Upcoming Vulnerability Management (DS-21) Changes


Artificial intelligence is rapidly changing the cybersecurity threats facing IT infrastructures. The number of attacks targeting the university is increasing, while the time between a vulnerability's identification and its exploitation is decreasing. ITS Information Assurance (IA) is aware of the shifting threat landscape and is finalizing updates to the Vulnerability Management (DS-21) standard.

Vulnerability management is a critical component of the university’s information security program. It is essential to protecting U-M data and systems and to reducing financial, reputational, and regulatory risk. To manage vulnerabilities effectively and in a timely manner, IA works in close partnership with units. The DS-21 standard establishes the compliance requirements for this work.

New Enrollment Requirement and Exception Process

A notable change to the standard is the requirement for “all university-owned systems, regardless of location and the sensitivity level of institutional and research data they create, process, maintain, transmit, or store” to enroll in the enterprise vulnerability management system (Tenable). The standard introduces a process by which units can request exceptions for systems with conflicts that prevent the installation of Tenable.

Changes to Prioritization and Remediation Guidelines

Previously, there were two priority levels, Critical and High, with resolution timeframes of 1 month and 3 months, respectively. A new, higher priority level, Urgent, has been added, with a 2-week resolution timeframe. The updated severity levels and remediation timeframes are informed by multiple considerations, including threat level, exposure, asset criticality, and compensating controls, so a given vulnerability's priority may differ from its vendor-assigned severity score alone. This updated framework, supported by Tenable reporting, will enable unit staff to better focus their remediation efforts.

Clarification of Roles and Responsibilities

The revision simplifies and clarifies the roles and responsibilities of IA and IT staff and introduces a set of responsibilities for end users around keeping their devices up to date on security safeguards. A draft of the revision is available for review on the VPIT-CIO website.
