Vulnerability Management

To manage software and network vulnerabilities and protect university data and systems, Information Assurance (IA) works in partnership with units to identify vulnerabilities and ensure remediation in compliance with Vulnerability Management (DS-21).

Scanning

  • IA conducts regular vulnerability scans. These automated scans are designed to identify software vulnerabilities, missing system patches, and improper configurations. All U-M networks are scanned quarterly, and units can request on-demand and more frequent scans at no charge. See Vulnerability Scanning Services.
  • Units receive scan results and recommendations from IA. See a Sample IA Scan Report.

Notifications

  • IA alerts units to new vulnerabilities. IA tracks reports of new vulnerabilities, posts information about them at Security Alerts, and sends that information via email to appropriate IT staff groups.
  • Units are expected to follow IA recommendations for addressing newly discovered vulnerabilities.

Remediation of Vulnerabilities

  • Units remediate unit vulnerabilities. Units are expected to prioritize and remediate vulnerabilities within a timeframe based on the severity of the vulnerability. See Vulnerability Remediation.
  • Units are expected to routinely update unit software and systems and apply vendor security patches after appropriate testing.
  • U-M IT providers, such as Information & Technology Services (ITS) and Health & Information Technology Services (HITS), are expected to remediate vulnerabilities in the services they provide and to routinely update software and systems and apply vendor security patches after appropriate testing.

Support and Consultation

The IA Vulnerability Management team offers support and consultation. Contact the team through the ITS Service Center.