{"id":70040,"date":"2026-03-11T10:49:44","date_gmt":"2026-03-11T17:49:44","guid":{"rendered":"https:\/\/policies.wsu.edu\/prf\/?page_id=70040"},"modified":"2026-03-11T10:49:45","modified_gmt":"2026-03-11T17:49:45","slug":"bppm-87-17","status":"publish","type":"page","link":"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-17\/","title":{"rendered":"87.17 Vulnerability Management"},"content":{"rendered":"\n<h1 class=\"wp-block-heading wsu-font-size--xxmedium\">University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual)<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">Vulnerability Management<\/h2>\n\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t\n\n<p><strong>UPPM 87.17<\/strong><\/p>\n<p><strong>For more information contact:<\/strong><br>&nbsp; &nbsp;<a href=\"https:\/\/its.wsu.edu\/how-can-we-help-contact-its\/\">Information Technology Services<\/a><\/p>\n<hr>\n<div id=\"toc_container\">\n<h3>Contents<\/h3>\n<ul class=\"toc_list\">\n<li><a href=\"#One_0\">1.0 &nbsp;&nbsp; Overview and Purpose<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#One_1\">1.1 &nbsp;&nbsp; Information Assurance Policies Generally<\/a><\/li>\n<li><a href=\"#One_2\">1.2 &nbsp;&nbsp; Specific Policy Overview and Purpose<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Two_0\">2.0 &nbsp;&nbsp; Applicability<\/a><\/li>\n<li><a href=\"#Three_0\">3.0 &nbsp;&nbsp; Roles and Responsibilities<\/a>\n<ul class=\"toc_list\">\n<li><a href=\"#Three_1\">3.1 &nbsp;&nbsp; Chief Information Officer<\/a><\/li>\n<li><a href=\"#Three_2\">3.2 &nbsp;&nbsp; Information System Owners<\/a><\/li>\n<li><a href=\"#Three_3\">3.3 &nbsp;&nbsp; Office of Information Security and Assurance (OISA)<\/a><\/li>\n<\/ul>\n<\/li>\n<li><a href=\"#Four_0\">4.0 &nbsp;&nbsp; Requirements<\/a><\/li>\n<li><a href=\"#Five_0\">5.0 &nbsp;&nbsp; Training<\/a><\/li>\n<\/ul>\n<\/div>\n<h3 id=\"One_0\">1.0 &nbsp;&nbsp; 
Overview and Purpose<\/h3>\n<h4 id=\"One_1\">1.1 &nbsp;&nbsp; Information Assurance Policies Generally<\/h4>\n<p>The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:<\/p>\n<ul>\n<li>Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;<\/li>\n<li>Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and<\/li>\n<li>Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.<\/li>\n<\/ul>\n<p>The policies in this chapter comply with Federal Information Processing Standards Publication 199 (<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/fips\/nist.fips.199.pdf\">FIPS 199<\/a>), which requires organizations to categorize each information system as low-impact, moderate-impact, or high-impact for each of the security objectives of confidentiality, integrity, and availability, so that protection across information technology (IT) systems is applied consistently according to the potential impact of a loss.<\/p>\n<p>The FIPS 199 impact categorization, which expresses the potential consequence of a loss event, and the NIST security control baselines selected from it, are used to:<\/p>\n<ul>\n<li>Define WSU Information Owners\u2019 impact categorization rating (Low, Moderate, or High);<\/li>\n<li>Determine which security controls are mandatory based upon the categorization level;<\/li>\n<li>Define the strength, frequency, and formalization of those controls; and<\/li>\n<li>Influence audit burden and continuous monitoring rigor.<\/li>\n<\/ul>\n<p>See <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-01\/\">UPPM 87.01<\/a> for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.<\/p>\n<h4 id=\"One_2\">1.2 &nbsp;&nbsp; Specific Policy Overview and 
Purpose<\/h4>\n<p>Establishing uniform requirements for identifying, assessing, and remediating vulnerabilities within WSU\u2019s information systems helps reduce security risks and protects institutional data. This policy supports WSU\u2019s overall information assurance program by defining expectations for vulnerability scanning, reporting, and coordinated remediation efforts across the University.<\/p>\n<h3 id=\"Two_0\">2.0 &nbsp;&nbsp; Applicability<\/h3>\n<p>This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.<\/p>\n<p>Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-23\/\">UPPM 87.23<\/a>.<\/p>\n<h3 id=\"Three_0\">3.0&nbsp;&nbsp;  Roles and Responsibilities<\/h3>\n<h4 id=\"Three_1\">3.1 &nbsp;&nbsp; Chief Information Officer<\/h4>\n<p>The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.<\/p>\n<h4 id=\"Three_2\">3.2 &nbsp;&nbsp; Information System Owners<\/h4>\n<p>Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy&#8217;s implementation.&nbsp;<\/p>\n<h4 id=\"Three_3\">3.3 &nbsp;&nbsp; Office of Information Security and Assurance (OISA)<\/h4>\n<p>WSU\u2019s Office of Information Security and Assurance (OISA) shall maintain the <a href=\"https:\/\/its.wsu.edu\/documents\/2026\/01\/vulnerability-management-standard.pdf\">standard (PDF)<\/a> associated with this policy and provide guidance for the associated procedures for the implementation of this policy (<a href=\"https:\/\/its.wsu.edu\/documents\/2026\/02\/vulnerability-management-procedure.pdf\">see examples 
(PDF)<\/a>).<\/p>\n<p><strong>Note:<\/strong> While all units are required to adhere to the standard established by OISA (which is based on <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">NIST SP 800-53<\/a>), the procedural examples for implementation are optional.<\/p>\n<h3 id=\"Four_0\">4.0 &nbsp;&nbsp; Requirements<\/h3>\n<p>WSU must maintain a vulnerability management system based on the Security Content Automation Protocol (SCAP) to identify potential information system weaknesses. WSU must also maintain a public reporting capability through which external parties can report vulnerabilities in WSU system components.&nbsp;<\/p>\n<p>Primary vulnerability management tools are to be operated within WSU and must be able to update their vulnerability databases readily, so that every scan runs with current vulnerability signatures.&nbsp;<\/p>\n<p>WSU&#8217;s vulnerability management system must scan information systems for both coding and configuration-based weaknesses. Scan results must report software vulnerabilities with Common Vulnerability Scoring System (CVSS) scores and configuration weaknesses with Common Configuration Scoring System (CCSS) scores, alongside the SCAP content used for the scan, so that weaknesses identified on different information systems are scored consistently.<\/p>\n<p>WSU must scan regulated and confidential network segments as required to identify weaknesses and changes in those systems. If changes are detected (for example, findings that are new or resolved relative to the previous scan), an alert is to be generated and logged in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-50\/\">UPPM 87.50<\/a>.<\/p>\n<p>WSU must maintain application-specific vulnerability scanners for web applications and for compiled-code applications, tailored to the respective programming languages. Applications are to be scanned to identify weaknesses and changes in those systems.<\/p>\n<p>WSU must maintain database-specific vulnerability scanners to identify database-specific vulnerabilities in WSU systems. 
All databases are to be scanned to identify weaknesses and changes in those systems.<\/p>\n<p>Only authorized individuals are permitted to perform vulnerability scans and analyze scan reports. Internal vulnerability scans must be performed in authenticated mode with privileged access to system components.&nbsp; Service accounts for vulnerability scanning activities are to be created and maintained in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-05\/\">UPPM 87.05<\/a>.<\/p>\n<p>WSU&#8217;s vulnerability management scanners must be secured in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<p>WSU Information Owners, or their delegates, must be provided with reports to enable visibility into the vulnerabilities identified on the systems that store, transmit, process, or otherwise use information under their care.<\/p>\n<p>Where possible, vulnerability monitoring is to include scanning for patch levels in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-40\/\">UPPM 87.40<\/a>.<\/p>\n<p>Vulnerabilities are to be remediated in accordance with WSU\u2019s risk tolerance and <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-25\/\">UPPM 87.25<\/a>.<\/p>\n<p>WSU must use the results of the vulnerability scans to determine WSU&#8217;s remediation efforts and understand the risk in accordance with <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-25\/\">UPPM 87.25<\/a>.<\/p>\n<p>Non-remediated critical vulnerabilities must be immediately reported to the OISA.<\/p>\n<h3 id=\"Five_0\">5.0&nbsp; &nbsp; &nbsp;Training<\/h3>\n<p>See <a 
href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a> for training requirements related to UPPM Chapter 87.<\/p>\n<p>In addition to the requirements in <a href=\"https:\/\/policies.wsu.edu\/prf\/index\/manuals\/business-policies-and-procedures-manual\/bppm-87-21\/\">UPPM 87.21<\/a>, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner\u2019s authority.<\/p>\n<p style=\"font-size: .8rem\">_______________________<br><strong>Revisions:<\/strong>&nbsp; March 2026 (NEW &#8211; Rev. <a href=\"https:\/\/policies.wsu.edu\/prf\/bppm-manual-revisions\/bppm-revision-654\/\">654<\/a>).<\/p>\n\n<\/div>\r\n\n<\/div>\n\n<div class=\"wsu-row wsu-row--single\" >\r\n    \n<div class=\"wsu-column\"  style=\"\">\r\n\t<\/div>\r\n\n<\/div>","protected":false},"excerpt":{"rendered":"<p>University Policies and Procedures Manual&nbsp;(previously Business Policies and Procedures Manual) Vulnerability 
Management<\/p>\n","protected":false},"author":49281,"featured_media":0,"parent":50633,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"wsuwp_university_location":[],"wsuwp_university_org":[],"_links":{"self":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70040"}],"collection":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/users\/49281"}],"replies":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/comments?post=70040"}],"version-history":[{"count":6,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70040\/revisions"}],"predecessor-version":[{"id":70109,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/70040\/revisions\/70109"}],"up":[{"embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/pages\/50633"}],"wp:attachment":[{"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/media?parent=70040"}],"wp:term":[{"taxonomy":"wsuwp_university_location","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_location?post=70040"},{"taxonomy":"wsuwp_university_org","embeddable":true,"href":"https:\/\/policies.wsu.edu\/prf\/wp-json\/wp\/v2\/wsuwp_university_org?post=70040"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
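The Requirements section (4.0) of the policy record above calls for scan findings to be scored with CVSS, for alerts when changes are detected between scans of a segment, for remediation driven by scan results and risk, and for immediate reporting of unremediated critical vulnerabilities to OISA. The following is an added worked example and is not part of UPPM 87.17, OISA's standard, or any WSU tooling. It implements the published CVSS v3.1 base-score formula and severity bands, diffs two scans of one segment to produce the change events worth alerting on, and builds the two work lists a system owner needs: findings past their remediation window and unremediated Criticals to escalate. The hostnames, check identifiers, sample vectors, and the remediation windows are constructed assumptions for illustration; CCSS scoring of configuration findings is not implemented here.

```python
# Added example (not WSU's code or tooling): triage of SCAP-style scan output.
# Scores CVSS v3.1 vectors with the published formula, detects changes between
# two scans of one segment, and flags unremediated Critical findings.
import math
from dataclasses import dataclass

# CVSS v3.1 metric weights (FIRST CVSS v3.1 specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Qualitative bands per CVSS v3.1 section 5 (upper bound inclusive).
_SEVERITY_BANDS = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))
# ASSUMED remediation windows in days, for illustration only; UPPM 87.25 and
# WSU's risk tolerance govern the real ones.
REMEDIATION_WINDOW_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": 365}


def _roundup(value: float) -> float:
    """CVSS v3.1 Roundup (spec appendix A): smallest one-decimal value >= input,
    done on integers so floating-point error cannot shift a score across a band."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for e.g. 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' (-> 9.8)."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector}")
    m = dict(p.split(":", 1) for p in parts[1:])
    changed = m["S"] == "C"  # Scope: Changed alters the PR weights and the impact curve
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = (1.08 if changed else 1.0) * (impact + exploitability)
    return _roundup(min(total, 10))


def severity(score: float) -> str:
    """Qualitative severity rating for a base score."""
    return next(name for upper, name in _SEVERITY_BANDS if score <= upper)


@dataclass(frozen=True)
class Finding:
    host: str          # scanned asset (constructed names in the samples below)
    check: str         # scanner check identifier (constructed)
    vector: str        # CVSS v3.1 base vector from the scan output
    age_days: int      # days since first detection
    remediated: bool = False

    def key(self) -> tuple:
        return (self.host, self.check)


def scan_diff(previous: list, current: list) -> dict:
    """Change detection between consecutive scans of one segment: new and
    resolved findings are the events to alert on and log (UPPM 87.50)."""
    prev = {f.key() for f in previous}
    cur = {f.key() for f in current}
    return {"new": [f for f in current if f.key() not in prev],
            "resolved": [f for f in previous if f.key() not in cur]}


def triage(findings: list) -> dict:
    """Work lists: findings past their (assumed) remediation window, and
    unremediated Criticals that must be reported to OISA immediately."""
    overdue, report_to_oisa = [], []
    for f in findings:
        if f.remediated:
            continue
        sev = severity(cvss31_base_score(f.vector))
        label = f"{f.host} {f.check} ({sev})"
        if sev == "Critical":
            report_to_oisa.append(label)
        if f.age_days > REMEDIATION_WINDOW_DAYS[sev]:
            overdue.append(label)
    return {"overdue": overdue, "report_to_oisa": report_to_oisa}


# Constructed sample scans: hostnames, check IDs and vectors are illustrative only.
PREVIOUS_SCAN = [
    Finding("db-01.example.internal", "CHK-1001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 3),
    Finding("web-02.example.internal", "CHK-2002", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 40),
]
CURRENT_SCAN = [
    Finding("db-01.example.internal", "CHK-1001", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 10),
    Finding("app-03.example.internal", "CHK-3003", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 1),
]

if __name__ == "__main__":
    for kind, items in scan_diff(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(kind, [f"{f.host} {f.check}" for f in items])
    print(triage(CURRENT_SCAN))
```

Two design points matter in practice. Roundup is done on integers because the spec's examples are defined that way, and a naive `round(x, 1)` can land a score one band lower than the scanner's own score, which would silently change the remediation window. The change detection keys on host and check rather than on the score, so a finding that disappears without a recorded remediation (a decommissioned host, or a scan that ran unauthenticated and therefore saw less) still produces an event to investigate.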