Cyber vulnerability management policy

Updated on 23 January 2024

This policy sets out the University's approach to managing cyber vulnerabilities as part of its cybersecurity strategy and aims to maintain a secure IT environment.

Purpose

The purpose of the University Cyber Vulnerability Management policy is to establish a structured and systematic approach to identification, assessment, prioritisation, and remediation of security vulnerabilities within its information technology (IT) infrastructure. This policy plays a crucial role in the University’s overall cybersecurity strategy and aims to enhance its ability to maintain a secure and resilient IT environment.

Scope

This policy applies to:

  • All systems and services which connect to the University network.

The policy will be communicated to users and relevant external parties by publication on the University website.
Objectives

The University’s objectives for this policy are to:

  • Protect the confidentiality, integrity and availability of University information.
  • Safeguard the University’s information from security threats that could have an adverse effect on its operations or reputation.
  • Instil a culture which actively encourages effective management of cyber vulnerabilities.

Policy

The University shall conduct automated vulnerability scans, using commercial tools, against the systems and services that Digital and Technology Services (DTS) manages, and will report identified vulnerabilities to system or service owners for remediation.

From time to time the University may conduct penetration tests or other vulnerability detection procedures at the discretion of the DTS Cyber Security team.

Asset Management: The University shall maintain an up-to-date inventory of assets under DTS management. This inventory is essential for accurately assessing and managing vulnerabilities.

Vulnerability Identification and Assessment: This task shall be conducted regularly against each of the systems and services owned or managed by DTS.

Vulnerability Remediation Prioritisation: Vulnerabilities shall be prioritised and remediated according to criticality.

Vulnerability Remediation: The Cyber Security team shall report identified vulnerabilities to the appropriate service owners or managers for remediation.

Stakeholder Communication: The Cyber Security Team shall report vulnerability remediation trends to stakeholders using the monthly Cyber Security Threat Report and at monthly DTS Service & Operations board meetings.

Legal & Regulatory Obligations

The University of Dundee has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

A non-exhaustive summary of the legislation and regulatory obligations that contribute to the form and content of this policy is provided in IT policies - relevant legislation.

Responsibilities

The following bodies and individuals have specific information security responsibilities:

  • The University Digital Committee has executive responsibility for information security within the University. Digital Committee has responsibility for overseeing the management of the information security risks to the University's information assets.
  • The Director, DTS is responsible for establishing and maintaining the University’s cyber security management framework to ensure the availability, integrity and confidentiality of the University’s information.
  • The University’s Digital and Technology Services (DTS) is accountable for the effective implementation of this policy and supporting information security rules and standards.
    • The DTS Cyber Security Team are responsible for management of the Cyber Security Vulnerability management tools and for reporting findings to stakeholders, including service owners, DTS management, and other interested parties as required.
    • DTS technical system or service owners are responsible for assessing the vulnerability reports provided to them by the Cyber Security Team, and for implementing remediations according to the deadlines in the University Patch Management Policy.
  • Line Managers are responsible for ensuring that service owners in their teams complete vulnerability remediation according to the deadlines in the University Patch Management Policy.
  • Owners or managers of non-centrally managed systems are responsible for ensuring that these systems are not vulnerable to known security issues for which fixes are available.

Supporting Policies, Codes of Practice, Procedures and Guidelines

Supporting policies have been developed to strengthen and reinforce this policy statement. These, along with associated codes of practice, procedures and guidelines are published together and are available for viewing on the University of Dundee website.

All staff users and any third parties authorised to access the University’s network or computing facilities are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.

Compliance and Breach of Policy

The University shall conduct cyber security compliance and assurance activities, facilitated by the University’s cyber security staff to ensure cyber security objectives and the requirements of the policy are met. Failure to follow the policy will be treated seriously by the University and may result in enforcement action. If you have any questions or concerns about this policy, please discuss them with your line manager.

Review and Development

This policy and its supporting documentation shall be reviewed and updated when best practice or the legislative/regulatory environment changes, to ensure that they:

  • remain operationally fit for purpose.
  • reflect changes in technologies.
  • are aligned to industry best practice.
  • support continued regulatory, contractual, and legal compliance.

Changes to this policy will follow Digital Committee procedure.

Further Information

Definitions

Availability

Property of being accessible and usable upon demand by an authorized entity.

Confidentiality

Property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

Data

Information in raw form.

Information

The result of processing, manipulating, or organising data. Examples include, but are not limited to, text, images, sounds, codes, computer programmes, software, and databases.

Integrity

Property of accuracy and completeness.

Staff

Staff are salaried members of the University or contracted individually by the University to provide a service.

Student

A person matriculated to pursue any course of study in the University.

University

The University of Dundee is a Scottish Registered Charity, No. SC01509 with its registered office at Tower Building, Nethergate, Dundee DD1 4H.

Relevant Legislation

A statement of regulations with relevance to this policy can be found at IT policies - relevant legislation.

Questions

If you have any questions regarding this policy, please contact the University’s Help4U service.