Loyola University Chicago


University Information Security Office

Vulnerability Risk Ranking Assessment Procedure

Information Technology Services Procedure

Title: Identification and Ranking of Security Vulnerabilities

Created: October 5, 2012

Author:  UISO

Version: 1.0

Scope:

Information Technology Services will use this process to identify and assign a risk ranking to newly discovered security vulnerabilities. The intention of this process is to ensure that the university keeps up to date with new vulnerabilities that may impact the high security environment. While it is important to monitor vendor announcements for news of vulnerabilities and patches related to their products, it is equally important to monitor common industry vulnerability news groups and mailing lists for vulnerabilities and potential workarounds that may not yet be known to, or resolved by, the vendor.

Purpose:

When vulnerabilities are disclosed that could affect the university’s high security environment, the risk that each vulnerability poses must be evaluated and ranked. This procedure outlines Loyola University Chicago’s method for evaluating vulnerabilities and assigning risk rankings on a consistent basis.

 The resulting processes deployed will be in support of and in compliance with the following legal and regulatory requirements:

Standards:

Vulnerability Identification Process

Vulnerabilities are identified by the University Information Security Office (UISO) using the following methods:

 

Vulnerability Review Process

UISO identifies the most appropriate sources of vulnerability and patch information for the Loyola University Chicago infrastructure and creates a centralized “knowledge pool” in which these are aggregated. Newly discovered vulnerabilities and newly released patches are detected through regular monitoring of common publishers of vulnerability information. The following sites are monitored by UISO, either via automated email or daily site visits.

 

 

All information collected from the community sites, as well as from appropriate vendor sites, is collected and documented into a vulnerability knowledge pool, to increase efficiency in access and analysis.

 

Vulnerability Analysis Process

UISO along with the appropriate system administrators will evaluate the relevance of every new vulnerability alert, in order to assess the priority with which it must be addressed.

The process used to assess vulnerability and patch information is based on the CVSS score as published in the NIST National Vulnerability Database (NVD). The CVSS rating is a risk rating based on the combination of several variables, such as the consequences of the vulnerability being exploited and the ease with which an attack attempt could succeed. The PCI-DSS standard uses the Common Vulnerability Scoring System (CVSS-SIG) to readily measure vulnerability risk, and considers any vulnerability scored 4.0 or higher as high risk that must be managed with the utmost priority.

 

CVSS Vulnerability Severity Ratings

NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores:

 

Other Analysis Considerations

 Vulnerability Notification Process

Based on the analysis, appropriate system and network administrators are notified of relevant patches and/or control procedures for the vulnerability’s mitigation.  Information Security alerts the appropriate administrators of upcoming vulnerabilities via three different notification schemes, based on the priority rating assigned:

 

Exceptions:

Exceptions to this process will be handled in accordance with the ITS Security Policy.


Review:

This process will be maintained in accordance with the ITS Security Policy.

 

History and Updates

Initial Policy Created: August 31, 2012

Revised: June 13, 2013

Author: University Information Security Office (UISO)

Version: 1.0


Information Technology Services
1032 W. Sheridan Ave. · Chicago, IL 60660 · 773.508-7373


DataSecurity@luc.edu
