The Vulnerability Management Program is designed to better secure the UCF environment by swiftly addressing vulnerabilities. Limiting what vulnerabilities exist within UCF networks is paramount, and doing so requires a combination of defined patch cycles, a method to review exceptions, and the isolation of systems with unmitigated vulnerabilities.
Why Is The Vulnerability Management Program Important?
Unpatched vulnerabilities were involved in 60% of data breaches - with an ever-growing list of known exploited vulnerabilities it is imperative that vulnerabilities are proactively addressed.
The Vulnerability Management Program ensures that the UCF network remains secure from cyber attacks by addressing vulnerabilities in a timely manner, minimizing the liklihood of a vulnerability being exploited to gain access to the UCF environment.
What Is Vulnerability Severity?
Not all vulnerabilities carry the same level of risk. Various factors contribute to the significance of a vulnerability, leading to its classification by severity level. This severity level determines the timeline for remediation. The following table outlines the definitions of each severity level:
| Severity | Description |
|---|---|
| Zero Day | A zero-day vulnerability refers to a flaw or weakness, which is actively being exploited, in software or hardware that is unknown to the vendor or developers. These vulnerabilities should be patched as soon as one is made available. |
| Exploitable | If this vulnerability exists on your system, threat actors can gain control of the host, which can lead to the compromise of your entire network security. |
| Critical | A critical vulnerability is a known flaw in a system that, if exploited, can have a severe impact on security, leading to potential system compromise, data breaches, or unauthorized access. Please refer to the matrix below for remediation requirements based on system type. |
| High | High severity vulnerabilities are significant weaknesses that, if exploited, can cause substantial harm to a system or its data. Please refer to the matrix below for remediation requirements based on system type. |
| Medium | Medium severity vulnerabilities represent weaknesses that may not have as severe an impact as critical or high severity ones but could still lead to security breaches or data compromise if exploited. Please refer to the matrix below for remediation requirements based on system type. |
WHAT IS VULNERABILITY MANAGEMENT?
The Vulnerability Management Program is designed to identify and classify vulnerabilities, evaluate their risk, remediate or accept the risk, and reporting. With the right tools and procedures, vulnerabilities can be mitigated in an appropriate timeframe. The following table outlines the timelines for resolution of each severity level:
| Severity | Tier 0 | Tier 1 - Public | Tier 1 - Private | Tier 2 |
|---|---|---|---|---|
| Zero Day | 2 Days |
2 Days |
3 Days |
7 Days |
| Exploitable | 3 Days |
7 Days |
7 Days |
7 Days |
| Critical | 7 Days |
14 Days |
14 Days |
14 Days |
| High | 14 Days |
21 Days |
21 Days |
21 Days |
| Medium | 21 Days |
28 Days |
28 Days |
28 Days |
Frequently Asked Questions
We understand vulnerability management can seem daunting at first. That's why we've compiled these frequently asked questions to guide your vulnerability management process.
Request Access to Vulnerability Management Dashboard
Conduct regular reviews of your assets vulnerability using the Vulnerability Management Dashboard. If you need access to the dashboard please use the ServiceNow request linked below.
Request Dashboard AccessSubmit a ticket
Users that wish to have access to the Vulnerability Management Dashboard must be an IT Administrator/System Administrator. Submit a request for access using the link below.
Request AccessSend an Email
Need help on a specific question regarding the vulnerability management program? Send us an email using the button below!
Infosec@ucf.eduReach us through Teams
If you're a CITC community member, reach out to us on Microsoft Teams if you have a question.
InfoSec Channel - citcAdditional Resources
Still looking for extra resources?
Look no further, below are a few extra links to get you to where you need to be.