Threat and vulnerability management control procedure
Defining the University’s approach to vulnerability management.
Threat and vulnerability management
Contents
Policy statement
This control procedure defines the university’s approach to threat and vulnerability management, and directly supports the following policy statement from the Information Security Policy:
“The university will ensure the correct and secure operations of information processing systems.”
“This will include documented operating procedures; the use of formal change and capacity management; controls against malware; defined use of logging; vulnerability management.”
“The university will use a combination of internal and external audits to demonstrate compliance against chosen standards and best practice, including against internal policies and procedures.”
“This will include IT health checks, gap analyses against documented standards, internal checks on staff compliance, and returns from Information Asset Owners.”
Audience
This procedure is intended to be read and understood by IT & digital and other staff who are responsible for the management of IT systems; and staff who may be engaging third parties and require descriptions or assurance around the university’s technical defences
Control statements
There are other university policies which will apply when you access university systems, including the university’s Data Protection Policy (and users should complete the university’s mandatory data protection training).
- Protective monitoring
- Client anti-malware
- Server anti-malware
- Vulnerability scanning – internal
- Use of external vulnerability assessment
- Software versions
- Client patching
- Server patching
- Application patching
- Firmware patching
Protective Monitoring
Perimeter security is detailed in Communications Security.
Within the network, Security Information and Event Management (SIEM) tools use AI/machine learning to identify threats that have avoided perimeter detection. Logs are generated, stored and monitored according to Log Management and Forensic Readiness.
Client anti-malware
All university-managed clients (Mac and Windows) run endpoint protection. This is centrally managed by the end-user computing team. Updates are pulled to a management server and clients check for updates every ten minutes. Where signatures are released to address a critical threat, the updates can be deployed at short notice and outside of normal schedules.
Server anti-malware
All Windows servers on the university network run endpoint protection. These update as new signatures are made available. Where signatures are released to address a critical threat, the updates can be deployed at short notice and outside of normal schedules.
Vulnerability scanning – internal
Vulnerability scans will be performed weekly or on request by the Cyber Security Operations team using a dedicated service running up-to-date plugins via a business subscription. Scan results are distributed to operational teams for remediation according to criticality, based on the Common Vulnerability Scoring System (CVSS). The Information Security team will oversee the remediation of critical and high vulnerabilities.
Vulnerability scanning – external
The university will use external vulnerability assessments to supplement its internal capabilities. There is no fixed schedule or scope for this, but it is good practice to undergo annual penetration testing of at least key external-facing services, and to penetration test new systems or significant changes to systems as required. Decisions to use external vulnerability assessments will be made and authorised by the Information Security team. Use will also be made of automated tools, such as NCSC’s Web Check.
Software versions
Where possible the university will run the latest stable version of software, and no older than the previous version provided that it remains supported, in order to maintain stability, supportability and security. Where compatibility issues prevent running the latest version, the university will prioritise upgrading or replacing the component causing the compatibility issue, and the residual risk will be documented and kept under review. Where legacy systems have to be tolerated, reference should be made to the National Cyber Security Centre guidance for securing obsolete platforms. Where there is no appropriate treatment, IT & digital reserve the right to disable software and services deemed to present a significant risk to the university’s systems or data.
Approved versions of key software – such as operating systems, databases, web toolsets and browsers – can be confirmed with the Information Security team.
Client patching
All University-managed Mac and Windows clients receive security updates on a monthly basis, upon release by the OS vendor. These are distributed and monitored via IT & digital managed deployment tools. Key third-party software – including the Chrome and Firefox browsers, Flash plug-in and Adobe Reader – are also updated on a monthly basis.
Where patches are released to address a critical vulnerability, these should be deployed within 14 days of detection of the vulnerability on university infrastructure. These can also be deployed at short notice and outside of normal schedules.
Server patching
All Windows servers are included in a rolling monthly patch schedule managed by the Servers and Storage team. Unix servers are included in a monthly schedule, or in some cases patched manually where there is greater risk from automation. Where patches are released to address a critical vulnerability, they can be deployed at short notice and outside of normal schedules. All databases will be patched as required, using the appropriate tools for MS SQL, MySQL and Oracle.
Application patching
Applications should have all critical or security patches applied, but business owners should decide on a case by case basis whether to implement functional patches. IT & digital staff can assist with this decision-making.
Firmware patching
Where possible the university will run the latest stable version of firmware, and no older than the previous version provided that it is supported, in order to maintain stability, supportability and security. Where compatibility issues prevent running the latest version, the university will prioritise upgrading or replacing the component causing the compatibility issue.
Compliance
Failure to comply with this procedure could result in action in line with the university’s disciplinary procedure or performance improvement procedure.
Compliance checks will be undertaken by the university’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Governance Board.
Related documents
This control procedure needs to be understood in the context of the other policies and procedures constituting the University’s Information Security Management System.
Browse Information Security policies and control procedures
Review
A review of this policy will be undertaken by the Information Security team annually or more frequently as required, and will be approved by the Information Governance Board.
| Version: | 4.3 |
| Release date: | 10/10/2023 |
| Review date: | 10/09/2024 |