Vulnerability Management
Introduction
This Directive outlines standards for the Concordia community to support Coordinated Vulnerability Disclosure (CVD) and Vulnerability Management (VM) processes. The directive applies to all university digital assets and aims to establish a standardized approach to vulnerability management, aligned with Quebec government principles.
Why is this required?
The Chief Information Security Officer issued this Directive under the Information Security Policy (VPSS-33). VPSS-33 is adopted in accordance with the Directive sur la sécurité de l’information gouvernementale (section 7), which requires public bodies to adopt and implement a policy on the security of information.
What this means for you
This Directive establishes rules and procedures for handling IT vulnerabilities at Concordia and applies to all University digital assets, including but not limited to information systems, network infrastructure, servers, desktop computers, laptops, mobile devices, and operating systems. It covers both cloud-based and on-premises solutions across all departments and units, for all Concordia-owned assets. The aim is to manage vulnerabilities effectively and consistently across departments, in line with government guidelines.
Key points include:
- Roles and responsibilities for the CISO, IITS Security Team, and IT Staff.
- Processes for identifying, logging, and mitigating vulnerabilities through CVD and VM processes.
- Criteria for assessing the severity of vulnerabilities and determining remediation timeframes.
- Guidelines for urgent situations requiring immediate action.
- Validation of mitigation efforts and record-keeping.
The directive also outlines the responsibility for implementing, auditing, and reviewing compliance with these rules, ensuring they meet internal and external standards.
Feedback
The Chief Information Security Officer is responsible for implementing, reviewing, and approving this Directive and for conducting regular reviews to ensure compliance with internal and external requirements. If you have any feedback or questions about this Directive, please email ciso@concordia.ca.
For accessibility-related questions or feedback related to IT security incidents, email iits-accessibility@concordia.ca.