the system administrator is unable to correct the problem satisfactorily.

Vulnerability Scanning Frequency

Vulnerability scans should be run at least once a month, more frequently on request.  Centrally supported and managed servers may have a scanning frequency established by the server support team. If a department is managing its own server, it must be enrolled and scanned at least once a month, more frequently on request. The information security team may also scan the entire IP address ranges of University of Missouri networks to discover unenrolled and or other vulnerable systems. 

Vulnerability Prioritization

Remediation and mitigation should be prioritized based on the associated vulnerability severity and the impact on confidentiality, integrity, or availability of the vulnerable system(s). Vulnerability severity is currently determined by Common Vulnerability Scoring System (CVSS) scores* in conjunction with threat intelligence evaluated by the existing enterprise vulnerability scanning service. See Vulnerability Remediation Timeframes in the Patch Management Standard.

Additional evaluation of risk is necessary based on internal and external exposures on the university network and the public internet, and whether a working exploit is known and public. Where possible, multiple sources should be used to determine organizational risk. The university information security team monitors vulnerabilities and determines risk to the best of their ability. However, they cannot monitor every system on the network nor are they universal subject matter experts. Therefore, it is the responsibility of system administrators to be aware of and, if necessary, request help from vendors and/or the information security team regarding vulnerability and risk assessment on all their managed systems.

Risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other organizations, and the Nation. Risk assessments also consider risk from external parties, including contractors who operate systems on behalf of the organization, individuals who access organizational systems, service providers, and outsourcing entities. Risk assessments can also address information related to the system, including system design, the intended use of the system, testing results, and supply chain-related information or artifacts. Supply chain-related events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices, and insertion of malicious code.

*Common Vulnerability Scoring System (CVSS)

A CVSS score of 7-10 is considered a high impact vulnerability, a CVSS score of 4-6.9 is considered a moderate impact vulnerability and a CVSS of 0-3.9 is considered a low impact vulnerability. For more information see NVD - Vulnerability Metrics (nist.gov).