Purpose
The Salish Kootenai College Vulnerability Management Policy establishes the rules for the review, evaluation, application, and verification of system updates to mitigate vulnerabilities in the IT environment and the risks associated with them.
Audience
The Salish Kootenai College Vulnerability Management Policy applies to individuals responsible for Information Resource management.
Policy
- Endpoint Protection (Anti-Virus & Malware)
  - All Salish Kootenai College owned and/or managed Information Resources must use the Salish Kootenai College IT management-approved endpoint protection software and configuration.
  - All non-Salish Kootenai College-owned workstations and laptops must use Salish Kootenai College IT management-approved endpoint protection software and configuration before any connection to a Salish Kootenai College Information Resource.
  - The endpoint protection software must not be altered, bypassed, or disabled.
  - Each email gateway must utilize Salish Kootenai College IT management-approved email virus protection software and adhere to the Salish Kootenai College rules for the setup and use of this software, which includes, but is not limited to, scanning of all inbound and outbound emails.
  - Controls to prevent or detect the use of known or suspected malicious websites must be implemented.
  - All files received over networks or from any external storage device must be scanned for malware before use.
  - Every virus not automatically cleaned by the virus protection software constitutes a security incident and must be reported to Salish Kootenai College IT Services.
- Logging & Alerting
  - Documented baseline configurations for Information Resources must include log settings to record actions that may affect or are relevant to information security.
  - Event logs must be produced based on the Salish Kootenai College Logging Standard and sent to a central log management solution.
  - A review of log files must be conducted on an established schedule. This schedule is dependent on how frequently the logs are updated. IT Services will develop and maintain this schedule.
  - All exceptions and anomalies identified during the log file reviews must be documented and reviewed.
  - Salish Kootenai College will use file integrity monitoring or change detection software on logs and critical files to alert personnel to unauthorized modifications.
  - Log files must be protected from tampering or unauthorized access.
  - All servers and network equipment must retrieve time information from a single reference time source regularly so that timestamps in logs are consistent.
  - All log files must be maintained per the Record Retention Schedule.
- Patch Management
  - The Salish Kootenai College IT team is responsible for patch management implementation, operations, and procedures.
  - All Information Resources must be scanned regularly to identify missing updates.
  - All missing software updates must be evaluated according to the risk they pose to Salish Kootenai College.
  - Missing software updates that pose an unacceptable risk to Salish Kootenai College Information Resources must be implemented within a period that is commensurate with the risk as determined by the Salish Kootenai College Vulnerability Management Standard.
  - Software updates and configuration changes applied to Information Resources must be tested before widespread implementation and must be implemented following the Salish Kootenai College Change Control Policy.
  - Verification of successful software update deployment will be conducted within a reasonable period as defined in the Salish Kootenai College Vulnerability Management Standard.
- Penetration Testing
  - Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.
  - Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected.
- Vulnerability Scanning
  - Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.
  - Failed vulnerability scan results rated at Critical or High will be remediated and re-scanned until all Critical and High risks are resolved.
  - Any evidence of a compromised or exploited Information Resource found during vulnerability scanning must be reported to the Salish Kootenai College Information Security Officer and IT Services.
  - Upon identification of new vulnerability issues, configuration standards will be updated accordingly.
References:
- ISO 27002: 12, 18
History:
Approved 3/17/2023