Vulnerability management (Gina Cody School)
The procedures outlined below regulate machines allowed to receive network traffic initiated by devices outside the ENCS network:
- All security holes will be reported by e-mail to the responsible person (RP; for example, the computer owner), the Admin (technical admin contact, lab admin or a designated graduate student) and the user recorded in the network database.
- Machines with already exploited holes will have their network connection blocked or will be placed in "network quarantine", depending on the severity of the case.
- If a machine/port has a remotely exploitable hole allowing the execution of arbitrary code and for which an exploit is known to be publicly available, it will be blocked at the firewall immediately. Accessibility will only be reestablished when the vulnerability no longer exists.
- If a machine/port has a remotely exploitable hole allowing execution of arbitrary code and for which no exploit is known to be publicly available, the RP/Admin/User will be allowed a grace period of 5 working days to fix the problem. If after the grace period the vulnerability still exists, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
- If a machine/port has a vulnerability that is NOT remotely exploitable, or does NOT permit the execution of arbitrary code, the RP/Admin/User will be allowed a grace period of 30 days to fix the problem. If after the grace period the vulnerability still exists, the RP/Admin/User will be notified by e-mail and access to the vulnerable port(s) will be blocked immediately at the firewall, with accessibility only reestablished when the vulnerability no longer exists.
- Outward-facing ports must permit Nessus vulnerability scans. If no Nessus scan is accepted for 30 days, the firewall exception for that port is removed.
- In individual cases, full-time ENCS network administration staff and full-time faculty members may negotiate modifications to the terms, conditions or procedures above, with the modifications recorded, to support ongoing research projects.
- Notwithstanding any of the points above, Concordia's IT department may, as permitted in their mandate, take any special action required to protect the security and integrity of the ENCS network.
- A dispute regarding the application of policy as expressed above may be brought by a faculty member to the Director or the Associate Director of AITS for timely resolution.