Vulnerability Mitigation Policy
UCSB’s vulnerability management policy requires prompt mitigation of vulnerabilities rated by Mandiant Intelligence Risk Rating as Critical or High. Mandiant quantifies the risk and urgency of a vulnerability using CVSS ratings and threat intelligence information.
- Critical and High-rated vulnerabilities on publicly accessible devices must be mitigated within 14 days of their discovery date.
- Critical and High-rated vulnerabilities on internally accessible devices must be mitigated within 30 days of their discovery date.
Vulnerabilities still present after this time are subject to immediate quarantine (blocking) on the network.
Vulnerability Risk Exceptions
In some situations, vulnerable systems cannot be patched. In these situations, a Risk Exception Request may be submitted when an alternate mitigation or mitigations have been employed, documented, and accepted by the hosting department and the CISO as defined by system policy (IS-3).
A risk exception for a critical or high vulnerability on a system may exist for no longer than 12 months, at which point it may be extended upon confirmation from the hosting department that the same conditions exist as when the risk acceptance entry was created. Note that these risk exception entries do not prevent the system from being scanned; the risk exception entry creates an exception in the SLA for a specific vulnerability finding on a specific system during the acceptance period.
If a system owner believes a reported vulnerability results from a "false positive," they should submit a Risk Exception request with evidence about the false positive. A false positive is the detection of a vulnerability when, in fact, no vulnerability exists. In this case, the SOC will investigate the report and, if appropriate, change the finding state to "False Positive." The SOC will also regularly review false positive trends to determine if actions can be taken within the tooling to reduce or eliminate them. False positive exceptions, once granted, are persistent.
Some risk exceptions can be considered persistent, such as when the only mitigation for the vulnerability is a network-based ACL or firewall rule/security policy.
Scanner Access Policy
All devices connected to the university network must be “viewable” by the internal vulnerability scanner with the same access as other devices on the internal university network. Actions explicitly blocking the IP address or range of the internal vulnerability scanner are not permitted.
Scanning Agent Policy
As a part of UCSB’s responsibilities for comprehensive vulnerability management in the Cybersecurity Investment Plan, all university-owned devices (with Operating Systems that support Nessus Agents) must have an up-to-date Scanning Agent installed and configured to report to UCSB’s Tenable.io instance.
Related Policies
More information on relevant campus and systemwide policies can be found here:
- UCSB Network Citizenship
- UC IS-3: Electronic Information Security Policy
- UC Minimum Security Standard