Vulnerability Management Program at RIT

To reduce information security risks, RIT conducts periodic vulnerability assessments, scanning systems campus-wide for high-risk exposures. Additionally, the Information Security Office (ISO) scans for vulnerabilities under attack as needed.

What is RIT scanning for?

The vulnerability assessments will scan communication services, operating systems, and applications to identify high-risk system weaknesses that intruders could exploit. These exploits can compromise the confidentiality, integrity, or availability of RIT information resources.

Which systems may be scanned?

All computers connected to the RIT campus network must undergo scanning. This includes systems in residence halls and remote computers accessing the RIT network via VPN. The Network Security Standard mandates regular scans to identify vulnerable hosts that attackers can exploit remotely.

What information is obtained and how will it be treated?

Vulnerability scanning identifies vulnerabilities and assesses their criticality. We treat this information as RIT Confidential. The scans do not examine the content of personal electronic files on the scanned computers. Additionally, the scans should not cause network outages. However, systems administrators may see log entries related to the scans in their logs.

Common Vulnerability Scoring System

The timeframes for remediating vulnerabilities are based on their assigned Common Vulnerability Scoring System (CVSS) scores. A CVSS score is a standardized metric used to measure the severity of security vulnerabilities.

The Forum of Incident Response and Security Teams (FIRST) manages the CVSS framework. FIRST is an international organization that promotes security incident response and coordinates the development of global security standards, including CVSS.

RIT is currently utilizing CVSS version 3.1, which was released in June of 2019.

How will vulnerabilities be handled?

When critical vulnerabilities are identified, the ISO collaborates with the responsible system owners or teams to address these vulnerabilities. If critical vulnerabilities remain unaddressed after successive scans and there is no acceptable plan in place, the ISO initiates a discussion between the system owners and the organization’s information steward. The ISO intends to work collaboratively with the system administration teams and their information stewards to improve the organization’s security posture. 

Vulnerability Severity   Corrective Action Plan   Remediation
Critical (CVSS 9-10)     Within 7 days            Within 15 days
High (CVSS 7-8.9)        Within 15 days           Within 30 days
Medium (CVSS 4-6.9)      Within 30 days           As scheduled during regular patch cycles
Low (CVSS 0.1-3.9)       Within 45 days           As scheduled during regular patch cycles
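The following is an added example, not part of the RIT page and not the ISO's own tooling. It shows how a system owner's tracking script could turn scanner findings with CVSS 3.1 base scores into the corrective action plan and remediation due dates from the table above, and list which findings have missed a deadline. The Finding fields, hostnames, titles, scores and dates are constructed for the example; a score of 0.0, which the table does not list, is treated as the CVSS 3.1 qualitative rating "None" and gets no deadline.

```python
"""Map scanner findings to the remediation timeframes in the table and flag overdue items.

Added example; the band boundaries and day counts come from the table above,
everything else (Finding fields, sample data) is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# (severity, lowest score, highest score, corrective-plan days, remediation days)
# A remediation value of None means "as scheduled during regular patch cycles".
SEVERITY_BANDS = [
    ("Critical", 9.0, 10.0, 7, 15),
    ("High",     7.0, 8.9, 15, 30),
    ("Medium",   4.0, 6.9, 30, None),
    ("Low",      0.1, 3.9, 45, None),
]


def severity_for(cvss: float) -> str:
    """Return the table's severity band for a CVSS 3.1 base score.

    Scores are rounded to one decimal, the precision CVSS 3.1 uses, so a
    scanner export with extra decimals still lands in exactly one band.
    A score of 0.0 is rated "None" by CVSS 3.1 and has no row in the table.
    """
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    score = round(cvss, 1)
    for name, low, high, _, _ in SEVERITY_BANDS:
        if low <= score <= high:
            return name
    return "None"


@dataclass(frozen=True)
class Finding:
    host: str          # constructed hostname
    title: str         # scanner's name for the weakness
    cvss: float        # CVSS 3.1 base score
    first_seen: date   # date the scan first reported it


@dataclass(frozen=True)
class Deadlines:
    severity: str
    plan_due: Optional[date]         # corrective action plan due date
    remediation_due: Optional[date]  # None: regular patch cycle, or no deadline


def deadlines_for(finding: Finding) -> Deadlines:
    """Compute both due dates, counted from the day the finding was first seen."""
    sev = severity_for(finding.cvss)
    for name, _, _, plan_days, fix_days in SEVERITY_BANDS:
        if name == sev:
            plan_due = finding.first_seen + timedelta(days=plan_days)
            fix_due = (finding.first_seen + timedelta(days=fix_days)
                       if fix_days is not None else None)
            return Deadlines(sev, plan_due, fix_due)
    return Deadlines(sev, None, None)  # severity "None": nothing to schedule


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, str]]:
    """List (finding, missed deadline) pairs for follow-up with the system owner."""
    missed = []
    for f in findings:
        d = deadlines_for(f)
        if d.plan_due is not None and today > d.plan_due:
            missed.append((f, "corrective action plan"))
        if d.remediation_due is not None and today > d.remediation_due:
            missed.append((f, "remediation"))
    return missed


# Constructed sample findings, as a scanner export might be summarised.
SAMPLE_FINDINGS = [
    Finding("host-a.example", "Outdated TLS library", 9.8, date(2024, 3, 1)),
    Finding("host-b.example", "Weak SSH cipher offered", 5.3, date(2024, 3, 1)),
    Finding("host-c.example", "Information disclosure", 3.1, date(2024, 3, 1)),
    Finding("host-d.example", "Informational banner", 0.0, date(2024, 3, 1)),
]


def _describe(d: Deadlines) -> str:
    """Human-readable remediation column, distinguishing 'no row' from 'patch cycle'."""
    if d.severity == "None":
        return "no deadline"
    return str(d.remediation_due) if d.remediation_due else "regular patch cycle"


if __name__ == "__main__":
    today = date(2024, 3, 20)
    for f in SAMPLE_FINDINGS:
        d = deadlines_for(f)
        print(f"{f.host:16} {f.cvss:4} {d.severity:8} plan by {d.plan_due}  fix by {_describe(d)}")
    for f, what in overdue(SAMPLE_FINDINGS, today):
        print(f"OVERDUE: {f.host} {f.title!r} missed its {what} deadline")
```

Run as a script it prints each sample finding's band and due dates, then the Critical finding on host-a.example as overdue for both its corrective action plan (due 2024-03-08) and its remediation (due 2024-03-16) when evaluated on 2024-03-20. Band lookup uses inclusive bounds on one-decimal scores, so 8.9 is High and 9.0 is Critical, matching the table's edges.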