Guidance for the Internal Control Annual Information Assurance Certification Question

For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.

Fiscal Year 2023 Question

My unit is regularly reviewing and remediating critical vulnerabilities within the timeframes specified in the Vulnerability Management (DS-21) standard.

Responses to FY23 Question

All units should be able to answer "yes" or "partial" to the FY23 question.

Guidance for Responding to the Question

To manage software and network vulnerabilities and protect university data and systems, Information Assurance (IA) conducts regular vulnerability scans. These automated scans are designed to identify software vulnerabilities, missing system patches, and improper configurations.

Units receive scan results and recommendations from IA. In addition, units are notified of new vulnerabilities that are posted as Security Alerts and sent via email to appropriate IT staff groups.

According to the Vulnerability Management (DS-21) standard, Critical vulnerabilities (those rated 9-10 under NIST's Common Vulnerability Scoring System, CVSS) should have an action plan within two weeks of receipt of the scan results and be remediated within a month of receipt of the scan results.
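As an added illustration of the DS-21 timeframes described above (editor-supplied example code, not IA's scanning or reporting tooling), the following script classifies constructed scan findings by CVSS score and flags Critical ones whose action-plan or remediation deadline has passed. It assumes "a month" means 30 calendar days, and the hostnames and CVE ids are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds from the DS-21 summary above. Reading "a month" as 30
# calendar days is an assumption made for this example.
CRITICAL_MIN_CVSS = 9.0
ACTION_PLAN_DAYS = 14
REMEDIATION_DAYS = 30

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    received: date                      # date the unit received the scan results
    plan_filed: Optional[date] = None   # date an action plan was recorded
    remediated: Optional[date] = None   # date the fix was verified

def is_critical(f: Finding) -> bool:
    return f.cvss >= CRITICAL_MIN_CVSS

def due_dates(f: Finding) -> Tuple[date, date]:
    """(action plan due, remediation due), counted from receipt of results."""
    return (f.received + timedelta(days=ACTION_PLAN_DAYS),
            f.received + timedelta(days=REMEDIATION_DAYS))

def overdue_items(findings: List[Finding], today: date) -> List[str]:
    """Describe every DS-21 deadline a Critical finding has missed as of today."""
    out = []
    for f in findings:
        if not is_critical(f):
            continue                    # only Critical findings carry these deadlines
        plan_due, fix_due = due_dates(f)
        if f.plan_filed is None and today > plan_due:
            out.append(f"{f.host} {f.cve}: action plan overdue since {plan_due}")
        if f.remediated is None and today > fix_due:
            out.append(f"{f.host} {f.cve}: remediation overdue since {fix_due}")
    return out

# Constructed sample scan results with placeholder hosts and CVE ids.
SAMPLE = [
    Finding("web01.example.edu", "CVE-0000-0001", 9.8, date(2023, 3, 1)),
    Finding("web01.example.edu", "CVE-0000-0002", 7.5, date(2023, 3, 1)),
    Finding("db02.example.edu", "CVE-0000-0003", 9.1, date(2023, 3, 20),
            plan_filed=date(2023, 3, 28)),
]
AS_OF = date(2023, 4, 10)               # review date used for the sample run

if __name__ == "__main__":
    for line in overdue_items(SAMPLE, AS_OF):
        print(line)
```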

Supporting Materials

Answers to Your Questions

Security Unit Liaisons (SULs) can send questions to [email protected]. Information Assurance will post answers here to any inquiries received about this year's certification question.