Vulnerability Risk Ranking Procedure
Scope
Information Technology Services will use this process to identify and assign a risk ranking to newly discovered security vulnerabilities. The intention of this process is to ensure that the university keeps up to date with new vulnerabilities that may impact the computing infrastructure in general, and the high security (Credit Card Processing) environment in particular. While it is important to monitor vendor announcements for news of vulnerabilities and patches related to their products, it is equally important to monitor common industry vulnerability news groups and mailing lists for vulnerabilities and potential workarounds that may not yet be known or resolved by the vendor.
Purpose
When vulnerabilities are disclosed that could affect the university’s computing environment, the risk that vulnerability poses must be evaluated and ranked. This procedure outlines Loyola University Chicago’s method to evaluate vulnerabilities and assign risk rankings on a consistent basis.
The resulting processes deployed will be in support of and in compliance with the following legal and regulatory requirements:
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Data Security Standard (DSS)
Standards
Daily Vulnerability Identification Process
Vulnerabilities are identified by the University Information Security Office (UISO) using the following methods:
- Scouting new vulnerabilities and patches via web resources and email lists.
- Daily monitoring for new vulnerabilities that can impact the infrastructure.
- Evaluation of the vulnerability’s applicability to the environment.
- Implementation of a risk-based approach aimed at evaluating the actual threat that the vulnerability poses to the infrastructure.
- Aggregation of all information in a centralized gathering point.
- Analysis of all collected information.
- Alerting administrators of any critical vulnerability and/or available patch.
Bi-weekly Vulnerability Review Process
Representatives from each of the 14 functional areas of ITS meet on a bi-weekly basis to identify applicable vulnerabilities and patch information for the Loyola University Chicago infrastructure, and maintain a centralized “knowledge pool” in which these are aggregated. Newly discovered vulnerabilities and newly released patches are reviewed through regular monitoring of common publishers of vulnerability information. The following sites are used to provide vulnerability information for review:
- http://www.us-cert.gov/cas/techalerts/
- http://tools.cisco.com/security/center/home.x
- http://nvd.nist.gov/
All information collected from the community sites, as well as from appropriate vendor sites, is documented in a vulnerability knowledge pool to make access and analysis more efficient. Functional area leads then perform an additional applicability review and either provide a remediation plan or close the vulnerability once it is mitigated.
Vulnerability Analysis Process
The process used to assess vulnerability and patch information is based on the CVSS score as published in the NIST National Vulnerability Database. The CVSS rating is a risk rating derived from a combination of variables, such as the consequences of the vulnerability being exploited and the ease with which an attack attempt could succeed. The PCI-DSS standard uses the Common Vulnerability Scoring System (CVSS-SIG) to measure vulnerability risk, and considers any vulnerability ranked 4.0 or more as high risk that should be managed with the utmost priority.
CVSS Vulnerability Severity Ratings
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores:
- Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0–3.9.
- Vulnerabilities are labeled "Medium" severity if they have a CVSS base score of 4.0–6.9.
- Vulnerabilities are labeled "High" severity if they have a CVSS base score of 7.0–10.0.
Other Analysis Considerations
- Applicability: defining whether or not the alert applies to the Loyola University Chicago infrastructure.
- System Component positioning: defining whether or not the alert applies to a component in the High Security (Credit Card Processing) environment.
Vulnerability Notification Process
Based on the analysis, the appropriate system and network administrators are notified of relevant patches and/or control procedures for mitigating the vulnerability. The UISO alerts the appropriate administrators of newly identified vulnerabilities via three different notification schemes, based on the priority rating assigned:
- High severity—As soon as possible
- Medium and Low—Monthly
Vulnerability notifications will be delivered via e-mail.
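As an added example (not part of the procedure text), the following Python encodes the ranking steps above: the NVD severity bands, the PCI-DSS 4.0 high-risk threshold, and the applicability and component-positioning checks, and returns the notification scheme. Two rules are assumptions rather than stated on the page: a PCI high-risk finding on a Credit Card Processing component is escalated to High priority even when NVD labels it Medium, and an alert that does not apply to the infrastructure is closed without notification.

```python
from dataclasses import dataclass

# NVD severity bands for CVSS base scores, as listed in the procedure.
NVD_BANDS = (("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0))
PCI_HIGH_RISK_THRESHOLD = 4.0  # PCI-DSS treats a score of 4.0 or more as high risk


@dataclass(frozen=True)
class Triage:
    nvd_severity: str    # "Low" / "Medium" / "High"
    pci_high_risk: bool  # score >= 4.0
    priority: str        # rating used to select the notification scheme
    notification: str    # "As soon as possible", "Monthly", or "None (not applicable)"


def nvd_severity(score: float) -> str:
    """Map a CVSS base score to the NVD Low/Medium/High label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal; keeps values inside a band
    for label, low, high in NVD_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: bands cover 0.0-10.0")


def triage(score: float, applicable: bool, in_cde: bool) -> Triage:
    """Apply the analysis considerations to one vulnerability.

    applicable: the alert applies to the university infrastructure.
    in_cde: the affected component sits in the High Security (Credit Card
            Processing) environment.
    Assumption: PCI high risk on a CDE component escalates to High priority,
    and non-applicable alerts are closed without notification.
    """
    severity = nvd_severity(score)
    pci_high = round(score, 1) >= PCI_HIGH_RISK_THRESHOLD
    if not applicable:
        return Triage(severity, pci_high, "Closed", "None (not applicable)")
    escalate = pci_high and in_cde
    priority = "High" if severity == "High" or escalate else severity
    # High severity: as soon as possible; Medium and Low: monthly.
    notification = "As soon as possible" if priority == "High" else "Monthly"
    return Triage(severity, pci_high, priority, notification)


if __name__ == "__main__":
    # Constructed sample: a 5.5 finding on a CDE component vs. a general server.
    print(triage(5.5, applicable=True, in_cde=True))
    print(triage(5.5, applicable=True, in_cde=False))
```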
Exceptions
Exceptions to this process will be handled in accordance with the ITS Security Policy.
Review
This process will be maintained in accordance with the ITS Security Policy.
History and Updates
- Initial Policy Created: October 5, 2012
- PCI Compliance Review: July 6, 2015
- Author: University Information Security Office (UISO)
- Version: 1.1