Understanding the University’s Vulnerability Management Program

The University Vulnerability Management Program (VMP) is a continuous, campus-wide effort to identify, prioritize, and remediate cybersecurity risks across university-managed systems. Using industry-standard scanning tools and a structured scan–assess–remediate process, the VMP helps reduce exposure to cyber threats, supports regulatory compliance, strengthens the university’s security posture, and ensures critical vulnerabilities are addressed before they can be exploited.

What Is the Vulnerability Management Program (VMP)?

The University Vulnerability Management Program (VMP) is a critical, campus-wide initiative designed to systematically and continuously identify, assess, prioritize, and remediate cybersecurity risks across the university's managed IT systems.

It is not a one-time process, but a continuous security cycle that works proactively to find flaws before attackers do. The scope includes all university-owned or managed infrastructure, servers, and devices that handle administrative, academic, or research data.

Program Goals and Impact

The VMP provides immense value to the university by reducing exposure to known cyber threats. Its primary goals are to:

  • Detect and Address Risk: Proactively detect and address software and configuration vulnerabilities before they can be exploited by malicious actors, significantly lowering the university's overall risk profile.
  • Support Compliance and Regulation: Ensure university systems remain compliant with internal security policies, as well as external regulatory requirements (such as HIPAA for medical data, FERPA for student records, and various federal guidelines for research integrity).
  • Strengthen Security Posture: Systematically reduce the number of known openings, thereby strengthening the security posture of critical academic, administrative, and research systems that house intellectual property and sensitive data.
  • Guide Investment: Provide data-driven insights to OIT leadership, allowing them to prioritize remediation efforts and allocate resources to address the highest-severity threats first.

How the Program Works: The Scan-Assess-Remediate Cycle

The VMP operates using industry-standard tools and a defined process that involves collaboration between the Information Security Office (ISO) and system owners (OIT departments, partners, and researchers).

1. Scanning Tools and Deployment

The university primarily uses Tenable Nessus for vulnerability scanning. This tool is deployed in two main ways:

Network Scanners:
These scanners assess a system over the network from a scanner host, with no software installed on the target, and look for vulnerabilities such as outdated services, open ports, and weak configurations. They are used to scan both publicly facing systems and internal network segments. Because they see only what the target exposes on the network, they need no local access to the device, but for the same reason they cannot see local patch state or configuration that is not visible from outside.

Nessus Agents:
Lightweight software agents installed directly on university-managed servers and workstations. These agents provide deep, authenticated visibility into local configurations and installed software, offering the most comprehensive view of missing patches and misconfigurations.

Both deployment modes are designed to be non-intrusive: the scanning process has minimal performance impact and typically completes without requiring any user interaction.

Key Advantages of Nessus Agents:

  • Scan Offline: Detect vulnerabilities, such as missing patches and outdated software, even when a device is off the university network or disconnected from VPN. The agent runs its checks locally and initiates outbound contact with the Tenable manager it is linked to in order to receive scan jobs and upload results, so the device only needs ordinary internet connectivity; it does not need to be reachable by a network scanner.
  • Run Authenticated Checks: Perform deep, local configuration checks that are more accurate and comprehensive than network-only scans.

2. Scan Frequency and Prioritization

Network and agent-based scans are conducted on a regular, scheduled basis to identify new vulnerabilities as soon as they emerge. Typically:

  • Network Discovery scans: Mondays
  • Network Host scans: Tuesdays
  • Agent-based Host scans: Mondays, Wednesdays, and Fridays.

The exact schedule can be found here: <need to add the link>

The scanning tools assign a severity rating (Critical, High, Medium, Low, or Informational) to each finding. The rating follows the qualitative bands of the Common Vulnerability Scoring System (CVSS): Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, Informational 0.0. The ISO uses this rating, along with other factors, to prioritize remediation efforts so that the most dangerous flaws are fixed first.

3. Results and Remediation

The final stage of the VMP cycle involves reviewing, taking action, and confirming security improvements.

  • Review and Prioritization: Findings are first reviewed by the Information Security Office (ISO) to filter out false positives, assess the severity, and consolidate reports before distribution.
  • Reporting: Detailed reports are shared with the relevant system owners responsible for the vulnerable system. System owners are notified of the priority and required remediation timeline.
  • Remediation: System owners are expected to apply the necessary patches, update software versions, or correct misconfigurations within defined service level agreements (SLAs), especially for critical vulnerabilities.
  • Verification: Because scanning is continuous, the ISO can confirm that a reported vulnerability no longer appears on the system after remediation. This verification status is reflected in the subsequent scheduled reports sent to system owners.
  • Quarantine (High-Risk Enforcement): For specific high-risk vulnerabilities (e.g., critical OS flaws, Apache Tomcat, Log4j, PrintNightmare), systems that remain vulnerable for more than 60 days are quarantined from the Rice network. Please refer to the ISO Monthly Quarantine Policy for details.
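The prioritization described in section 2 and the verification and 60-day quarantine rule in section 3, as an added example in Python. This is not Rice ISO or Tenable code. The two scan snapshots, the simplified CSV layout, the hostnames and the plugin IDs are constructed for the example (real Nessus exports carry many more columns), and the code uses the CVSS severity band alone to decide quarantine candidates, whereas the real policy names specific vulnerabilities. It also handles the edge case the cycle must get right: a finding that disappears from a host the scanner did not reach is not a remediation.

```python
import csv
import io
from datetime import date

# Constructed sample snapshots from two consecutive scans. The column layout
# is an assumption made up for this example; hosts and plugin IDs are fictitious.
PREVIOUS_SCAN = """host,plugin_id,name,cvss3,first_seen
web01.example.edu,10001,Apache Tomcat remote code execution,9.8,2025-12-01
web01.example.edu,10002,TLS 1.0 protocol enabled,5.3,2025-12-15
db01.example.edu,10003,Missing OS security update,7.5,2025-11-20
lab07.example.edu,10005,Outdated Java runtime,7.2,2026-01-05
"""
CURRENT_SCAN = """host,plugin_id,name,cvss3,first_seen
web01.example.edu,10002,TLS 1.0 protocol enabled,5.3,2025-12-15
db01.example.edu,10003,Missing OS security update,7.5,2025-11-20
db01.example.edu,10004,Log4j JNDI lookup vulnerability,10.0,2026-01-28
"""
# Hosts the current scan actually reached (constructed). lab07 was offline, so
# the absence of its finding proves nothing about remediation.
CURRENT_SCANNED_HOSTS = {"web01.example.edu", "db01.example.edu"}
CURRENT_SCAN_DATE = date(2026, 1, 29)

# Days a Critical/High finding may stay open before the host becomes a
# quarantine candidate (the 60-day threshold from the program description).
QUARANTINE_AFTER_DAYS = 60


def severity(cvss3: float) -> str:
    """Map a CVSS v3 base score to its qualitative band (Nessus labels 0 'Info')."""
    if cvss3 >= 9.0:
        return "Critical"
    if cvss3 >= 7.0:
        return "High"
    if cvss3 >= 4.0:
        return "Medium"
    if cvss3 > 0.0:
        return "Low"
    return "Info"


def parse_scan(csv_text: str) -> dict:
    """Return {(host, plugin_id): finding} for one scan snapshot."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], int(row["plugin_id"]))
        findings[key] = {
            "host": row["host"],
            "plugin_id": int(row["plugin_id"]),
            "name": row["name"],
            "cvss3": float(row["cvss3"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        }
    return findings


def triage(previous: dict, current: dict, scanned_hosts: set, scan_date: date) -> dict:
    """Compare two snapshots: confirm remediations, carry unverified ones,
    and order open findings by severity with quarantine candidates flagged."""
    remediated, unverified = [], []
    for key in sorted(previous.keys() - current.keys()):
        # Only a host the scanner reached can confirm that a finding is gone.
        (remediated if key[0] in scanned_hosts else unverified).append(key)

    open_findings = []
    for key, f in current.items():
        age = (scan_date - f["first_seen"]).days
        sev = severity(f["cvss3"])
        open_findings.append({
            **f,
            "severity": sev,
            "age_days": age,
            "status": "still open" if key in previous else "new",
            # Simplification: the real policy names specific vulnerabilities.
            "quarantine_candidate": sev in ("Critical", "High") and age > QUARANTINE_AFTER_DAYS,
        })
    # Highest CVSS first; ties go to the finding that has been open longest.
    open_findings.sort(key=lambda f: (-f["cvss3"], -f["age_days"]))
    return {"remediated": remediated, "unverified": unverified, "open": open_findings}


if __name__ == "__main__":
    result = triage(parse_scan(PREVIOUS_SCAN), parse_scan(CURRENT_SCAN),
                    CURRENT_SCANNED_HOSTS, CURRENT_SCAN_DATE)
    for f in result["open"]:
        flag = " QUARANTINE CANDIDATE" if f["quarantine_candidate"] else ""
        print(f'{f["severity"]:<8} {f["cvss3"]:>4} {f["host"]:<18} {f["name"]} '
              f'({f["status"]}, {f["age_days"]}d){flag}')
    print("remediated:", result["remediated"])
    print("unverified (host not scanned):", result["unverified"])
```

In the sample, the Tomcat finding on web01 is confirmed remediated, the Log4j finding on db01 sorts to the top as a new Critical, the 70-day-old High on db01 is flagged as a quarantine candidate, and the Java finding on lab07 stays unverified until the agent or network scanner reaches that host again.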

Privacy and Data Protection

The VMP is strictly focused on technical infrastructure integrity. The scans collect only technical metadata and configuration information.

Scan data collected includes:

  • Operating System version (e.g., Windows 11, macOS Sonoma)
  • List of installed software versions (e.g., Apache version, Java version)
  • Missing security patches and updates
  • Configuration settings (e.g., weak encryption protocols, open ports)

The scans do not access, view, or store personal user data, emails, browsing history, or the content of personal files: the checks compare software versions and configuration settings against known vulnerabilities, not user content. The VMP is governed by the university's data privacy policies, which limit all data collection to security assessment purposes.

Keywords:
vulnerability management program VMP university cybersecurity vulnerability scanning risk management IT security program Tenable Nessus Nessus agent network vulnerability scanning CVSS patch management security remediation ISO security information security office compliance HIPAA FERPA research security cyber risk reduction endpoint security infrastructure security 
Doc ID:
158019
Owned by:
Mustafa K. in Rice U
Created:
2026-01-21
Updated:
2026-01-29
Sites:
Rice University