Vulnerability management & vendor compliance standards published

padlock icon on digital background

(Copyright: maxkabakov/123RF)

Two new standards clearly define responsibilities regarding vulnerability management and vendor security and compliance, and updated and expanded guidance to help you meet those responsibilities is on Safe Computing. Andrew Rosenberg, interim U-M vice president for information technology and Michigan Medicine chief information officer, recently approved these two new standards:

  • Third Party Vendor Security and Compliance (DS-20). When a vendor service is used with university data, that data is at risk unless the vendor meets security and compliance requirements set by the university. Many serious data breaches reported in the news of late have resulted from issues with third party vendor services.
  • Vulnerability Management (DS-21). Updating and patching your systems on a routine basis and in response to security alerts helps protect university systems and data from zero-day attacks like Heartbleed. Timely vulnerability remediation is also an important component of regulatory compliance.

New guidance on Safe Computing outlines your responsibilities and describes how you can meet them to provide appropriate data protection:

  • Vulnerability Management Guidance. Information about regular and on-demand scans, vulnerability alerts from Information Assurance, and unit responsibilities for vulnerability remediation.
  • Third Party Vendor Security & Compliance Guidance. Information to help you select a vendor that meets compliance requirements, include IT security and privacy in your vendor contract, and manage ongoing vendor compliance. This is required when using a non-university product or service with university data.

The standards are living documents that will be reviewed and updated as needed. They will be implemented in a phased manner, so units will have some time to move toward full compliance.