SI.L1-B.1.XII
Flaw Remediation

FCI Data

Security Requirement

Identify, report, and correct information and information system flaws in a timely manner.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

Devices must meet security standards including updates, configurations, and vulnerability protections. IT staff are responsible for applying patches and maintaining system integrity.

NIST Cybersecurity Framework v2

  • Protect (PR): PR.AA-01 - Identities are managed for authorized users, processes, and devices.
  • Protect (PR): PR.AA-03 - Access to assets and associated facilities is limited to authorized users, processes, and devices.

Implementation Details

Documentation should include enough detail to show how the Security Requirement for this control is met. Complete this list for each system, or group of systems, that processes or accesses FCI data:

  • List how system and software flaws (vulnerabilities) are identified (e.g., vulnerability scanning, vendor alerts).
  • List the process for reporting and tracking identified vulnerabilities.
  • List how patches and updates are tested and applied, and who is responsible.
  • List any additional tools, schedules, or review procedures related to system flaw remediation.

Document How

  • the time within which to identify system flaws is specified
  • system flaws are identified within the specified time frame
  • the time within which to report system flaws is specified
  • system flaws are reported within the specified time frame
  • the time within which to correct system flaws is specified
  • system flaws are corrected within the specified time frame
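The six objectives above reduce to one check that can be run against the organization's own records: for every finding, was it identified, reported and corrected inside the time frames the organization has specified? The Python below is an added illustration of that check, not USU's code or process. It evaluates a few constructed findings against a hypothetical SLA table; the 30-day figure for high-risk issues matches the example later on this page, while the other time frames, the 14-day identification window, the record fields and the host names are assumptions.

```python
"""Remediation-timeline check for flaw remediation (SI.L1-B.1.XII).

Each Finding is one vulnerability with the dates on which it was identified
(scan or vendor alert), reported (ticket opened) and corrected (patch applied
and verified). SLA_DAYS holds the time frames the organization has specified;
evaluate() says whether a finding met each of them, which is the evidence the
"Document How" objectives ask for.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical time frames in days, by severity. Only the 30-day figure for
# high-risk issues comes from this page; the rest is assumed for illustration.
SLA_DAYS = {
    "critical": {"report": 1, "correct": 7},
    "high":     {"report": 2, "correct": 30},
    "medium":   {"report": 5, "correct": 90},
    "low":      {"report": 10, "correct": 180},
}
# Assumed maximum gap between a vendor advisory being published and the flaw
# being identified on the organization's own systems (e.g. by the next scan).
IDENTIFY_DAYS = 14


@dataclass
class Finding:
    finding_id: str
    host: str
    severity: str
    published: date             # vendor advisory publication date
    identified: date            # scanner or alert flagged it locally
    reported: Optional[date]    # ticket opened; None = never reported
    corrected: Optional[date]   # patch verified; None = still open


def evaluate(f: Finding, today: date) -> dict:
    """Pass/fail for each of the three specified time frames for one finding.

    A step that has not happened yet is judged against today, so an open
    finding fails as soon as its deadline passes rather than when it closes.
    """
    sla = SLA_DAYS[f.severity]
    report_end = f.reported or today
    correct_end = f.corrected or today
    return {
        "finding_id": f.finding_id,
        "host": f.host,
        "severity": f.severity,
        "identified_in_time": (f.identified - f.published).days <= IDENTIFY_DAYS,
        "reported_in_time": (report_end - f.identified).days <= sla["report"],
        "corrected_in_time": (correct_end - f.identified).days <= sla["correct"],
        "open": f.corrected is None,
        "days_open": (correct_end - f.identified).days,
    }


def overdue(findings, today: date) -> list:
    """Findings that missed at least one specified time frame."""
    rows = (evaluate(f, today) for f in findings)
    return [r for r in rows
            if not (r["identified_in_time"] and r["reported_in_time"]
                    and r["corrected_in_time"])]


# Constructed sample records (hypothetical hosts and dates, not real scan data).
SAMPLE = [
    # identified 4 days after publication, ticketed same day, fixed in 7 days
    Finding("F-1001", "lab-web-01", "high",
            date(2024, 3, 1), date(2024, 3, 5), date(2024, 3, 5), date(2024, 3, 12)),
    # critical fixed after 14 days: misses the 7-day correction window
    Finding("F-1002", "lab-db-01", "critical",
            date(2024, 3, 10), date(2024, 3, 11), date(2024, 3, 11), date(2024, 3, 25)),
    # noticed 30 days after the advisory: identification window missed; still open
    Finding("F-1003", "researcher-mac-07", "medium",
            date(2024, 1, 2), date(2024, 2, 1), date(2024, 2, 1), None),
    # identified but never ticketed: reporting window missed once 10 days pass
    Finding("F-1004", "lab-web-02", "low",
            date(2024, 3, 1), date(2024, 3, 8), None, None),
]
TODAY = date(2024, 4, 1)

if __name__ == "__main__":
    for r in overdue(SAMPLE, TODAY):
        missed = [k for k in ("identified_in_time", "reported_in_time",
                              "corrected_in_time") if not r[k]]
        print(f'{r["finding_id"]} {r["host"]} {r["severity"]:8} '
              f'open={r["open"]} days_open={r["days_open"]} missed={missed}')
```

Run against real scan exports and ticket data, the `overdue` list is what an auditor's "follow the remediation timeline" test would surface; keeping the dated output with the scan reports gives the remediation log the Objects list below asks for.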

Example

USU conducts vulnerability scans of its systems. IT administrators subscribe to vendor alerts for critical systems and software, and any high-risk issues are prioritized for patching within 30 days. Patch management is coordinated through centralized tools for both servers and endpoints. Documentation is maintained for scan results, patch schedules, and remediation status.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints.
  • Enforces security policies, deploys software updates, ensures disk encryption, and maintains device compliance reporting.
How it helps a researcher:
  • Ensures research devices are consistently secured and compliant with institutional requirements.
  • Automates critical security tasks like patching, antivirus enforcement, and encryption.
Example:
  • A macOS laptop in a research lab is managed through Jamf. It receives updates, enforces FileVault encryption, and restricts unapproved software. Non-compliant systems are flagged and restricted from accessing sensitive research systems.

Vulnerability Scanning Tools

What it does:
  • Scans endpoints, servers, and services for known vulnerabilities, outdated software, and misconfigurations.
How it helps a researcher:
  • Ensures research systems are routinely checked for vulnerabilities that could be exploited to access FCI.
  • Helps prioritize patching efforts and reduce the attack surface of sensitive systems.
Example:
  • A scan identifies an outdated web framework on a lab server. IT applies the update within 7 days and documents the remediation per university policy.

Security Awareness Training

What it does:
  • Provides training on cybersecurity topics such as phishing, password hygiene, data handling, and physical security.
  • Includes phishing simulations to reinforce learning and test user resilience.
How it helps a researcher:
  • Empowers researchers to recognize and respond to threats like phishing and social engineering.
  • Ensures users understand their role in protecting FCI and university systems.
Example:
  • A researcher receives a suspicious email and, recalling recent training, reports it. The message is identified as part of a targeted campaign and blocked for others.

Vendor Notification Subscriptions

What it does:
  • Provides alerts from software and hardware vendors about vulnerabilities, patches, and security advisories.
How it helps a researcher:
  • Enables IT staff to proactively apply updates and reduce exposure to known exploits.
  • Helps maintain compliance with patch management requirements for protecting FCI.
Example:
  • USU IT receives a Microsoft alert about a zero-day vulnerability that is already being exploited. They prioritize patching all affected research systems ahead of the normal patch cycle and record the remediation.

USU Services that could be leveraged to meet control requirements include*:

*The list of services may not be complete or applicable for a given configuration. Use of a given service does not by itself satisfy control requirements and may require specific configuration to meet them. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review patch management policies, vulnerability scan results, and remediation logs.
  • Interview:
    • Ask IT staff how vulnerabilities are discovered, prioritized, and patched.
  • Test:
    • Review sample scan results and follow the remediation timeline and documentation trail.

Objects (examples of items you could present to the auditor)

  • Vulnerability Scan Reports: With dates and issue severity.
  • Patch Management Policies: Describing update schedules and responsibilities.
  • Remediation Logs: Tracking patching and mitigation activity.
  • Test/Approval Records: For patch testing prior to deployment.
  • Ticketing System Records: Showing vulnerability reports and resolution tracking.
  • Vendor Advisory Subscriptions: Showing proactive flaw identification sources.