For details about the overall process and the annual certification question, see Internal Control Annual Certification Process.
Fiscal Year 2023 Question
My unit is regularly reviewing and remediating critical vulnerabilities within the timeframes specified in the Vulnerability Management (DS-21) standard.
Responses to FY23 Question
All units should be able to respond Yes or Partial to the FY23 question.
- Yes. My unit consistently meets the Vulnerability Management (DS-21) standard’s timeframes for reviewing and remediating critical vulnerabilities.
- Partial. My unit often meets the Vulnerability Management (DS-21) standard’s timeframes for reviewing and remediating critical vulnerabilities.
- No. My unit consistently does not meet the Vulnerability Management (DS-21) standard’s timeframes for reviewing and remediating critical vulnerabilities.
Guidance for Responding to the Question
To manage software and network vulnerabilities and protect university data and systems, Information Assurance (IA) conducts regular vulnerability scans. These automated scans are designed to identify software vulnerabilities, missing system patches, and improper configurations.
Units receive scan results and recommendations from IA. In addition, units are notified of new vulnerabilities that are posted as Security Alerts and sent via email to appropriate IT staff groups.
According to the Vulnerability Management (DS-21) standard, critical vulnerabilities (those rated 9-10 under NIST's Common Vulnerability Scoring System (CVSS)) should have an action plan within two weeks of receipt of scan results and be remediated within a month of receipt of scan results.
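One way a unit could track its own standing against these DS-21 timeframes, added here as an illustration (not code from the standard or from IA's tooling); the 30-day reading of "a month", the sample findings, and the Yes/Partial/No mapping are assumptions:

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Thresholds from the DS-21 text quoted on this page. "Within a month" is read
# here as 30 days (assumption; confirm against the standard itself).
CRITICAL_CVSS_MIN = 9.0
ACTION_PLAN_WINDOW = timedelta(days=14)
REMEDIATION_WINDOW = timedelta(days=30)

@dataclass
class Finding:
    host: str
    cvss: float
    received: date                     # date the scan results were received
    plan_filed: Optional[date] = None  # None = no action plan yet
    remediated: Optional[date] = None  # None = still open

def status(f: Finding, today: date) -> str:
    """Classify one finding against the DS-21 critical-vulnerability timeframes."""
    if f.cvss < CRITICAL_CVSS_MIN:
        return "not_critical"  # the critical timeframes do not apply
    plan_due = f.received + ACTION_PLAN_WINDOW
    fix_due = f.received + REMEDIATION_WINDOW
    # Late if the step happened after its deadline, or is still missing (None -> today).
    if (f.plan_filed or today) > plan_due:
        return "plan_overdue"
    if (f.remediated or today) > fix_due:
        return "remediation_overdue"
    return "ok"

def certification_answer(findings, today: date) -> str:
    """Assumed mapping to the FY23 responses: Yes = all critical on time, Partial = more than half, else No."""
    critical = [status(f, today) for f in findings if f.cvss >= CRITICAL_CVSS_MIN]
    on_time = sum(1 for s in critical if s == "ok")
    if on_time == len(critical):
        return "Yes"  # includes the case of no critical findings at all
    return "Partial" if on_time * 2 > len(critical) else "No"

# Constructed sample scan results (hosts and scores are made up).
TODAY = date(2023, 3, 31)
SAMPLE = [
    Finding("web-01", 9.8, date(2023, 3, 1), date(2023, 3, 10), date(2023, 3, 20)),
    Finding("db-02", 9.1, date(2023, 3, 1), date(2023, 3, 12), date(2023, 3, 28)),
    Finding("app-03", 10.0, date(2023, 2, 1), date(2023, 2, 10)),  # open past 30 days
    Finding("file-04", 7.5, date(2023, 3, 1)),                     # high, not critical
]
for f in SAMPLE:
    print(f.host, status(f, TODAY))
print("FY23 answer:", certification_answer(SAMPLE, TODAY))
```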
Supporting Materials
Answers to Your Questions
Security Unit Liaisons (SULs) can send questions to [email protected]. Information Assurance will post answers here to any inquiries received about this year's certification question.