Thanksgiving Break
Nov. 26, All day
Thanksgiving Break
Nov. 27, All day
Thanksgiving Break
Nov. 28, All day
Thanksgiving Break
Nov. 29, All day
Thanksgiving Break
Nov. 30, All day

WBB vs. Georgetown
Nov. 23, 02:00 pm
MBB vs. Rider
Nov. 24, 07:00 pm
Volleyball vs. West Virginia
Nov. 26, 06:00 pm
WBB vs. Iona
Nov. 26, 08:00 pm
Volleyball vs. Oklahoma
Nov. 29, 12:00 pm

  • Home
  • KUMC Vulnerability Management

KUMC Vulnerability Management

Policy
Purpose: 

Principles Statement

The University of Kansas Medical Center recognizes that the regular application of vendor-supplied security patches is a critical component in protecting the University network, systems and data from damage or loss due to threats such as worms, viruses and directed attacks.

Purpose
The purpose of this policy is to define the requirements for notification, testing and installation of security-related patches. While important to the correct functionality of a software application or system, those patches that are not security-related are not covered by this policy.

Responsibilities

System and application administrators are responsible for assessment and application of security patches that impact systems under their management and supervision.

Information Security will monitor vendor and third-party sources for updated vulnerability information daily and distribute pertinent patch information to the appropriate application and system owners in each business unit.  Additionally, Information Security will utilize automated scanning tools to identify vulnerabilities or configuration issues weekly on all devices connected to the KUMC network.

Applies to: 

Individuals and Groups Covered By This Policy
Applies to all electronic devices connected to the University network including but not limited to computer workstations and servers, network switches and routers, specialized medical devices, etc.

Campus: 
Medical Center, Kansas City
Wichita
Salina
Policy Statement: 

I. Requirements for Vulnerability Remediation

  1. Information Security will classify identified vulnerabilities according to the following severity levels:
    • Critical: A "critical" classification applies to broad threats to the entire campus or remotely exploitable vulnerabilities through which an intruder can easily gain control of numerous systems, compromise one or more systems containing sensitive information, or cause wide-spread service interruption.  Vulnerabilities assigned a rating of "critical" must be remediated within 24 hours.
    • High: A "high" classification applies to vulnerabilities through which an intruder can gain control of one or more systems.  This includes local exploits where the risk of compromise is not as urgent as a critical vulnerability.  Vulnerabilities assigned a rating of "high" must be remediated within 14 days.
    • Medium: A "medium" classification applies to vulnerabilities that may allow an intruder to gain access to information stored on a host.  Vulnerabilities assigned a rating of "medium" must be remediated within 30 days.
    • Low: A "low" classification applies to vulnerabilities that do not pose an immediate threats to KUMC systems.  Vulnerabilities assigned a rating of "low" must be remediated within 90 days.
  2. System administrators must apply required patches to all applicable KUMC-owned or managed devices or complete other remediation actions within the timeframe associated with the vulnerability's severity level.
  3. In a situation where a patch cannot be installed due to incompatibility with a system or other software application, the application or system owner must request an exception within the same timeframe.

II. Additional Recommendations

  1. System administrators should install patches on a non-production system, if available, to verify that the security patch will not adversely impact system functionality.
  2. If a non-production testing system is not available, system administrators must take appropriate measures to verify the patch's correct functionality after being installed into production.
  3. When available, it is recommended that system administrators utilize tools such as Windows Security Update Services or LANDesk to automate the consistent installation of security patches. System and application owners are encouraged to contact Information Security to utilize available patch automation services.
Exclusions or Special Circumstances: 

Requests for exceptions to this Policy may be granted for security patches that compromise the usability of an application or computer system and where other security measures (e.g., network filtering, firewall, etc.) are in place to mitigate risk. Any requests must be submitted in writing to the Director of Information Security for approval. The KUMC Information Security Exception Form is available for this purpose.

Exceptions will be permitted only on receipt of written approval from Information Security. Information Security will retain documentation of currently permitted exceptions and will review them on an annual basis.

Consequences: 

Suspected or known violations of this policy will be reported to the appropriate University officials, and may result in:

  • Removal of non-compliant systems from the University's network
  • Accountability for conduct under any applicable University or campus policies, procedures, or collective bargaining agreements, including disciplinary action.
  • Prosecution under applicable statutes.

Suspected or known violations of University regulations and/or State and Federal law will be processed by the appropriate University authorities and/or law enforcement agencies.

Contact: 

For information on this policy, please contact:

Eric Walters
Director of Information Security
Department of Information Resources
University of Kansas Medical Center
1020 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-0966

Michael Harmelink
Associate Vice Chancellor for Information Resources
Chief Information Officer
University of Kansas Medical Center
1018 Taylor, 3901 Rainbow Blvd
Kansas City, Kansas 66160
(913) 588-4900

Approved by: 
Chief Information Officer, KUMC
Approved on: 
Monday, August 1, 2005
Effective on: 
Monday, August 1, 2005
Review Cycle: 
Annual (As Needed)
Definitions: 

Remediated: corrected a fault or deficiency.  An action taken to remediate a security vulnerability could include applying a vendor's patch, applying additional security controls, or changing a system's configuration to one that is no longer vulnerable.

Vulnerabiliity: A security risk or weakness which can be exploited to allow an attacker to compromise the security of a system.

Keywords: 
vulnerabilities, patches, security
Review, Approval & Change History: 

2014-07-17:  Updated contact information.

2014-03-03: Reviewed and moved into KU Policy Library.

2013-04-17: Reviewed with no changes.

2012-04-27: Reviewed with no changes.

2011-03-13: Reviewed with no changes.

Information Access & Technology Categories: 
Privacy & Security

Policy Library Search
Can't Find What You're Looking For?
One of 34 U.S. public institutions in the prestigious Association of American Universities
26 prestigious Rhodes Scholars — more than all other Kansas colleges combined
Nearly $290 million in financial aid annually
46 nationally ranked graduate programs.
—U.S. News & World Report
Top 50 nationwide for size of library collection.
—ALA
23rd nationwide for service to veterans —"Best for Vets," Military Times