Vulnerability Management Program at RIT

The vulnerability assessments will scan communication services, operating systems, and applications to identify high-risk system weaknesses that intruders could exploit. These exploits can compromise the confidentiality, integrity, or availability of RIT information resources.

All computers connected to the RIT campus network must undergo scanning. This includes systems in resident halls and remote computers accessing the RIT network via VPN. The Network Security Standard mandates regular scans to identify vulnerable hosts that attackers can exploit remotely.

Vulnerability scanning identifies vulnerabilities and assesses their criticality. We treat this information as RIT Confidential. The scans do not examine the content of personal electronic files on the scanned computers. Additionally, the scans should not cause network outages. However, systems administrators may see log entries related to the scans in their logs.

The timeframes for remediating vulnerabilities based on their assigned Common Vulnerability Scoring System (CVSS) scores. A CVSS score is a standardized metric used to measure the severity of security vulnerabilities.

The Forum of Incident Response and Security Teams (FIRST) manages the CVSS framework.  FIRST is an international organization that promotes security incident response and coordinates the development of global security standards, including CVSS.   

RIT is currently utilizing CVSS version 3.1, which was released in June of 2019.

When critical vulnerabilities are identified, the ISO collaborates with the responsible system owners or teams to address these vulnerabilities. If critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan in place, the ISO initiates a discussion between the system owners and the organization’s information steward. The ISO intends to work collaboratively with the system administration teams and their information stewards to improve the organization’s security posture.