UIS.204 Vulnerability Management Policy

200. Information Systems Security

Purpose 

Georgetown University Information Services has developed and implemented the Vulnerability Management Policy and procedures to ensure that secure computer systems and networks are available to accomplish the University’s mission of teaching, research, and service. Directed by the Chief Information Security Officer (CISO), these policies set the information security standards which maximize the confidentiality, integrity, and availability of the University’s distributed information technology assets, systems, networks, and data. 

Scope 

The Vulnerability Management Policy and supporting requirements apply to all information technology assets, systems, networks, and data hosts that are owned by, managed by, and/or sponsored by Georgetown. This policy also applies to the faculty, staff, researchers, affiliates, suppliers, and students who own, operate, or maintain these systems for University business, academics, and research. 

Policy 

Georgetown University has adopted the threat and vulnerability management principles established in the NIST SP 800-171 “Risk Assessment” and “Security Assessment” control families as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support, and be compliant with, the University information security framework. 

Vulnerability scans are performed on a regular, scheduled basis on all University assets. Potential vulnerabilities are identified and validated; their criticality is assessed using a tailored risk rating formula; and remediation actions are taken in a timely manner to safeguard the University’s information technology systems and data.  

Failure to protect University information systems and their networks against threats can result in the loss of data integrity, unavailability of data, and/or unauthorized use of data or information technology systems of which University departments are considered the owner.