Vulnerability Management MOU

This MOU outlines the scope of services and responsibilities for systems hosted by DEPARTMENTS in addition to those hosted in the ITCS Data Center. As such, vulnerability management is the responsibility of the owning department. All system administration functions are governed and performed by the department and/or ITCS and are subject to all University policies and procedures. In the instance that an administrator is sharing duties with ITCS, the software application support to include security patches is provided by the Department or contracted with a third-party vendor. Specific information on vulnerability management responsibilities is provided within this agreement.

Administrator Responsibility:

The management of the server(s) must adhere to the requirements as listed in the Security Controls and Vulnerability Management and Vulnerability Management Exceptions sections below.  These requirements are mandatory.

Security Controls and Vulnerability Management:

1. Vulnerability Management is the responsibility of the administrator and includes, but is not limited to, regular reviewing of security scans, patching, vulnerability remediation or implementation of appropriate compensating controls, if the administrator is part of a department. It is the responsibility of the administrator to work with ITCS to ensure all department servers managed by the department are receiving vulnerability scans.
2. ITCS will scan known devices (including servers) connected to the ECU data network for vulnerabilities and/or to verify compliance. If a networked device is non-compliant, it may be taken out of production or removed from the ECU network until compliance is verified.
3. The management of the server(s) will identify the server criticality to ITCS to avoid a server being removed from production that may have life or safety implications.
4. Servers must run operating systems and applications that are fully supported by their manufacturers with regularly issued security patches and upgrades. Other responsibilities include routinely applying patches and/or configuration changes recommended by operating system and application vendors.
5. If possible, the operating system and all applications must be configured to automatically install all available security updates at least monthly. If automatic installation is not possible, all available security patches must be installed within 30 days of their release by the assigned system administrator.
6. Ad hoc scans should be run by the system administrator to verify security patches have been appropriately installed or whenever the system administrator deems necessary.
7. All Windows or Linux servers connected to the ECU data network must run the latest version of KACE Agent software, installed and configured to automatically update at least daily (continuous updates are strongly recommended).
8. KACE Agent software must be installed, configured, enabled and updated on Windows and Macintosh computers with the latest patches and virus signatures as required by the ECU Antivirus Policy.
9. Servers must be configured to authenticate with the Rapid7 InsightVM application using local administrator credentials that are provided by the system owner. The local administrator passwords must be changed at least every 60 days to ensure authenticated scans are performed.

Vulnerability Management Exceptions:

1. The management of the server(s) or network devices will submit the appropriate exception in Rapid7 InsightVM for vulnerabilities with a CVSS2 score of 8 or greater (referred to as High/Critical Vulnerabilities that cannot be resolved.
2. The management of the server(s) will also open a TeamDynamix service request for the exception and include the request number in Rapid7 InsightVM.
3. The Vulnerability Management Committee will review and approve exceptions that meet acceptable use or compensating control criteria.
4. The Vulnerability Management Committee may review vulnerabilities on all monitored systems or network devices that have not been addressed within 30, 45 and 60 days of initial discovery and recommend the appropriate action. (Note: Network device vulnerabilities that have not been addressed within 40, 50 and 60 days of initial discovery and recommended appropriate action.)