Vulnerability Management Standard

Introduction

Vulnerability and Patch Management—the practice of identifying, classifying, remediating, and mitigating vulnerabilities—is a critical component of PSU’s information security strategy. This standard defines the minimum requirements for vulnerability management on all PSU information technology systems.

Purpose and Applicability

Vulnerability management is a fundamental part of the PSU information technology (IT) landscape and is essential to the maintenance and management of all IT assets. This includes identifying and addressing version or configuration flaws, as well as weaknesses that may affect endpoints, networking hardware, or any other system that hosts or accesses restricted or confidential data.

Definitions
Administrative Controls: Policies, procedures, or guidelines that define personnel or business practices to meet specified security objectives.

Application Administrator: An individual tasked with the management and/or maintenance of a cloud or server application. This person is generally the technical point of contact for the end users of the application and/or a vendor.

Common Vulnerabilities and Exposures (CVE): In vulnerability management, a CVE is a standardized name for a known cybersecurity vulnerability. It acts as a unique identifier for a specific security flaw, helping security professionals share information and coordinate efforts to address the vulnerability.

Common Vulnerability Scoring System (CVSS): A standardized framework used to assess and communicate the severity of security vulnerabilities. It assigns a numerical score (from 0 to 10) to each vulnerability, helping organizations prioritize remediation efforts based on potential impact.

Compensating Controls: Alternative security measures implemented when the prescribed technical controls or administrative controls cannot be applied, which provide an equivalent or greater level of protection than the original controls.

CVE Numbering Authority (CNA): An organization authorized by the CVE Program to assign CVE identifiers to new vulnerabilities and publish related information.

Device Custodian: The PSU employee who is managing the device or otherwise assigned the device.

Endpoint: A physical or virtual device that connects to a PSU network, including both physical and virtual desktops, laptops, printers, servers, and mobile and IoT devices.

ExPRT.AI Rating: The ExPRT (ExPRT.AI) Rating system is an AI-powered, dynamic vulnerability prioritization technology developed by CrowdStrike that surpasses traditional vulnerability scoring systems, such as CVSS, which provide static ratings. This dynamic approach continuously analyzes the evolving threat landscape by adjusting vulnerability ratings based on real-time exploit status and threat intelligence.

Managed Endpoint: A crucial process for maintaining a stable work and learning environment while ensuring compliance with centrally managed network-connected devices.

Technical Controls: Prescribed settings and controls applied to endpoints to meet specified security standards, including settings for user access, encryption, logging, and software restrictions.

Vulnerability Management: The process of identifying, assessing, prioritizing, and remediating security vulnerabilities in PSU endpoints.

Vulnerability Mitigation: Taking steps to reduce the likelihood or impact of a potential risk, usually before a remediation is available. Oftentimes this is a temporary measure until a remediation is available.

Vulnerability Remediation: Correcting or fixing an existing vulnerability by changing code and/or applying a software update. This usually results in a permanent solution for the vulnerability, though not always.

Standards and Procedures 

All networked information systems and applications must be scanned for vulnerabilities, and identified vulnerabilities must be remediated according to the schedule outlined in this standard. The Information Security Team, Endpoint Engineering Team, and the Vulnerability Management Working Group administer the vulnerability management program, as well as the processes and tools that support it.

Product Vulnerability Monitoring Responsibilities

Q: Who is responsible for monitoring for new vulnerabilities?
Operating system, application, and networked hardware administrators should subscribe to notifications for the vendor products used in their service operations, so that they receive email about new product vulnerabilities, and should regularly monitor PSU's CrowdStrike Vulnerability Management console.

Q: Who is responsible for mitigating and remediating vulnerabilities? 
Operating System, Application, and networked hardware administrators are responsible for monitoring, ticketing, applying temporary mitigations, and remediating vulnerabilities in the products they administer.

The Information Security Team has access to confidential notification services that provide timely warnings regarding emergent vulnerabilities and will share them with the appropriate teams.

The following table lists the sources from which PSU receives vulnerability information, together with the primary and secondary parties responsible for monitoring each source.

Source | Primary | Secondary
CISA's Known Exploited Vulnerabilities (KEV) list | OIT Information Security Team | Application Administrators
Federal Agency Bulletins | OIT Information Security Team | N/A
ISAC reports of active exploitation | OIT Information Security Team | Application Administrators
Vendor Notifications | System and Application Administrators | OIT Information Security Team
CrowdStrike Vulnerability Management | System and Application Administrators | OIT Information Security Team
Other Media Coverage | OIT Information Security Team | Application Administrators
Discovered Application Misconfiguration | System and Application Administrators | Application Administrators

Minimum Response Time to Vulnerabilities

Vulnerabilities in endpoints or applications must be evaluated and mitigated or remediated within standard timeframes that depend on their ExPRT ratings and CVSS Base Scores:

[Figure: Time to Remediate by CVSS score and ExPRT rating. Days to remediate range from 0 to 60; CVSS score ranges from 0.0 (Low) to 10.0 (Critical).]

Severity Rating | ExPRT Rating | CVSS Base Score | Evaluated Within | Mitigated or Remediated Within
Presence in CISA KEV list, or other credible intelligence | Critical | Any | 24 hours | ASAP, no more than 7 days
Critical | High | 9.0-10.0 | 24 hours | ASAP, no more than 7 days
High | Medium/High | 7.0-8.9 | 7 days | 14 days
Medium | Medium | 3.0-6.9 | 14 days | 28 days
Low | Low/Medium | 0.0-2.9 | 28 days | 45 days
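To make the table operational, here is an added Python example (not part of the PSU standard or its tooling) that assigns each scanner finding to a table row, computes its evaluation and remediation due dates, and lists what is overdue. It assumes the KEV row wins outright, that deadlines count from the discovery date, and that when the ExPRT rating and CVSS score point at different rows the more severe row applies; the CVE identifiers in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Response-time table from the standard, most severe first. The KEV / ExPRT Critical
# row applies to any CVSS score and is checked before the CVSS ranges.
SLA = {  # severity: (cvss_low, cvss_high, evaluate_within_days, remediate_within_days)
    "Critical": (9.0, 10.0, 1, 7),
    "High":     (7.0,  8.9, 7, 14),
    "Medium":   (3.0,  6.9, 14, 28),
    "Low":      (0.0,  2.9, 28, 45),
}
ORDER = list(SLA)  # dict order is most severe first
# Least severe row that lists each ExPRT rating, used as a floor. Assumption: the
# standard does not say how an ExPRT/CVSS disagreement resolves; the more severe wins.
EXPRT_FLOOR = {"High": "High", "Medium": "Low", "Low": "Low"}

@dataclass
class Finding:
    cve: str          # constructed placeholder IDs below, not real CVEs
    exprt: str        # CrowdStrike ExPRT rating: Critical/High/Medium/Low
    cvss: float       # CVSS Base Score, 0.0-10.0
    in_kev: bool      # listed in CISA KEV or other credible intelligence
    discovered: date  # date the scanner first reported the finding

def severity(f: Finding) -> str:
    """KEV / ExPRT Critical first; otherwise the more severe of CVSS row and ExPRT floor."""
    if f.in_kev or f.exprt == "Critical":
        return "Critical"
    cvss_row = next((s for s, (lo, hi, _, _) in SLA.items() if lo <= f.cvss <= hi), "Low")
    return min(cvss_row, EXPRT_FLOOR[f.exprt], key=ORDER.index)

def deadlines(f: Finding) -> dict:
    """Due dates counted from discovery (assumption: the standard says 'within' only)."""
    sev = severity(f)
    _, _, eval_days, fix_days = SLA[sev]
    return {"cve": f.cve, "severity": sev,
            "evaluate_by": f.discovered + timedelta(days=eval_days),
            "remediate_by": f.discovered + timedelta(days=fix_days)}

def overdue(findings, today_iso: str) -> list:
    """CVEs whose mitigate/remediate deadline has passed as of the ISO date given."""
    today = date.fromisoformat(today_iso)
    return sorted(d["cve"] for d in map(deadlines, findings) if d["remediate_by"] < today)

# Constructed sample scan results (not real CVEs), all discovered on the same day.
SAMPLE = [
    Finding("CVE-XXXX-0001", "Medium", 8.1, False, date(2025, 8, 1)),  # CVSS puts it in High
    Finding("CVE-XXXX-0002", "High",   5.5, False, date(2025, 8, 1)),  # ExPRT floor keeps it High
    Finding("CVE-XXXX-0003", "Low",    4.0, True,  date(2025, 8, 1)),  # KEV overrides everything
    Finding("CVE-XXXX-0004", "Medium", 1.2, False, date(2025, 8, 1)),  # Low on both axes
]
```

Running overdue(SAMPLE, "2025-08-20") returns the first three CVEs, since their 7- and 14-day windows have closed while the Low finding's 45-day window has not.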

Compensating Controls and Exceptions Approval

If a vulnerable system or application cannot be patched or reconfigured within the prescribed time period, a ticket should be submitted via the IT Security Consultation Form requesting consultation on developing, or approval of, compensating controls to mitigate the risks associated with the vulnerability.

If a compensating control is implemented, the vulnerability may still generate an alert. In that case the alert may be hidden for a short period so that other open vulnerabilities can be reviewed. Teams should suppress alerts only within their own team's dashboard, so as not to hide the vulnerability from the rest of IT.

Related Policies, Procedures, and Information

The controls specified in this standard may be augmented, substituted with compensating controls, or otherwise modified by a security plan duly authorized by the Information Security Team (SEC) and agreed to by the Device Custodian.

Point of Contact

Contact the OIT Information Security Team at help-security@pdx.edu or the OIT Vulnerability Management Working Group with questions, comments, or concerns about this PSU standard.


Approver: CIO, Office of Information Technology

Owner: CISO, Office of Information Technology

Date Originally Approved: July 31, 2025
Last Revised: n/a