Standard number: DS-21
Date issued: 3/5/2018
Date last updated: 7/1/2026
Date last reviewed: 7/1/2026
Date of next review: 7/1/2028
Version: 2.0
Approval authority: Vice President for Information Technology and CIO
Responsible office: Information Assurance
This Standard supports and supplements the Information Security (SPG 601.27) policy. It will be periodically reviewed and updated as necessary to meet emerging threats, changes in legal and regulatory requirements, and technological advances.
I. Overview
Vulnerabilities within networks, software applications, and operating systems are an ever present threat. Vulnerability management is a critical component of the university’s information security program, and is essential to help reduce financial, reputational and regulatory risks.
Vulnerability scanning of systems and applications on U-M networks is an automated process that identifies vulnerabilities due to server or software misconfigurations, improper file settings, or outdated software versions. Regular vulnerability scanning, along with timely and consistent implementation of security patches and other mitigation measures, are critical components in protecting the U-M network, systems, and data from damage or loss, as well as meeting regulatory and compliance requirements.
This Standard establishes a framework for vulnerability management at the University of Michigan, including:
- Deployment of the enterprise vulnerability management system.
- Scanning frequency.
- Classification and prioritization of vulnerabilities.
- Vulnerability remediation requirements.
Vulnerability scanning is limited to reviewing system and application configuration, and does not open or review content found in email or digital documents.
Federal or state regulations, industry standards, or contractual agreements may require additional measures that exceed those included in this Standard.
II. Scope
This standard applies to the Ann Arbor campus, Michigan Medicine, UM-Dearborn, UM-Flint, and all affiliates. It applies to all faculty, staff, workforce members, and sponsored affiliates connecting to university-owned and managed networks.
This standard applies to all systems that connect to university-owned and managed networks, including personally owned devices as defined in Security of Personally Owned Devices That Access or Maintain Sensitive University Data (SPG 601.33).
III. Standard
Enterprise Vulnerability Management System
To ensure the university’s ability to identify and remediate vulnerabilities, all university-owned systems, regardless of location and the sensitivity level of institutional and research data they create, process, maintain, transmit, or store, must have the enterprise vulnerability management system installed.
Vulnerability Scanning Frequency
Monthly University Scanning: All systems, databases, and applications connecting to university-owned and managed networks must be scanned on a monthly basis. IA performs routine monthly vulnerability scans on the entire network IP address space registered to U-M. U-M units can request that IA conduct additional or more frequent scans.
Vulnerability Prioritization and Remediation
Vulnerabilities are classified into priority levels informed by multiple considerations, including threat level, exposure, asset criticality, and compensating controls.
Vulnerabilities must be resolved within the following timeframes from the time a remediation is available:
| Priority Level | Resolved Within |
| Urgent | 2 Weeks |
| Critical | 1 Month |
| High | 3 Months |
See Vulnerability Remediation guidance for definition of priority levels.
IA may require faster action and resolution for specific vulnerabilities based on the level of risk they introduce.
Vulnerabilities with lower priority levels can be resolved based on availability of staff resources to address them.
Note: Vulnerability scanning reports are IT security information and classified as High sensitivity.
Exception Process
In limited situations, some systems may not be compatible with requirements in this standard, for example when:
- Systems have conflicts that prevent the installation of the enterprise vulnerability management system.
- A specific technical or business limitation prevents the remediation of vulnerabilities within the timeframes specified in this standard.
These situations must be documented by units and reviewed by IA.
Follow the Vulnerability Remediation guidance for details on how to document and submit requests for exceptions to requirements in this standard.
IV. Roles and Responsibilities
University Chief Information Security Officer (CISO)
- Take action to ensure that unremediated systems or applications do not pose a threat to U-M information resources.
- Authorize blocking of systems or applications from the U-M network when a critical vulnerability is not properly remediated within the required timeframe.
ITS Information Assurance (IA)
- Administer the enterprise vulnerability management system.
- Conduct routine enterprise-wide scans of devices connected to U-M networks.
- Provide assistance in prioritizing and interpreting scan results, reporting false positives, troubleshooting scan issues.
- Issue alerts and advisories about known vulnerabilities.
- Recommend remediation based on information from vendors, reliable websites, MS-ISAC, U.S. CERT, and other trusted information security sources.
IT Staff
IT Staff include centralized services providers, responsible for core infrastructure like managed operating systems and centralized software catalogs, and unit-based administrators, responsible for specialized software, local configurations, and device connectivity.
- Ensure the implementation of the enterprise vulnerability management system.
- Coordinate the program for respective management domains.
- Monitor systems and applications for vulnerabilities and assess and timely apply vendor-supplied security patches and other remediations.
- Communicate to unit leadership if university-owned systems and applications in their units are at a high, critical or urgent risk of vulnerability exploitation.
- In consultation with IA, choose to impose stricter unit requirements for vulnerability management than specified in this standard.
End Users
- For university-owned devices, run available updates, reboot the system when necessary, allow patches to run, and cooperate with IT staff as needed.
- For personally owned devices that connect to university-owned and managed networks or university-owned systems, maintain up-to-date device-appropriate security safeguards.
V. Violations and Sanctions
Violations of this Standard may result in disciplinary action up to and including suspension or revocation of computer accounts and access to networks, non-reappointment, discharge, dismissal, and/or legal action. In addition, the connectivity of machines and servers to the U-M network that do not comply with this Standard may be limited or disconnected.
Discipline (SPG 201.12) provides for staff member disciplinary procedures and sanctions. Violations of this policy by faculty may result in appropriate sanction or disciplinary action consistent with applicable university procedures. If dismissal or demotion of qualified faculty is proposed, the matter will be addressed in accordance with the procedures set forth in Regents Bylaw 5.09. In addition to U-M disciplinary actions, individuals may be personally subject to criminal or civil prosecution and sanctions if they engage in unlawful behavior related to applicable federal and state laws.
Any U-M department or unit found to have violated this policy may be held accountable for the financial penalties, legal fees, and other remediation costs associated with a resulting information security incident and other regulatory non-compliance.
VI. Implementation
ITS Information Assurance is responsible for the implementation, maintenance, and interpretation of this Standard.
VII. References
- Information Security Policy (SPG 601.27)
- Security of Personally Owned Devices That Access or Maintain Sensitive University Data (SPG 601.33)
- Vulnerability Scanning Capabilities
- Vulnerability Management
VIII. Related NIST Security Controls
- NIST SP 800-53 Revision 5
- RA-05 Vulnerability Scanning
- SI-02 Flaw Remediation