Defining the University’s approach to vulnerability management
This control procedure defines the University’s approach to threat and vulnerability management, and directly supports the following policy statement from the Information Security Policy:
The University will ensure the correct and secure operations of information processing systems.
This will include documented operating procedures; the use of formal change and capacity management; controls against malware; defined use of logging; and vulnerability management.
The University will use a combination of internal and external audit to demonstrate compliance against chosen standards and best practice, including against internal policies and procedures.
This will include IT Health Checks, gap analyses against documented standards, internal checks on staff compliance, and returns from Information Asset Owners.
This procedure is intended to be read and understood by ISDS and other staff who are responsible for the management of IT systems, and by staff who may be engaging third parties and require descriptions of, or assurance around, the University's technical defences.
Perimeter security is detailed in Communications Security.
Within the network, Security Information and Event Management (SIEM) tooling applies machine-learning analytics to collected logs to identify threats that have evaded perimeter detection. Logs are generated, stored and monitored according to Log Management and Forensic Readiness.
All University-managed clients (Mac and Windows) run endpoint protection. This is centrally managed by the Deployment Solutions team. Updates are pulled to a management server and clients check for updates every ten minutes. Where signatures are released to address a critical threat, the updates can be deployed at short notice and outside of normal schedules.
All Windows servers on the University network run endpoint protection. These update as new signatures are made available.
Vulnerability scans are performed weekly, or on request, by the Network Security team using a dedicated scanning service with up-to-date plugins under a business subscription. Scan results are distributed to the operational teams that own the affected systems for remediation in order of criticality, based on the Common Vulnerability Scoring System (CVSS) severity of each finding. CVSS base scores should be read alongside the exposure of the affected system (internet-facing or internal) and whether an exploit is publicly available, since these determine the actual risk to the University. The Information Security team oversees the remediation of Critical and High vulnerabilities.
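The triage step described above, as an added example that is not part of the University's procedure or tooling: constructed scan findings are mapped to the CVSS v3 qualitative severity bands (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0, as defined in the CVSS v3 specification), queued per owning team most-severe first, and Critical and High findings are flagged for Information Security oversight. The host names, team names, finding titles and scores are assumptions made for illustration.

```python
"""Triage of vulnerability-scan findings by CVSS v3 severity.

Added example, not code from the University procedure. The sample findings,
hosts and team names below are constructed for illustration.
"""
from collections import defaultdict

# CVSS v3.x qualitative severity rating scale: (score floor, label).
SEVERITY_BANDS = (
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
)

# Severities the Information Security team oversees through to remediation.
OVERSEEN = {"Critical", "High"}


def severity(score):
    """Map a CVSS v3 base score (0.0-10.0) to its qualitative severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


def triage(findings):
    """Group findings by owning team, most severe first.

    Returns {team: [finding, ...]}; each finding is copied and annotated with
    'severity' and 'infosec_oversight' (True for Critical and High).
    """
    queues = defaultdict(list)
    for finding in findings:
        label = severity(finding["cvss"])
        item = dict(finding, severity=label, infosec_oversight=label in OVERSEEN)
        queues[finding["team"]].append(item)
    for team in queues:
        queues[team].sort(key=lambda i: i["cvss"], reverse=True)
    return dict(queues)


def oversight_list(triaged):
    """Flatten the triaged queues to the findings Information Security tracks."""
    return [i for items in triaged.values() for i in items if i["infosec_oversight"]]


# Constructed sample export from a scanner (hosts, titles and scores are made up).
SAMPLE_FINDINGS = [
    {"host": "web01.example.ac.uk", "team": "Web Services",
     "title": "Outdated TLS library", "cvss": 7.5},
    {"host": "db02.example.ac.uk", "team": "Servers and Storage",
     "title": "Unpatched database service", "cvss": 9.8},
    {"host": "lab-pc-17.example.ac.uk", "team": "Deployment Solutions",
     "title": "Missing browser update", "cvss": 6.1},
    {"host": "web01.example.ac.uk", "team": "Web Services",
     "title": "Informational banner disclosure", "cvss": 0.0},
    {"host": "fs01.example.ac.uk", "team": "Servers and Storage",
     "title": "SMB signing not required", "cvss": 5.3},
]

if __name__ == "__main__":
    triaged = triage(SAMPLE_FINDINGS)
    for team, items in triaged.items():
        print(f"== {team}")
        for i in items:
            flag = "  [InfoSec oversight]" if i["infosec_oversight"] else ""
            print(f"  {i['severity']:<8} {i['cvss']:>4}  {i['host']}  {i['title']}{flag}")
    print(f"{len(oversight_list(triaged))} finding(s) under Information Security oversight")
```

The bands are applied to the base score only; where the exposure or exploit-availability caveat above applies, a team would raise a finding's queue position rather than alter its CVSS label, so the scanner's score remains traceable.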
The University will use external vulnerability assessments to supplement its internal capabilities. There is no fixed schedule or scope for this, but it is good practice to undergo annual penetration testing of at least key external-facing services, and to penetration test new systems or significant changes to systems as required. Decisions to use external vulnerability assessments will be made and authorised by the Information Security team. Use will also be made of automated tools, such as NCSC’s Web Check.
Where possible the University will run the latest stable version of software, and no older than the previous version provided that it remains supported, in order to maintain stability, supportability and security. Where compatibility issues prevent running the latest version, the University will prioritise upgrading or replacing the component causing the compatibility issue, and the residual risk will be documented and kept under review. Where legacy systems have to be tolerated, reference should be made to the National Cyber Security Centre guidance on securing obsolete platforms. Where there is no appropriate treatment, ISDS reserves the right to disable software and services deemed to present a significant risk to the University's systems or data.
A list of approved versions of key software – such as operating systems, databases, web toolsets and browsers – is maintained by the Information Security team.
All University-managed Windows clients receive Windows updates on a monthly basis, distributed and monitored via Microsoft System Center Configuration Manager (SCCM). Key third-party software, including the Chrome and Firefox browsers, the Flash plug-in and Adobe Reader, is also updated on a monthly basis; Adobe Flash Player reached end of life in December 2020 and should be removed from managed clients rather than maintained. Where patches are released to address a critical vulnerability, they can be deployed at short notice and outside of normal schedules.
Mac devices in teaching areas do not receive updates but are re-imaged annually with the latest versions of applications; between re-images they may therefore run software with known vulnerabilities. Mac devices used by staff are not centrally managed, although ISDS is addressing this. Both risks are documented.
All Windows servers are included in a rolling monthly patch schedule managed by the Servers and Storage team. Unix servers are included in a monthly schedule, or in some cases patched manually where there is greater risk from automation. Where patches are released to address a critical vulnerability, they can be deployed at short notice and outside of normal schedules. All databases will be patched as required, using the appropriate tools for MS SQL, MySQL and Oracle.
Applications should have all critical or security patches applied, but business owners should decide on a case-by-case basis whether to implement functional patches. ISDS staff can assist with this decision-making.
Where possible the University will run the latest stable version of firmware, and no older than the previous version provided that it is supported, in order to maintain stability, supportability and security. Where compatibility issues prevent running the latest version, the University will prioritise upgrading or replacing the component causing the compatibility issue.
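The software and firmware version rule above, and the approved-versions list the Information Security team maintains, as an added example that is not part of the University's procedure or tooling: an inventory of installed versions is checked against an approved-versions list, where a host is compliant only if it runs the latest release or the immediately previous release while that release remains supported. The product names, versions, hosts and support flags are assumptions constructed for illustration.

```python
"""Checking installed software/firmware versions against the
'latest, or previous while still supported' rule.

Added example, not code from the University procedure. The approved-version
list and inventory are constructed; products and versions are assumptions.
"""


def parse_version(text):
    """'10.2.1' -> (10, 2, 1), so '3.10' sorts after '3.9'. Dotted-numeric only."""
    return tuple(int(part) for part in text.split("."))


def assess(installed, releases):
    """Classify one installed version against a product's release list.

    releases: list of (version, supported) pairs in any order.
    Returns 'latest', 'previous-supported', 'non-compliant' (older than the
    previous release, or the previous release after support ended) or
    'unknown' (installed version not in the release list).
    """
    ordered = sorted(releases, key=lambda r: parse_version(r[0]), reverse=True)
    versions = [v for v, _ in ordered]
    if installed not in versions:
        return "unknown"
    if installed == versions[0]:
        return "latest"
    if len(ordered) > 1 and installed == versions[1] and ordered[1][1]:
        return "previous-supported"
    return "non-compliant"


def check_inventory(inventory, approved):
    """Return (host, product, installed, status) for every host that needs
    action, i.e. whose status is neither 'latest' nor 'previous-supported'.

    inventory: list of (host, product, installed_version)
    approved:  {product: [(version, supported), ...]}
    """
    actions = []
    for host, product, installed in inventory:
        releases = approved.get(product)
        status = assess(installed, releases) if releases else "unknown"
        if status not in ("latest", "previous-supported"):
            actions.append((host, product, installed, status))
    return actions


# Constructed approved-versions list (assumption, not the University's list).
APPROVED = {
    "DatabaseX": [("12.0", True), ("11.4", True), ("10.9", False)],
    "FirmwareY": [("3.2", True), ("3.1", False), ("3.0", False)],
    "BrowserZ": [("118.0", True), ("117.0", True), ("116.0", True)],
}

# Constructed inventory: (host, product, installed version).
INVENTORY = [
    ("db01", "DatabaseX", "12.0"),   # latest
    ("db02", "DatabaseX", "11.4"),   # previous, still supported
    ("db03", "DatabaseX", "10.9"),   # two behind: non-compliant
    ("sw01", "FirmwareY", "3.1"),    # previous, but support has ended
    ("pc01", "BrowserZ", "116.0"),   # supported, but older than previous
    ("pc02", "BrowserZ", "119.0"),   # not on the approved list
]

if __name__ == "__main__":
    for host, product, installed, status in check_inventory(INVENTORY, APPROVED):
        print(f"{host:<6} {product:<10} {installed:<7} {status}")
```

A vendor's own support status is what decides the 'previous' case, so the approved-versions list needs refreshing whenever a vendor announces end of support, not only when a new release ships.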
Failure to comply with this procedure could result in action in line with the University’s Disciplinary Procedure or Capability Procedure.
Compliance checks will be undertaken by the University’s Information Governance functions. The results of compliance checks, their risk assessment and their remediation will be managed by the Information Security Board.
This control procedure needs to be understood in the context of the other policies and procedures constituting the University's Information Security Management System.
A review of this procedure will be undertaken by the Information Security team annually, or more frequently as required, and will be approved by the Information Security Board.