IT Vulnerability Management Standard

I. Purpose

This Standard supports and supplements FSU Technology Policies and provides additional security and privacy best practices. It establishes a framework for identifying, assessing, and remediating vulnerabilities on devices connected to FSU networks and the requirements for compliance. Vulnerabilities within networks, software applications, and operating systems, often as a result of server or software misconfigurations, improper file settings, unpatched systems, or outdated software versions, are a significant threat to the network and other IT resources.

Standards will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances. All users are required to comply with FSU policies or obtain an exception in accordance with the Request for Exception to IT Security Policy.

II. Definitions

Authenticated Scan – An authenticated scan obtains accurate vulnerability information on assets by authenticating with the required level of system access to obtain detailed and accurate information about the operating system and installed software.

Compensating Control – a temporary mechanism put in place to manage a security risk and meet a security objective that is otherwise deemed impractical to implement at the present time. Compensating controls should only be considered when a specific security requirement or security control objective cannot be met due to legitimate technical or documented business or legal constraints. Compensating controls must sufficiently manage or mitigate the risk associated with the vulnerability through implementation of alternative controls.

Consolidated University Unit – a consolidated group of related university units that has management authority and responsibility for compliance with IT policies, standards, and guidelines.

Information Security Incident – a suspected, attempted, successful, or imminent threat of unauthorized access, use, disclosure, breach, modification, or destruction of information; interference with information technology operations; or significant violation of responsible use policy.

IT Assets – technology resources including, but not limited to, computers, networks, servers, applications, databases, software, and operating systems that are owned, managed, and/or sponsored by IT Asset Custodians.

Mitigation – a temporary solution to minimize a threat's negative impact when it cannot be eliminated.

Remediation – removing cybersecurity threat(s) by patching or fixing weaknesses that are detected in assets, networks, and applications.

Threat – any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Vulnerability – a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Full IT Glossary

III. Standard

FSU has adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity in conjunction with NIST 800-53 Controls as the foundation for a risk-based approach to cybersecurity management. The Cybersecurity Framework (CSF) Core uses common cybersecurity functions, activities, and desired outcomes to align university policy to the management of IT risk. The CSF Core leverages industry standards, guidelines, and practices to establish baseline expectations for cybersecurity for all university units.

Consolidated University Units (CUUs) are responsible for using this framework and controls to assess their unique risks, threats, vulnerabilities, and risk tolerances to determine an appropriate risk management plan that complies with FSU Technology Policies, Standards and Guidelines.

Controls supporting this Standard include, but are not limited to:

NIST Cybersecurity Framework and Controls

Function: Identify (ID)
Category: Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Desired Outcomes:
  • ID.RA-1: Asset vulnerabilities are identified and documented
  • ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
  • ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • ID.RA-6: Risk responses are identified and prioritized

Function: Detect (DE)
Category: Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.
Desired Outcomes:
  • DE.CM-4: Malicious code is detected
  • DE.CM-8: Vulnerability scans are performed

Function: Protect (PR)
Category: Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
Desired Outcome:
  • PR.IP-12: A vulnerability management plan is developed and implemented

Full CSF Crosswalk to Controls: NIST Crosswalk
*The above NIST chart describing Cybersecurity Framework and Controls and the link to other NIST Crosswalk principles and information in no way belongs to or is owned by Florida State University.

Roles and Responsibilities

Chief Information Security Officer (CISO) and Information Security and Privacy Office (ISPO)
The CISO directs the Information Security and Privacy Office (ISPO) for the University. The CISO reports to the CIO and the Provost and serves as both the CISO and the Chief Privacy Officer for FSU. The CISO and ISPO are responsible for enforcing the application of appropriate operational security controls necessary to mitigate risks associated with unauthorized disclosure, loss, or theft of university information.
Consolidated University Unit (CUU) Dean, Director, or Department Head (DDDH)
The Dean, Director, Department Head, or other managerial position responsible for protecting the confidentiality, availability, and integrity of university IT Assets within a CUU. The CUU DDDH has responsibility for ensuring IT security and privacy for the units within the CUU.
Consolidated University Unit (CUU) Information Security Manager (ISM)
The liaison designated by the CUU Dean, Director, or Department Head (DDDH) responsible for coordinating the CUU’s information security program. The CUU ISM is the central point of contact between the University Units and ISPO for security issues. CUU ISM responsibilities will be included in position descriptions.
University Unit Information Security Manager (ISM)
The liaison designated by a University Unit Dean, Director, or Department Head (DDDH) responsible for ensuring a university unit’s compliance with security IT policies, standards, and guidelines, in coordination with their designated CUU’s information security program.
IT Asset Custodian
An individual with responsibility for the configuration, implementation, management, monitoring, oversight, and day-to-day operations of university IT Assets. IT Assets include but are not limited to enterprise or distributed networks, servers, applications, databases, and operating systems.

For more information, see IT Roles and Responsibilities.

Vulnerability Management Program

IT systems, applications, infrastructure, and data must be properly secured to protect against data breaches, exploits and other cybersecurity vulnerabilities that could pose significant consequences for the university. An effective Vulnerability Management Program (VMP) provides FSU with a strategic first line of defense aimed at identifying, evaluating, and remediating system and application vulnerabilities that could allow unauthorized access or malicious exploitation by intruders.

Cybersecurity vulnerabilities are security flaws in software, hardware, or configuration of information technology (IT) resources that, if exploited, would result in a negative impact to the confidentiality, integrity, or availability of FSU data, the network, or IT resources and infrastructure. Data breaches impose significant risks, including, but not limited to, identity theft, reputational damage, compromise of confidential data, and resulting legal ramifications.

Vulnerability management includes the regular practice of scanning for, classifying, and remediating vulnerabilities associated with FSU IT systems, devices, software, and the university's network. ISPO is responsible for FSU’s vulnerability management program and for mitigation of security risks to an acceptable level. ISPO monitors for malicious activity and issues alerts and advisories about known vulnerabilities. Recommended remediation may be provided based on information received from trusted information security sources. Systems or applications that pose a potential threat to FSU’s IT resources may be blocked from the network.

CUU and University Unit ISMs are responsible for ensuring a vulnerability management program is in place for the CUU/University Units. Asset Custodians are required to identify and document all IT resources they are responsible for managing and to implement an effective vulnerability management program to protect them, including patch management, current anti-virus protection, etc. (See Security Configuration Management Standard). This includes resources managed through third-party vendor agreements.

Vulnerability Management Requirements

The CUU DDDH is responsible for reporting the effectiveness of vulnerability and remediation activities for the CUU to ISPO and FSU senior management. CUU and University Unit ISMs are responsible for ensuring proper vulnerability management is implemented for the IT Assets within the CUU.

IT Asset Custodians are responsible for ensuring compliance with the following requirements for the IT Assets they manage:

  • IT Asset Custodians shall adopt and implement baseline, hardened configurations for all systems they are responsible for operating, managing, or supporting. See IT Security Configuration Management Standard.
  • IT Asset Custodians and IT Application Custodians are responsible for performing effective testing and for following a consistent internal change management process for configuration changes, as required by IT Security Configuration Management Standard.
  • All computers and other devices must have up-to-date security patches. IT Asset Custodians must develop and implement patch management processes to apply operating system and/or application security patch updates for the IT systems, devices, and applications they are responsible for managing.
  • End-of-support systems (systems no longer being issued patches or security updates in response to vulnerabilities) must be replaced by a supported system.
  • IT Asset Custodian(s) shall develop and implement a method to review vendor and third-party security alerts against configuration standards and installed patches. The output of this process shall be made available to ISPO upon request.
  • Anti-virus and anti-malware software are used to prevent known and likely malicious activities. All university workstations and other devices must have up to date anti-virus and anti-malware installed and functioning to protect against these vulnerabilities. Failure to do so may result in revocation of network access.
  • Devices shall be configured to take advantage of the FSU-provided network malware filtering (Umbrella).
  • All devices that connect to FSU's network must be configured as required to ensure participation in the FSU Enterprise Endpoint Detection and Response program.
  • Asset Custodians shall not disable enterprise security controls without obtaining an approved exception in accordance with the Request for Exception to IT Security Policy.
  • Vulnerabilities related to the coding of custom applications must be addressed as required by the Application Secure Coding Standard.
  • ISPO vulnerability alerts must be investigated, verified and resolved as directed by the alert.

Vulnerability Scanning

Properly configured vulnerability scanning identifies software vulnerabilities, missing system patches, and improper configurations. Regular vulnerability scanning, along with the timely and consistent application of vendor-supplied security patches or other remediation of a reported vulnerability, is a critical component in protecting FSU’s network, systems, and data from damage or loss, as well as in meeting regulatory, compliance, and contractual requirements.

All FSU systems and applications are required to be scanned for vulnerabilities using the ITS-provided Vulnerability Management system. IT Asset Custodians shall implement authenticated scans to ensure that scan results are accurate and complete and to reduce the likelihood that certain vulnerabilities would otherwise be missed or overlooked. If units determine that authenticated scans cannot be implemented, or if there is substantial risk associated with running authenticated vulnerability scans, the unit is required to submit a Request for Exception to Security Policy. Devices that are auto-updated by the vendor or not under the control of FSU shall also be monitored to ensure security updates are applied in a timely fashion.

Vulnerability assessments will be conducted:

  • at the completion of the operating system installation
  • at the completion of the installation of any vendor-provided or in-house developed application
  • just prior to moving the IT Asset into production
  • at the completion of an image or template designed for deployment of multiple devices
  • for vendor-provided information systems, prior to user acceptance testing and again before moving into production

Vulnerability Scanning Frequency
All users are responsible for maintaining compliance with this Standard which establishes minimum baseline requirements for managing cybersecurity vulnerabilities. IT Asset Custodians or their delegated IT Asset Managers are required to scan their FSU systems and applications for vulnerabilities on at least a monthly basis. Systems, databases, or applications that maintain, process, transmit, or store High Risk or Moderate Risk data, as defined by the Data Security Standard, may have additional requirements.

Additional timeframe requirements for remediating or mitigating vulnerabilities apply for data classified as High Risk or Moderate Risk Data. At their discretion, CUUs may adopt and implement stricter standards based upon the IT systems, data, and information they are responsible for managing.

Vulnerability Classification

Remediation must be prioritized based on the degree of associated severity and the impact on the confidentiality, integrity, or availability of the vulnerable system. Vulnerability severity is based on the industry-standard NIST Common Vulnerability Scoring System (CVSS).

Critical Risk Vulnerabilities
Loss of system or data (Confidentiality, Integrity, Availability) is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization, e.g., students, faculty, and staff. Exploit development has reached the level of reliable, widely available, easy-to-use automated tools. Flaws could be easily exploited by an unauthenticated (or authenticated) remote attacker and lead to system compromise (arbitrary code execution) without requiring user interaction. CVSS Base Score 9.0-10.0.

High Risk Vulnerabilities
Loss of system or data (Confidentiality, Integrity, Availability) is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). Functional exploit code is available. The exploit code works in most situations where the vulnerability exists. These types of vulnerabilities allow local users to gain privileges, allow unauthenticated, remote users to view resources that should otherwise be protected by authentication, allow authenticated remote users to execute arbitrary code, or allow remote users to cause a denial of service. CVSS Base Score 7.0-8.9.

Moderate Risk Vulnerabilities
Loss of system or data (Confidentiality, Integrity, Availability) is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). This rating is given to flaws that may be more difficult to exploit but could still lead to compromise under certain circumstances. These are the types of vulnerabilities that could have a critical or important impact but are less easily exploited based on a technical evaluation of the flaw, or that affect or require an unlikely configuration. CVSS Base Score 4.0-6.9.

Low Risk Vulnerabilities
Loss of system or data (Confidentiality, Integrity, Availability) is likely to have only a very limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). These are the types of vulnerabilities that are believed to require unlikely circumstances to be able to be exploited, or where a successful exploit would cause either no adverse effects or result in only very minimal adverse consequences. CVSS Base Score 0.1-3.9.

Vulnerability Remediation

Assessment of identified vulnerabilities provides visibility into the vulnerability of systems and hosted applications deployed on the FSU network. After confirming the vulnerability scan results applicable to their systems, CUUs/University Units are responsible for addressing the risks presented by such vulnerabilities, through implementation of required vulnerability risk remediation strategies. Where possible, units are required to permanently resolve the risks associated with the vulnerability through implementation of permanent fixes that will usually include installation of vendor security patches and/or configuration changes. Permanent fixes also may require changes to unit-specific policies and procedures. All changes must be documented and made available for ISPO review upon request.

If a vendor security patch or configuration change is not available to permanently resolve the risk associated with the vulnerability, CUUs will be required to develop and implement compensating controls, which are applied at the network, IT system, and/or application level. The controls are required to mitigate the risks of the vulnerability and shall be consistently implemented until a permanent remediation is implemented. All compensating controls used to mitigate risks must be documented as part of a Request for Exception to IT Security Policy.

Remediation Strategies

  • Perform monthly authenticated scans.
  • Create hardened images/templates for use in building and deploying new servers/workstations.
  • Patch the software or service and develop a continuous remediation process.
  • Implement configuration changes using security features within the application, operating system, other software, and/or infrastructure to further reduce the attack surface.
  • Adopt a strategy to only allow/install required services that are needed on the device.
  • Remove or disable the software or services that are not needed, if possible.
  • Perform follow-up scans after remediation activity to verify remediation is complete and the vulnerability no longer exists.

Remediation Timeframe Requirements
The vulnerability risk remediation lifecycle can be summarized to include three stages: identification/detection; risk assessment; and remediation planning and implementation. Vulnerabilities that put High Risk data, Moderate Risk data or mission critical systems at risk, or are related to missing security patches are a priority and have the shortest timeframe for implementing recommended remediation.

The remediation timeframe associated with a known vulnerability begins once the vulnerability has been identified using the results from the monthly authenticated vulnerability scans, vendor-published security vulnerability information or security patch installation requirements. The Resolution Requirement is the number of days from identification to remediation.

Identified vulnerabilities shall be remediated in accordance with the timeframe described below. If remediation is not possible, compensating controls must be implemented to mitigate the risk and approved by ISPO, as defined by the Request for Exception to IT Security Standard.

CVSS Level – Resolution Requirement
  • Critical/High (Known Exploits), CVSS 7.0 - 10.0: 30 days
  • Moderate, CVSS 4.0 - 6.9: 90 days
  • Low, CVSS 0.1 - 3.9: 120 days

ISPO may issue notifications with reduced remediation windows in cases of large-scale emerging threats that are actively leveraging exploits against systems with Critical and High vulnerabilities. The CISO may also quarantine or disconnect any system or device from the University network, as defined by the IT Network Security Standard.
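The severity bands under Vulnerability Classification and the Resolution Requirements above can be applied mechanically to a scan export to find findings that are past their deadline. The following is an added example, not part of this Standard or of the ITS scanning system; the finding fields, the "informational" handling of a 0.0 score (which the Standard does not band), and the sample data are assumptions.

```python
"""Check constructed scan findings against the Standard's severity bands and
Resolution Requirements (Critical/High 30 days, Moderate 90, Low 120)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# CVSS base-score bands as stated under Vulnerability Classification.
# CVSS base scores carry one decimal place, so the bands are contiguous.
SEVERITY_BANDS = (
    (9.0, 10.0, "Critical"),
    (7.0, 8.9, "High"),
    (4.0, 6.9, "Moderate"),
    (0.1, 3.9, "Low"),
)
# Days from identification to required remediation, per the table above.
RESOLUTION_DAYS = {"Critical": 30, "High": 30, "Moderate": 90, "Low": 120}


def classify(cvss_base: float) -> Optional[str]:
    """Map a CVSS base score to the Standard's risk level. A score of 0.0 is
    outside every band; it is treated here as informational (assumption)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    score = round(cvss_base, 1)
    for low, high, level in SEVERITY_BANDS:
        if low <= score <= high:
            return level
    return None


@dataclass
class Finding:
    """One row of a scan export (field names are assumptions)."""
    host: str
    plugin: str
    cvss_base: float
    identified: date                      # scan date or vendor advisory date
    remediated: Optional[date] = None     # None means still open
    false_positive_note: Optional[str] = None  # documented FP/NA justification


def due_date(f: Finding) -> Optional[date]:
    """Identification date plus the Resolution Requirement for the level."""
    level = classify(f.cvss_base)
    if level is None:
        return None
    return f.identified + timedelta(days=RESOLUTION_DAYS[level])


def status(f: Finding, today: date) -> str:
    """One of: informational, resolved, resolved-late, false-positive,
    open, overdue. A false-positive claim counts only when it is documented."""
    due = due_date(f)
    if due is None:
        return "informational"
    if f.remediated is not None:
        return "resolved" if f.remediated <= due else "resolved-late"
    if f.false_positive_note:
        return "false-positive"
    return "overdue" if today > due else "open"


def overdue_findings(findings: List[Finding], today: date) -> List[Finding]:
    """Findings still open past their Resolution Requirement."""
    return [f for f in findings if status(f, today) == "overdue"]


# Constructed sample findings; not real scan output.
SAMPLE = [
    Finding("web-01", "openssl-outdated", 9.8, date(2024, 3, 1)),
    Finding("web-01", "tls-weak-cipher", 5.3, date(2024, 3, 1)),
    Finding("db-02", "kernel-patch", 7.8, date(2024, 3, 1), remediated=date(2024, 3, 20)),
    Finding("lab-03", "banner-version", 4.3, date(2024, 3, 1),
            false_positive_note="Backported fix confirmed via package changelog"),
]
```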

False Negatives, False Positives Or Not Applicable Results

False Negatives
CUUs/University Units are responsible for ensuring vulnerability scans are not hindered by inadequate access to the systems, applications, and devices being scanned, since inadequate access produces inaccurate and/or incomplete results. Authenticated scans shall be utilized to ensure that scans analyze the entire system and produce accurate and comprehensive results. Without the required access levels, scans may produce 'false negative' results, which give an inaccurate picture of the security posture of the system or device being scanned.

False Positives or Not Applicable Results
If the identified vulnerability is believed to be a false positive, or is otherwise believed not applicable, the following information is required to be concisely documented within the ITS vulnerability scanning system and made available for ISPO review:

  • The affected system(s) and vulnerability.
  • The plugin/service/software causing the false positive.
  • Information/processes used to confirm the vulnerability is, in fact, a false positive or not applicable.

Incident Reporting

Incidents occur when an FSU student, staff, contractor, or faculty member violates this Standard, specific legal requirements, or contractual obligations. It is the responsibility of each FSU student, staff, contractor, or faculty member to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO) at The CUU ISM or University Unit ISM must inform the CISO of any suspected or confirmed incidents within 24 hours. Refer to the IT Incident Response Standard for more information.

IV. Additional Resources

ITS Patch Management Service:

Common Vulnerability Scoring System (CVSS) Specification:

CERN Computer Security Baselines:

Center for Internet Security (CIS) Security Benchmarks:

Microsoft Security Compliance Toolkit:

Cisco Security Baselines (IOS, Network, Switching, Routing):

V. References
