Information Technology Services

Commitment to Information Security

Information Technology Services is responsible for creating a culture that is committed to information security. As an expression of this commitment, the Vulnerability Response Timeline provides guidelines for resolution and documentation of system vulnerabilities. These guidelines apply to systems and software supplied by Information Technology Services, University departments, and vendors.

Vulnerability Response Timeline 

All software systems and components will receive security updates on a regular, defined schedule. 

  1. All vulnerabilities categorized as HIGH must be resolved within 30 days.
  2. All vulnerabilities categorized as CRITICAL must be resolved within 7 days.*
  3. All vulnerabilities categorized as EMERGENCY must be resolved within 48 hours.** 

Every exception to the above requires the completion of a Risk Acceptance Form and the approval of an Asst. CIO or above. All exceptions should be reviewed on an annual basis. 

* At the discretion of the IT Security department, the severity of any specific vulnerability may be downgraded from CRITICAL to HIGH in cases where the initial severity score is determined to be inaccurate in the context of the actual software deployment or when effective mitigating controls have been put in place. 
** Any vulnerability, regardless of the initial categorization, can be upgraded to a severity of EMERGENCY by either the IT Security department or the administrators of the service to which the vulnerability applies.