Vulnerability Risk Ranking Assessment Procedure
Information Technology Services Procedure
Title: Identification and Ranking of Security Vulnerabilities
Created: October 5, 2012
Information Technology Services will use this process to identify and assign a risk ranking to newly discovered security vulnerabilities. The intention of this process is to ensure that the university keeps up-to-date with new vulnerabilities that may impact the high security environment. While it is important to monitor vendor announcements for news of vulnerabilities and patches related to their products, it is equally important to monitor common industry vulnerability news groups and mailing lists for vulnerabilities and potential workarounds that may not yet be known or resolved by the vendor.
When vulnerabilities are disclosed that could affect the university’s high security environment, the risk that each vulnerability poses must be evaluated and ranked. This procedure outlines Loyola University Chicago’s method for evaluating vulnerabilities and assigning risk rankings on a consistent basis.
The resulting processes deployed will be in support of and in compliance with the following legal and regulatory requirements:
- Family Educational Rights and Privacy Act of 1974 (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Data Security Standard (DSS)
Vulnerability Identification Process
Vulnerabilities are identified by the University Information Security Office (UISO) using the following methods:
- Daily monitoring for new vulnerabilities that can impact the infrastructure.
- Evaluation of each vulnerability’s applicability to the environment.
- Implementation of a risk-based approach aimed at evaluating the actual threat that the vulnerability poses to the infrastructure.
- Scouting new vulnerabilities and patches via web resources.
- Aggregation of all information in a centralized gathering point (UISO).
- Analysis of all collected information.
- Alerting administrators of any applicable and noteworthy vulnerability and/or available patch.
Vulnerability Review Process
UISO identifies the most appropriate sources of vulnerability and patch information for the Loyola University Chicago infrastructure, and creates a centralized “knowledge pool” in which this information is aggregated. Newly discovered vulnerabilities and newly released patches are detected through regular monitoring of common publishers of vulnerability information. The following sites are monitored by UISO either via automated email or daily site visits.
All information gathered from the community sites, as well as from the appropriate vendor sites, is documented in the vulnerability knowledge pool to improve the efficiency of access and analysis.
Vulnerability Analysis Process
UISO, together with the appropriate system administrators, evaluates the relevance of every new vulnerability alert in order to assess the priority with which it must be addressed.
The process used to assess vulnerability and patch information is based on the CVSS score as published by the NIST National Vulnerability Database scoring system. The CVSS rating is a risk rating that combines several variables, such as the consequences of the vulnerability being exploited and the ease with which an attack attempt could succeed. The PCI DSS standard uses the Common Vulnerability Scoring System (CVSS-SIG) to measure vulnerability risk, and considers any vulnerability with a score of 4.0 or higher to be high risk that must be managed with the utmost priority.
CVSS Vulnerability Severity Ratings
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores:
- Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
- Vulnerabilities are labeled "Medium" severity if they have a CVSS base score of 4.0-6.9.
- Vulnerabilities are labeled "High" severity if they have a CVSS base score of 7.0-10.0.
Other Analysis Considerations
- Applicability: defining whether or not the alert applies to the Loyola University Chicago infrastructure.
- System Component positioning: defining whether or not the alert applies to a
Vulnerability Notification Process
Based on the analysis, appropriate system and network administrators are notified of relevant patches and/or control procedures for the vulnerability’s mitigation. Information Security alerts the appropriate administrators of upcoming vulnerabilities via three different notification schemes, based on the priority rating assigned:
- High severity – as soon as possible
- Medium and Low severity – monthly
- Vulnerability notifications will be delivered via email.
Exceptions to this process will be handled in accordance with the ITS Security Policy.
This process will be maintained in accordance with the ITS Security Policy.
History and Updates
Initial Policy Created: August 31, 2012
Revised: June 13, 2013
Author: University Information Security Office (UISO)