Threat and Vulnerability Management

February 28, 2022

Purpose

The purpose of this policy is to establish guidance around St. George’s University and University Support Services (collectively the Enterprise), Threat and Vulnerability activities. This policy outlines requirements for identification, assessment, and mitigation of threats to the Enterprise’s systems, and vulnerabilities within those systems. This document mandates the operational procedures required, including vulnerability scanning and assessment, patch management, and threat intelligence gathering.

Scope

This policy applies to all Information Systems used throughout the Enterprise, whether managed centrally or in a distributed fashion.

Background

The Enterprise is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities. The Enterprise’s Risk Management Policy authorizes the Risk Management Team to make informed decisions about managing security risks by gathering risk data from multiple sources. That team relies, in part, on Enterprise’s Threat and Vulnerability Management efforts as a source of risk information.

Definitions

  • Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
  • Vulnerability: Any weakness in an information system, system procedures, internal controls, or implementation that can be exploited or triggered by a threat source.
  • Vulnerability Scanning: A technique used to identify devices, device attributes, and associated vulnerabilities.
  • Vulnerability Analysis: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
  • Penetration Testing: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network, often involving issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers.
  • Patch Management: The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.
  • Threat Intelligence: The aggregation of knowledge about prominent and emerging security exploits that can be used to inform decisions about how to expand and improve SGU’s overall security program.
  • Indicators of Compromise (IOC): Artifacts observed on a network or in an operating system that increase confidence that the network or system has been compromised by a threat actor. Examples include virus signatures, Internet Protocol (IP) addresses, MD5 message-digest algorithm hashes of malware files, and Uniform Resource Locators (URLs) or domain names of botnet command and control servers.

Roles and Responsibilities

  • The Office of Information Technology: The Office of Information Technology (IT) is responsible for vulnerability management efforts, including vulnerability scanning and criticality assessment.
  • IT Security: IT Security is responsible for threat intelligence gathering efforts, including the monitoring of global services and forums that provide updates on prominent and growing security threats.
  • Business Owners: Business owners are responsible for understanding, and serving as the point of contact for, specific assets within the Enterprise’s technological environment.

Policy Statement

Threat Intelligence
Threat intelligence refers to the process of gathering and analyzing information about prevalent or newly discovered attacks or exploits. IT Security must maintain a body of sources for threat intelligence gathering. These sources can include paid services from threat intelligence providers, or free threat intelligence forums and communities available on the internet. Gathered threat intelligence should highlight commonly targeted devices and newly discovered Indicators of Compromise (IOCs).

Vulnerability Scanning
IT Security will conduct regular vulnerability scans to identify security gaps in the Enterprise’s devices and network. These scans will report on any identified vulnerabilities and assign them a generic vulnerability risk score. It is the responsibility of the IT Security team to assess these vulnerabilities and prioritize them based on risk to the Enterprise.

Patch Management
The Enterprise’s IT is also responsible for the patching of all systems. Based on the prioritization described above, IT must regularly apply patches to systems with the most critical vulnerabilities to mitigate the threat of exploitation. Information for all applied patches must be tracked, including patch version, patched devices, and the date and time of patching.

Penetration Testing
Penetration testing shall be performed regularly, both internally and by a third party, and any additional vulnerabilities identified by penetration testing should be handled by IT as part of vulnerability management.