Policy Statement

Rockhurst University is committed to maintaining a robust Vulnerability Management Plan that incorporates industry best practices for vulnerability scanning, patching, and maintaining system currency. This policy includes continuous scanning by Rockhurst's managed security services provider (MSSP), homeland security scans, coalition insurance scans, and internal and external penetration tests. It also emphasizes the importance of maintaining system currency from key vendors, utilizing Microsoft automated patching for workstations and servers, and automating Meraki cloud updates for network switches and Wi-Fi access points.

Scope

This policy applies to all systems, applications, workstations, servers, network switches, and Wi-Fi access points owned, managed, or operated by Rockhurst University.

Vulnerability Scanning

  • Continuous Scanning: Rockhurst University will engage the services of a managed security services provider (MSSP) to perform continuous vulnerability scanning on its systems and applications. The MSSP will use industry-leading vulnerability scanning tools and techniques to identify potential vulnerabilities.
  • Homeland Security Scans: Rockhurst University will participate in vulnerability scanning programs offered by homeland security agencies or organizations. These scans will help identify vulnerabilities related to known threats, exploits, and security weaknesses.
  • Coalition Insurance Scans: Rockhurst University will collaborate with its insurance provider and undergo vulnerability scanning assessments as part of the insurance policy requirements. These scans will help identify potential vulnerabilities and ensure compliance with insurance guidelines.

Penetration Testing

  • Internal Penetration Tests: Rockhurst University will conduct internal penetration tests on its systems and applications. These tests will simulate attacks from within the university's network to identify vulnerabilities and weaknesses that could be exploited by insider threats.
  • External Penetration Tests: Rockhurst University will periodically engage third-party security firms to perform external penetration tests. These tests will simulate real-world attacks from outside the university's network to identify vulnerabilities and potential points of unauthorized entry.

Patch Management

  • Vendor Relationships: Rockhurst University will maintain relationships with key vendors to ensure timely access to patches, security updates, and vulnerability information. Regular communication with vendors will help keep the university's systems up to date and secure.
  • Automated Patching:
    1. Workstations and Servers: Rockhurst University will leverage automated patch management solutions, such as Microsoft Automated Patching, to ensure timely deployment of security patches to workstations and servers. Automated patching mechanisms will be configured to apply patches promptly while considering system availability and maintenance windows.
    2. Network Switches and Wi-Fi Access Points: Rockhurst University's Meraki cloud-managed network switches and Wi-Fi access points will be configured to receive automated updates from the Meraki cloud platform. These updates will include security patches and feature enhancements.
  • Patch Testing and Validation: Prior to deployment, patches and updates will be tested in a controlled environment to ensure compatibility with Rockhurst University's systems, applications, and configurations. This testing will help identify any potential issues or conflicts before patches are deployed in the production environment.
  • Patch Deployment and Tracking:
    1. Rockhurst University will establish a defined process for deploying patches and updates across its systems, applications, workstations, servers, network switches, and Wi-Fi access points. The process will include appropriate change management procedures to minimize disruptions and ensure accountability.
    2. Patch deployment will be tracked and documented to maintain an accurate inventory of applied patches, enabling visibility into the patch status and assisting in compliance audits and vulnerability remediation efforts.

System Currency

Rockhurst University recognizes the importance of maintaining system currency to reduce the risk of vulnerabilities. The following practices will be implemented:
  • Regularly review and assess the currency of systems and applications, ensuring they are supported by vendors and receiving necessary security updates.
  • Develop a system retirement plan to phase out outdated systems and applications that are no longer supported by vendors or cannot be adequately patched.

Policy Review

This Vulnerability Management Plan (Scanning/Patching) Policy will be reviewed periodically to ensure its effectiveness, alignment with industry best practices, and compliance with changing regulations. Updates to the policy may be made as necessary.

Policy Non-Compliance

Failure to comply with this policy may result in disciplinary action, including but not limited to verbal or written warnings, suspension, termination, or legal action, as deemed appropriate.

By following this Vulnerability Management Plan, Rockhurst University aims to proactively identify and remediate vulnerabilities, minimize the risk of security incidents, and ensure the ongoing security and integrity of its systems, applications, and data.