Threat and Vulnerability Management | St. George's University

Threat and Vulnerability Management

July 31, 2018

Purpose

The purpose of this policy is to establish guidance for the Threat and Vulnerability Management activities of St. George’s University, University Support Services, and any other operating units of Medforth Global Healthcare Education Group LP identified by management (collectively, the Enterprise). This policy outlines requirements for the identification, assessment, and mitigation of threats to the Enterprise’s systems and of vulnerabilities within those systems. This document mandates the required operational procedures, including vulnerability scanning and assessment, patch management, and threat intelligence gathering.

Scope

This policy applies to all Enterprise systems and data.

Background

The Enterprise is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities. The Enterprise’s Risk Management Policy authorizes the Risk Management Team to make informed decisions about managing security risks by gathering risk data from multiple sources. That team relies, in part, on the Enterprise’s Threat and Vulnerability Management efforts as a source of risk information.

Definitions

  • Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
  • Vulnerability: Any weakness in an information system, system procedures, internal controls, or implementation that can be exploited or triggered by a threat source.
  • Vulnerability Scanning: A technique used to identify devices, device attributes, and associated vulnerabilities.
  • Vulnerability Analysis: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.
  • Penetration Testing: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network, often involving issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers.
  • Patch Management: The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.
  • Threat Intelligence: The aggregation of knowledge about prominent and emerging security exploits that can be used to inform decisions about how to expand and improve SGU’s overall security program.
  • Indicators of Compromise (IOC): Artifacts observed on a network or in an operating system that increase confidence that the network or system has been compromised by a threat actor. These include virus signatures, Internet Protocol (IP) addresses, MD5 message-digest algorithm hashes of malware files, and Uniform Resource Locators (URLs) or domain names of botnet command and control servers.

Roles and Responsibilities

  • The Office of Information Technology:
    The Office of Information Technology (IT) is responsible for vulnerability management efforts, including vulnerability scanning and criticality assessment.
  • Security Division:
    The Security Division of IT is responsible for threat intelligence gathering efforts, including the monitoring of global services and forums that provide updates on prominent and growing security threats.
  • Business Owners:
    Business owners are responsible for understanding, and serving as the point of contact for, specific assets within the Enterprise’s technological environment.
  • Contractors and Third Parties:
    All contractors and third-party vendors are responsible for notifying the Enterprise of any vulnerabilities in their products when they are discovered. As applicable, they are also responsible for providing patches for identified vulnerabilities in their devices/software, including support for necessary operating system upgrades.

Policy Statement

Threat Intelligence
Threat intelligence refers to the process of gathering and analyzing information about prevalent or newly discovered attacks or exploits. The Enterprise’s Security Division must maintain a body of sources for threat intelligence gathering. These sources can include paid services from threat intelligence providers, or free threat intelligence forums and communities available on the internet. Gathered threat intelligence should highlight commonly targeted devices and newly discovered indicators of compromise (IOCs). Reports on gathered intelligence should be passed periodically to IT and the Risk Management Team, and reported IOCs should be used to inform all security monitoring activities.

Vulnerability Scanning
The Enterprise’s IT will conduct regular vulnerability scans to identify security gaps in the Enterprise’s devices and network. These scans will report on any identified vulnerabilities and assign them a criticality level and a Common Vulnerability Scoring System (CVSS) Base Score. Levels and recommended remediation windows for Base Score ranges are described in the table below. Based on these reported CVSS scores and knowledge of the Enterprise’s technological environment, IT is responsible for prioritizing the identified vulnerabilities. For identified vulnerabilities that cannot be remediated, IT is also responsible for providing options for mitigation and reporting those options to the Risk Management Team.

Criticality Level    CVSS Base Score Range    Remediation Window
Critical             9.0-10.0                 Not to exceed 7 days or shortest possible window
High                 7.0-8.9                  Not to exceed 30 days or shortest possible window
Medium/Moderate      4.0-6.9                  Not to exceed 90 days or shortest possible window
Low/Informational    0.1-3.9                  Determined on a case-by-case basis
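The table above is easiest to apply when it is encoded once and run over every scan export. The following is an added example, not code from the policy or from the university's IT department: it maps each finding's CVSS base score to the criticality band and remediation window in the table, counts the window from the date the scanner first reported the finding (an assumption; the policy does not fix the start date), and flags findings that are still open past their deadline. The `Finding` fields, host names, check names and dates are constructed for illustration, and the handling of a 0.0 score, which the table does not list, is likewise an assumption.

```python
"""Vulnerability triage helper for the criticality table in this policy.

Added example, not part of the policy: assigns each scan finding a
criticality level and a remediation deadline from its CVSS base score,
then flags findings still open past their window. Band thresholds and
windows come from the policy table; finding fields, host names and scan
data are constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# (lower bound, upper bound, level, maximum remediation window in days).
# None means the window is determined case by case.
BANDS = (
    (9.0, 10.0, "Critical", 7),
    (7.0, 8.9, "High", 30),
    (4.0, 6.9, "Medium/Moderate", 90),
    (0.1, 3.9, "Low/Informational", None),
)
RANK = {level: i for i, (_, _, level, _) in enumerate(BANDS)}

# Date of this policy, used as the reporting date for the sample run.
REPORT_DATE = date(2018, 7, 31)


def criticality(score: float) -> Tuple[str, Optional[int]]:
    """Map a CVSS base score to (level, max_days) using the policy bands.

    The score is rounded to one decimal first, as CVSS publishes it, so an
    unrounded value from a scanner export cannot fall into the gap between
    two bands (for example between 8.9 and 9.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    s = round(score, 1)
    for low, high, level, days in BANDS:
        if low <= s <= high:
            return level, days
    # 0.0 is CVSS "None", which the table does not list; treating it as
    # Low/Informational (case by case) is an assumption of this example.
    return "Low/Informational", None


@dataclass
class Finding:
    host: str
    check: str                          # scanner check name (constructed)
    cvss: float
    first_seen: date                    # date the scanner first reported it
    remediated: Optional[date] = None   # filled in from patch records


@dataclass
class Triaged:
    finding: Finding
    level: str
    due: Optional[date]
    overdue: bool


def triage(findings: List[Finding], today: date) -> List[Triaged]:
    """Return findings ordered by criticality, then by earliest deadline.

    A finding is overdue when it has a fixed window, is still open, and
    today is past the deadline; case-by-case findings are never auto-flagged."""
    result = []
    for f in findings:
        level, days = criticality(f.cvss)
        due = f.first_seen + timedelta(days=days) if days is not None else None
        overdue = due is not None and f.remediated is None and today > due
        result.append(Triaged(f, level, due, overdue))
    result.sort(key=lambda t: (RANK[t.level], t.due or date.max))
    return result


def overdue_hosts(findings: List[Finding], today: date) -> List[str]:
    """Hosts with at least one open finding past its remediation window."""
    return sorted({t.finding.host for t in triage(findings, today) if t.overdue})


# Constructed sample scan output; hosts and checks are not real.
SAMPLE_FINDINGS = [
    Finding("web-01.example.edu", "outdated TLS library", 9.8, date(2018, 7, 20)),
    Finding("db-02.example.edu", "weak database auth", 7.5, date(2018, 7, 10)),
    Finding("lab-03.example.edu", "missing OS patches", 5.3, date(2018, 4, 1)),
    Finding("lab-03.example.edu", "banner disclosure", 2.1, date(2018, 1, 1)),
    Finding("web-01.example.edu", "old web server", 9.0, date(2018, 7, 15),
            remediated=date(2018, 7, 21)),
]

if __name__ == "__main__":
    for t in triage(SAMPLE_FINDINGS, REPORT_DATE):
        state = "OVERDUE" if t.overdue else ("fixed" if t.finding.remediated else "open")
        print(f"{t.level:<18} {t.finding.host:<20} due {t.due or 'case-by-case'} {state}")
```

Run as a script, it prints the prioritized list for the constructed sample; in practice the `Finding` list would be built from the scanner's export and `remediated` set from the patch tracking records that the Patch Management section requires, so the same run also shows which fixes closed their findings inside the window.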

Patch Management
The Enterprise’s IT is also responsible for the patching of all systems. Based on the prioritization described above, IT must regularly apply patches to systems with the most critical vulnerabilities to mitigate the threat of exploitation. Information for all applied patches must be tracked, including patch version, patched devices, and the date and time of patching.

Penetration Testing
Penetration testing shall be performed regularly, both internally and by a third party, and any additional vulnerabilities identified by penetration testing should be handled by IT as part of vulnerability management.

Related Documents