11.2.13 Vulnerability Assessment Policy
1.0 Overview
Almost daily, new vulnerabilities are discovered in computer operating systems, network devices and application software. These vulnerabilities may be exploited by hackers and malicious logic. This exploitation may lead to loss of availability, confidentiality and integrity of data residing on the exploited systems, as well as providing a launching point for exploitation of additional Middle Georgia State University network computing resources.
The Office of Cybersecurity is responsible for ensuring the integrity, confidentiality, and availability of Middle Georgia State University network computing resources, while minimizing the impact of security procedures and policies upon institutional productivity.
2.0 Purpose
The purpose of this policy is to empower the Office of Cybersecurity to conduct information security vulnerability assessments to identify areas of risk and implement corrective measures to strengthen system security.
3.0 Scope
Vulnerability assessments can be conducted on any entity within Middle Georgia State University or any outside entity that has been issued Middle Georgia State University IP addresses.
4.0 Policy
The Office of Cybersecurity is authorized to conduct vulnerability assessments to identify potential weaknesses and implement corrective actions to mitigate risks.
Vulnerability assessments may be performed periodically on all Middle Georgia State University computing resources or when a system’s security posture changes. System changes that affect a system’s security posture include initial operating system installation and subsequent reloads, firewall access requests, and significant configuration changes.
Identified vulnerabilities will be reported to the system’s administrator for fix action. The execution, development and implementation of fix actions are the joint responsibility of the Office of Cybersecurity and the department responsible for the systems being assessed. Employees are expected to cooperate fully with any vulnerability assessment being conducted on systems for which they are held accountable. Should accountability be in question, it is the responsibility of the department chair or director to designate someone.
The system administrator for the system will be given a deadline for completion of the fix action. In the event that the fix action will not be complete by the deadline, the Office of Cybersecurity must be notified and given the following information:
Contact Name:
Contact Phone Number:
Contact Email address:
Contact’s Department:
System IP address(es):
Reason for not completing a fix action by the deadline:
Date when fix action will be complete:
Measures taken to mitigate exposure of the identified vulnerabilities:
5.0 Enforcement
The Office of Cybersecurity may take actions necessary to mitigate the exposure of any vulnerabilities not corrected by the deadline, including but not limited to restricting access to the system through the firewall, requiring the removal of DNS registration, requiring the deactivation of network ports and other actions. Systems not fixed by the deadline will be reported to the CIO for review.
Exceptions to this policy or extensions to deadlines may be granted by the Chief Information Officer (CIO) or their designee, in consultation with the Chief Information Security Officer (CISO), when circumstances warrant deviation from standard vulnerability assessment requirements.
6.0 Definitions
Entity – Any unit, department, group, or third party, internal or external to Middle Georgia State University, responsible for maintaining MGA assets.
Vulnerability – A weakness or gap that could compromise the confidentiality, integrity, or availability of information assets and systems.
Malicious Logic – Hardware or software intentionally introduced into a system to cause harm or unauthorized actions.
Network Computing Resources – All University-owned or managed networks, computers, servers, and any device connected to the network.
IP (Internet Protocol) – The standard protocol for addressing and routing data across networks.
System Administrator – The individual accountable for the operation, maintenance, and security of a specific system.