Any vulnerable system that has been identified as a risk to the university is subject to removal from the network until such time as the risk can be addressed. There will be a grace period for each system, defined by the level of severity of the vulnerability. The grace period will be communicated to you by the Information Security Office or the Office of Information Technology, allowing the risk to be addressed before the system is removed from the network.

In the majority of cases, a vulnerability can be resolved by applying a patch or series of patches, usually provided by the operating system or application vendor (i.e. Microsoft, Apple, Adobe, etc.) or simply updating the operating system or application to its latest version.  Work with your OIT representatives or the helpdesk if you have concerns or questions about how to do this.  

In some cases, patching or updating a system can be problematic for a variety of reasons. If this situation applies to you, OIT and ISO recommend that you attempt to mitigate the vulnerability by taking one or more of the following actions, which will minimize the risk to the university, and then request a temporary exception. This will allow your system to remain on the network for a time while you attempt to address the risk to the university. 

• Implement third-party support agreements for extended hardware or software support
• Disallow remote access to the system
• Relocate research data, personally identifiable information (PII), and financial or other critical data to a more secure system
• Reduce and/or remove all services not specifically required by the core function of the system (such as SMB, FTP, and RDP)
• Upgrade all required service software to current versions
• Discontinue using the system for normal user-based operations (such as web browsing and email clients)
• Remove user applications not required for primary function (personal user apps, i.e. email browsers)
• Restrict access to the system by using host-based firewall configurations to limit access to mission-critical functions
• Restrict outbound access to only critical local sites
• Restrict user access to the system
• Disable or remove file-sharing services
• Disable USB support on the device
• Enable multi-factor authentication for system access
• Ensure that the system is configured with centralized management controls and end-point management solutions (i.e. MSAD, JAMF, RH Satellite)
• Install antivirus and anti-malware software that is updated regularly
• Review systems configurations with professional OIT staff regularly
• Remove or disable unused local credentials and back doors

As always, OIT and the ISO will work with you to evaluate and apply controls that address your specific issue. 

Should you feel that you require an exemption from having your system or systems removed from the network, you may initiate a Conditional Exception Request, which will go to the CIO for review and approval. You will have 30 days to complete this process or the vulnerable system may be removed from the network. The Conditional Exception Request Form is attached here. Please review the form before requesting an exception.

To be able to request an exception, the following criteria must be met:

• The system cannot be compromised or publicly accessible (contain viruses, malware, or command and control software or have a public IP address).          
• The system cannot have access to or contain Rice confidential or sensitive data  (email, FERPA  data, ePHI/PII, financial or research data, unrestricted file services).      
• The system must have a defined Owner and Steward.       
• System / Service must be critical to Rice University or Department operations.     

Process Steps:

1. Form is sent to the identified "Form Filler" via email. This is the person who will provide the relevant system information, the purpose of the system, the justification for requesting an exception, and a remediation plan to resolve the issue.

2. Form is sent back to ISO staff for review and assignment of a severity risk level.

3. Form is then sent to the Owner for signature in Adobe Sign with the noted risk level.

4. Form is then sent to the ISO Management and the CIO for review and approval.