Introduction
Vulnerability and Patch Management—the practice of identifying, classifying, remediating, and mitigating vulnerabilities—is a critical component of PSU’s information security strategy. This standard defines the minimum requirements for vulnerability management on all PSU information technology systems.
Purpose and Applicability
Vulnerability management is a fundamental part of the PSU information technology (IT) landscape. It is essential for the maintenance and management of all information technology assets. This includes identifying and addressing version or configuration flaws, as well as weaknesses that may affect endpoints, networking hardware, or any other system that hosts or accesses restricted or confidential data.
Definitions
| Term | Definition |
| --- | --- |
| Administrative Controls | Policies, procedures, or guidelines that define personnel or business practices to meet specified security objectives. |
| Application Administrator | An individual tasked with the management and/or maintenance of a cloud or server application. This person is generally the technical point of contact for the end users of the application and/or a vendor. |
| Common Vulnerabilities and Exposures (CVE) | In vulnerability management, a CVE (Common Vulnerabilities and Exposures) is a standardized name for a known cybersecurity vulnerability. It acts as a unique identifier for a specific security flaw, helping security professionals share information and coordinate efforts to address the vulnerability. |
| Common Vulnerability Scoring System (CVSS) | The Common Vulnerability Scoring System (CVSS) is a standardized framework used to assess and communicate the severity of security vulnerabilities. It assigns a numerical score (from 0 to 10) to each vulnerability, helping organizations prioritize remediation efforts based on potential impact. |
| Compensating Controls | Alternative security measures implemented when the prescribed technical controls or administrative controls cannot be applied, which provide an equivalent or greater level of protection than the original controls. |
| CVE Numbering Authority (CNA) | A CVE Numbering Authority (CNA) is an organization authorized by the CVE Program to assign CVE identifiers to new vulnerabilities and publish related information. |
| Device Custodian | The PSU employee who is managing the device or otherwise assigned the device. |
| Endpoint | A physical or virtual device that connects to a PSU network, including both physical and virtual desktops, laptops, printers, servers, and mobile and IoT devices. |
| ExPRT.AI Rating | The ExPRT (ExPRT.AI) Rating system is an AI-powered, dynamic vulnerability prioritization technology developed by CrowdStrike that surpasses traditional vulnerability scoring systems, such as CVSS, which provide static ratings. This dynamic approach continuously analyzes the evolving threat landscape by adjusting vulnerability ratings based on real-time exploit status and threat intelligence. |
| Managed Endpoint | A network-connected device that is centrally managed. Central management of endpoints is a crucial process for maintaining a stable work and learning environment while ensuring compliance. |
| Technical Controls | Prescribed settings and controls applied to endpoints to meet specified security standards, including settings for user access, encryption, logging, and software restrictions. |
| Vulnerability Management | The process of identifying, assessing, prioritizing, and remediating security vulnerabilities in PSU endpoints. |
| Vulnerability Mitigation | Mitigation refers to taking steps to reduce the likelihood or impact of a potential risk, usually before a remediation is available. Oftentimes, this is a temporary measure until a remediation is available. |
| Vulnerability Remediation | Remediation usually involves correcting or fixing an existing vulnerability by changing code and/or applying a software update. This usually results in a permanent solution for the vulnerability, though not always. |
Standards and Procedures
All networked information systems and applications must be scanned for vulnerabilities, and identified vulnerabilities must be remediated according to the schedule outlined in this standard. The Information Security Team, Endpoint Engineering Team, and the Vulnerability Management Working Group administer the vulnerability management program, as well as the processes and tools that support it.
Product Vulnerability Monitoring Responsibilities
Q: Who is responsible for monitoring for new vulnerabilities?
Operating System, Application, and networked hardware administrators should sign up for notifications for the vendor products used in their service operations to receive email about new product vulnerabilities and regularly monitor PSU’s CrowdStrike Vulnerability Management console.
Q: Who is responsible for mitigating and remediating vulnerabilities?
Operating System, Application, and networked hardware administrators are responsible for monitoring, ticketing, applying temporary mitigations, and remediating vulnerabilities in the products they administer.
The Information Security Team has access to confidential notification services that provide timely warnings regarding emergent vulnerabilities and will share them with the appropriate teams.
The following table lists the sources from which PSU receives vulnerability information, along with the primary and secondary parties responsible for monitoring each source.
| Source | Primary | Secondary |
| --- | --- | --- |
| CISA's Known Exploited Vulnerabilities (KEV) list | OIT Information Security Team | Application Administrators |
| Federal Agency Bulletins | OIT Information Security Team | N/A |
| ISAC reports of active exploitation | OIT Information Security Team | Application Administrators |
| Vendor Notifications | System and Application Administrators | OIT Information Security Team |
| CrowdStrike Vulnerability Management | System and Application Administrators | OIT Information Security Team |
| Other Media Coverage | OIT Information Security Team | Application Administrators |
| Discovered Application Misconfiguration | System and Application Administrators | Application Administrators |
Minimum Response Time to Vulnerabilities
Vulnerabilities in endpoints or applications must be evaluated and mitigated or remediated within standard timeframes that depend on their ExPRT ratings and CVSS Base Scores:
| Severity Rating | ExPRT Rating | CVSS Base Score | Evaluated Within | Mitigated or Remediated Within |
| --- | --- | --- | --- | --- |
| Presence in CISA KEV list, or other credible intelligence | Critical | Any | 24 hours | ASAP, no more than 7 days |
| Critical | High | 9.0-10.0 | 24 hours | ASAP, no more than 7 days |
| High | Medium/High | 7.0-8.9 | 7 days | 14 days |
| Medium | Medium | 3.0-6.9 | 14 days | 28 days |
| Low | Low/Medium | 0.0-2.9 | 28 days | 45 days |
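As an added illustration (not part of the PSU standard or any PSU tooling), the following Python script turns the response-time table into an SLA check that a team could run over an export of its own findings: it derives the severity band from KEV presence, ExPRT rating and CVSS base score, computes the evaluation and remediation deadlines from the discovery date, and reports which clocks have expired without a recorded action. The sample findings are constructed. Two points are assumptions rather than rules stated in the table: where the ExPRT and CVSS columns disagree, the stricter of the two bands is used, and each ExPRT rating is mapped to the highest-severity row that lists it; the "24 hours" entries are treated as one calendar day.

```python
"""SLA triage of vulnerability findings against the response-time table above (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Response-time table from the standard, in days: severity -> (evaluate within, mitigate/remediate within).
# "24 hours" is treated as one calendar day (assumption).
SLA_DAYS = {
    "Critical": (1, 7),
    "High": (7, 14),
    "Medium": (14, 28),
    "Low": (28, 45),
}
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

# Assumption: the ExPRT column overlaps across rows, so each rating is mapped to the
# highest-severity row that lists it (the stricter reading of the table).
EXPRT_SEVERITY = {"Critical": "Critical", "High": "Critical", "Medium": "High", "Low": "Low"}


@dataclass
class Finding:
    """One vulnerability instance on one endpoint (constructed sample data, not real PSU records)."""
    finding_id: str
    discovered: date                 # date the finding first appeared in the console or an advisory
    cvss_base: float
    exprt: str                       # ExPRT rating: Low / Medium / High / Critical
    in_kev: bool = False             # listed in CISA KEV or flagged by other credible intelligence
    evaluated_on: Optional[date] = None
    remediated_on: Optional[date] = None   # date mitigation or remediation was completed


def severity_from_cvss(score: float) -> str:
    """Map a CVSS base score to the table's severity band (boundaries are inclusive as printed)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 3.0:
        return "Medium"
    return "Low"


def classify(f: Finding) -> str:
    """KEV presence is always Critical; otherwise the stricter of the CVSS and ExPRT bands (assumption)."""
    if f.in_kev:
        return "Critical"
    by_cvss = severity_from_cvss(f.cvss_base)
    by_exprt = EXPRT_SEVERITY[f.exprt]
    return max(by_cvss, by_exprt, key=SEVERITY_RANK.__getitem__)


def deadlines(f: Finding) -> tuple[date, date]:
    """Return (evaluation deadline, mitigation/remediation deadline) counted from discovery."""
    eval_days, fix_days = SLA_DAYS[classify(f)]
    return f.discovered + timedelta(days=eval_days), f.discovered + timedelta(days=fix_days)


def overdue_items(f: Finding, today: date) -> list[str]:
    """List which SLA clocks have expired without the corresponding action being recorded."""
    eval_due, fix_due = deadlines(f)
    issues = []
    if f.evaluated_on is None and today > eval_due:
        issues.append("evaluation")
    if f.remediated_on is None and today > fix_due:
        issues.append("remediation")
    return issues


def sla_report(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Map finding id -> overdue clocks, listing only findings that are out of SLA."""
    report = {}
    for f in findings:
        items = overdue_items(f, today)
        if items:
            report[f.finding_id] = items
    return report


# Constructed sample export: three findings discovered on the same day.
SAMPLE_FINDINGS = [
    Finding("F-1", date(2024, 3, 1), 7.5, "High", in_kev=True),                    # KEV -> Critical
    Finding("F-2", date(2024, 3, 1), 6.5, "Medium", evaluated_on=date(2024, 3, 5)),  # High via ExPRT
    Finding("F-3", date(2024, 3, 1), 2.0, "Low",
            evaluated_on=date(2024, 3, 20), remediated_on=date(2024, 4, 1)),         # Low, closed in time
]
REPORT_DATE = date(2024, 3, 20)

if __name__ == "__main__":
    for finding_id, items in sla_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{finding_id}: overdue {', '.join(items)}")
```

Run against the constructed data on the report date, F-1 is overdue on both clocks (Critical, discovered 19 days earlier with no action recorded), F-2 was evaluated in time but is past its 14-day remediation deadline, and F-3 is within SLA. The stricter-of-two rule is deliberate: a low CVSS score with a raised ExPRT rating means the threat intelligence side sees active exploitation risk, and the table's purpose is to shorten the response window in that case, not lengthen it.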
Compensating Controls and Exceptions Approval
If a vulnerable system or application cannot be patched or reconfigured within the prescribed time period, a ticket should be submitted via the IT Security Consultation Form to request consultation on developing, or approval of, compensating controls that mitigate the risks associated with the particular vulnerability.
If a compensating control is implemented, an alert for the vulnerability may still be present. In that case the alert may be hidden for a short period of time so that other open vulnerabilities can be reviewed. Teams should only suppress alerts within their own team's dashboard so as not to hide the vulnerability from the rest of IT.
Related Policies, Procedures, and Information
The controls specified in this standard may be augmented, substituted with compensating controls, or otherwise modified by a security plan duly authorized by the Information Security Team (SEC) and agreed to by the Device Custodian.
Point of Contact
Contact the OIT Information Security Team at help-security@pdx.edu or the OIT Vulnerability Management Working Group with questions, comments, or concerns about this PSU standard.