Information Security

Vulnerability and Patch Management Overview

Last modified 7/7/2025

Introduction

Vulnerability management is the process by which vulnerabilities identified through scanning are tracked, evaluated, prioritized, and managed until they are remediated or otherwise appropriately resolved (for example, mitigated by a compensating control or accepted as a documented risk). Managing the vulnerabilities identified during scans ensures that appropriate actions are taken to reduce the likelihood that they are exploited, and thereby reduces the risk of compromise to the confidentiality, integrity, and availability of information assets.

Security patch management (patch management) is a practice designed to proactively prevent the exploitation of known vulnerabilities in an organization's IT systems. By applying security-related software or firmware updates (patches) to the applicable IT systems on a defined schedule, the expected result is less time and money spent managing vulnerabilities and responding to security incidents.

As covered in the overviews below, the documents listed in this KB are ranked in order of precedence. ISU Policy documents provide authority and enforceability to playbooks and standards. The playbooks come next and govern the highest-risk vulnerabilities. The Vulnerability Management Standard follows the playbooks, and the Patch Management Standard follows the Vulnerability Management Standard. Team or departmental standards, processes, procedures, and baselines ("Configuration Management") come last and must align with the University policies, playbooks, and standards above them. When two documents both apply to a vulnerability, the higher-ranking document controls.

This document provides guidance on the various policies, playbooks, and standards related to vulnerability and patch management. Reference the original documents for authoritative information.

Document Overviews

  • ISU Policies

9.2 Policy on Appropriate Use of Information Technology Resources and Systems

9.8 Information Security Program Policy

The 9.2 Appropriate Use Policy establishes a University Policy on the appropriate use of information technology resources. The policy ensures that information technology resources are used and maintained in furtherance of the University mission, and it mandates compliance with applicable legal and regulatory requirements.

The 9.8 Information Security Program Policy establishes a University security program and grants authority to the Information Security Office to publish documentation in furtherance of the security program, such as standards and playbooks. The policy also creates an enforcement mechanism for vulnerability and patch management standards and playbooks.

  • High Risk Vulnerability Response Playbook


The High Risk Vulnerability Response Playbook is the highest-ranking vulnerability document, superseding the Urgent Risk Playbook and the standards as necessary. This playbook manages the risk of the most critical vulnerabilities, which often require immediate remediation.
  • Urgent Risk Vulnerability Response Playbook


The Urgent Risk Vulnerability Response Playbook is the second-highest-ranking vulnerability document. It supersedes the standards as necessary but not the High Risk Playbook. This playbook manages high-risk vulnerabilities, which often require prompt remediation.

  • Vulnerability Management Standard


The Vulnerability Management Standard establishes the obligation to perform vulnerability management for ISU systems and to remediate vulnerabilities that meet specific criteria. This standard manages vulnerabilities below the risk level handled by the response playbooks but above the risk level handled by the Patch Management Standard.

  • Patch Management Standard


The Patch Management Standard establishes the obligation to perform routine security patch management for ISU systems. This standard manages risk below the level handled by the response playbooks and the Vulnerability Management Standard.

  • Other Configuration Documents

Other configuration documentation that is not a formal standard may be published by the Information Security Office and has the lowest precedence. Local IT teams are empowered and encouraged to create configuration documentation (processes, procedures, standards, baselines, etc.) that aligns with the security program and tactically extends the requirements above to local teams.

Flow Diagram

This diagram illustrates the high-level relationship between the documents and summarizes the criteria for determining which document applies to a given vulnerability. Reference the original documents for authoritative information.

[Image: Standard Management Diagram]

Additional Information

Supporting References

The following references informed the development of this guidance:

Appropriate Use Policy: https://policy.illinoisstate.edu/technology/9-2/

Information Security Program Policy: https://policy.illinoisstate.edu/technology/9-8/

Vulnerability Playbooks: High Risk Vulnerability Response Playbook; Urgent Risk Vulnerability Response Playbook

NIST SP 800-40 Rev. 4, Guide to Enterprise Patch Management Planning: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r4.pdf

NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations: https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final

CIS Controls v8.1: https://www.cisecurity.org/controls/v8-1

CIS Patch Management Standard: https://www.cisecurity.org/-/media/project/cisecurity/cisecurity/data/media/files/uploads/2020/06/Patch-Management-Standard.docx

CIS Vulnerability Management Standard: https://www.cisecurity.org/-/media/project/cisecurity/cisecurity/data/media/files/uploads/2020/06/Vulnerability-Scanning-Standard.docx
