VULNERABILITY MANAGEMENT POLICY
Policy Objective
This policy is to ensure the discovery, review, evaluation, and treatment of vulnerabilities in the systems that utilize, house, or interact with Parkland College data.
Scope
All individuals with responsibility for managing Parkland College's information assets, as well as all the information assets belonging to Parkland College.
Policy
Section 1 – Endpoints
- Endpoints must be evaluated regularly for vulnerabilities.
- Vulnerabilities identified must be evaluated for risk and remediated, mitigated, or treated in a timely manner.
- Endpoints must have systems in place to mitigate threats from viruses, malware, and other malicious software.
- Endpoints must be monitored for signs of malicious activity and action taken to remediate, as appropriate.
Section 2 – Servers and Networks
- Servers must be regularly scanned for vulnerabilities using the most comprehensive means available.
- Vulnerabilities identified must be evaluated for risk and remediated, mitigated, or treated in a timely manner.
- Servers and network devices must have appropriate protections applied commensurate with their risk profile and are subject to change control.
- Network architecture must be routinely reviewed for potential weaknesses and vulnerabilities.
- Network devices must be evaluated for vulnerabilities and appropriate measures applied to protect them.
Section 3 – Scanning and Penetration Testing
- Comprehensive vulnerability scans of the internal and external network must be conducted regularly.
- Comprehensive third-party penetration testing must be performed at a cadence advised by the current threat landscape and associated risks.
- Vulnerabilities and weaknesses identified during the scanning or penetration testing processes shall be prioritized and treated based on their severity and risk.
Section 4 – Patch Management
- Reasonable measures must be taken to ensure that all systems and software in use at Parkland College are kept up to date.
- All information assets must be scanned on a regular basis to identify missing patches and updates.
- Missing patches and updates that pose an unacceptable risk to Parkland College information assets and resources must be implemented within a period that is commensurate with the risk as determined by the Vulnerability and Patch Management Standard.
- Wherever possible, software updates and configuration changes applied to information assets must be tested prior to broad implementation and must be implemented in accordance with the Parkland College Change Management Policy.
Standards
ISP-06 - Vulnerability and Patch Management Standard (login required)