AITS Network Administration Group

Procedures for Implementing Vulnerability Policy

The following are the procedures to be followed to implement the policy on vulnerability management with respect to devices allowed to receive network traffic initiated by other devices outside the ENCS network:

  • All security holes will be reported by e-mail to the RP, Admin and User recorded in the network database.
  • Machines with already exploited holes will have their network connection blocked, or will be placed in "network quarantine", depending on the severity of the case.
  • If a machine/port has a remotely exploitable hole allowing execution of arbitrary code and for which an exploit is known to be publicly available, it will be blocked at the firewall immediately, and accessibility only reestablished when the vulnerability no longer exists.
  • If a machine/port has a remotely exploitable hole allowing execution of arbitrary code and for which no exploit is known to be publicly available, the RP/Admin/User will be allowed a grace period of 5 working days to fix the problem. If, after the grace period, the vulnerability still exists, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
  • If a machine/port has a vulnerability that is NOT remotely exploitable, or does NOT permit the execution of arbitrary code, the RP/Admin/User will be allowed a grace period of 30 days to fix the problem. If, after the grace period, the vulnerability still exists, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked immediately at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
  • Outward-facing ports must permit Nessus scans; if no Nessus scan is accepted for 30 days, the firewall exception for that port is removed.
  • In individual cases, full-time AITS network administration staff and full-time faculty members may together negotiate modifications to the terms, conditions, or procedures above, with the modifications recorded in an RT ticket.
  • Notwithstanding any of the articles above, AITS staff may, as permitted in their mandate, take any special action required to protect the security and integrity of the ENCS network.
  • A dispute regarding the application of policy as expressed above may be brought by a faculty member to the Director or the Associate Director of AITS for timely resolution.
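The decision rules above (immediate block, 5 working days, 30 days, and the Nessus scan requirement) can be expressed as a small triage routine so that deadlines are computed consistently rather than by hand. The following is an added example, not tooling of the AITS network administration group; the `Finding` fields, the `Action` names and the date arithmetic are assumptions. It treats working days as Monday to Friday with no holiday calendar, and it reads "after the grace period" and "for 30 days" as strictly more than the stated span having elapsed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Action(Enum):
    # Outcomes of the procedure as stated in the policy bullets.
    BLOCK_NOW = "block at firewall immediately (no grace period)"
    GRACE = "notify RP/Admin/User; block after grace period if unresolved"
    BLOCK_AFTER_GRACE = "grace period expired: notify and block at firewall"
    RESTORE = "vulnerability no longer present: access may be reestablished"


@dataclass
class Finding:
    # Hypothetical record of one scanner finding (field names are assumptions).
    host: str
    port: int
    remotely_exploitable: bool
    arbitrary_code: bool
    public_exploit: bool
    reported: date          # date the finding was e-mailed to RP/Admin/User
    still_present: bool     # result of the most recent re-check


def add_working_days(start: date, n: int) -> date:
    """Advance `start` by n working days (Mon-Fri; holidays are not modelled)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def deadline(f: Finding) -> Optional[date]:
    """Last day of the grace period, or None when the policy allows no grace."""
    if f.remotely_exploitable and f.arbitrary_code:
        if f.public_exploit:
            return None                      # block immediately
        return add_working_days(f.reported, 5)
    return f.reported + timedelta(days=30)   # calendar days for the low class


def triage(f: Finding, today: date) -> Action:
    """Map a finding to the action the procedure prescribes on `today`."""
    if not f.still_present:
        return Action.RESTORE
    due = deadline(f)
    if due is None:
        return Action.BLOCK_NOW
    if today > due:
        return Action.BLOCK_AFTER_GRACE
    return Action.GRACE


def scan_exception_expired(last_accepted_scan: date, today: date) -> bool:
    """Firewall exception is removed once no Nessus scan has been accepted for 30 days."""
    return (today - last_accepted_scan).days > 30


if __name__ == "__main__":
    # Constructed sample: a finding reported on a Friday.
    f = Finding("host.example", 22, True, True, False, date(2014, 9, 19), True)
    print("deadline:", deadline(f))
    print("action on 2014-09-29:", triage(f, date(2014, 9, 29)).value)
```

Each class of finding yields a different deadline, which is where manual handling most often drifts; keeping the rule in one function also makes the working-day versus calendar-day distinction explicit.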
Author: Michael Assels
Credits: Anne Bennett, Joel Krajden
Last update: 2014/09/19 -- Michael Assels