Vulnerability Management Policy 

1.0 Purpose  

This policy sets out the requirement to identify and address technical vulnerabilities quickly and effectively, reducing the likelihood of them being exploited, which could result in serious security breaches and reputational damage to Aberystwyth University.  

2.0 Scope  

The scope of this policy is to define the University’s requirement for:   

a) Identifying vulnerabilities
b) Evaluating vulnerabilities
c) Remediating vulnerabilities
d) Reporting vulnerabilities

3.0 Policy  

3.1 All University systems must allow central vulnerability scans, and be subject to periodic penetration testing, and not be intentionally blocked. 

3.2 Vulnerability scans of the internal and external network must be conducted at least quarterly or after any significant change to the network.  

3.3. A remediation plan will be created by prioritising patching according to asset risk. 

• Vulnerabilities with a Common Vulnerability Scoring System (CVSS v3.0) rating exceeding 8.9 should be remediated as soon as possible and must be remediated within 7 days. 
• Vulnerabilities with a CVSS rating between 7.0 – 8.9 must be remediated within 14 days. 
• Vulnerabilities with a CVSS rating between 4.0 – 6.9 must be remediated within 90 days. 
• Vulnerabilities with a CVSS rating lower than 4.0 should be addressed within 180 days during normal maintenance cycles. 

3.4 The remediation plan will be validated by rescanning. 

3.5 Penetration testing of the internal network, external network, and hosted applications must be conducted at least annually or after any significant changes to the environment.  

3.6 Any exploitable vulnerabilities found during a penetration test will be corrected and re-tested to verify the vulnerability was corrected with 14 days of discovery. 

3.7 Vulnerabilities with CVSS rating exceeding 7.0 that will not be remediated in accordance with the above schedule, will need to be identified and documented, and added to the University risk register, and communicated to the University Executive Group. 

3.8 Any evidence of a compromised or exploited Information Resource found during vulnerability scanning / Penetration testing must be reported to the Cyber Security Officer and IT support.  

4.0 Supporting Policies  

This policy should be read in conjunction with other associated policies  :

• Software Management Policy
• Device Management Policy

5.0 Document History and Reviews    

The Information Security Group will monitor the effectiveness of this policy and carry out regular reviews.  

 

This Policy is maintained by Information Services, was last reviewed in August 2023 and is due for review in August 2024