Vulnerability Management

A vulnerability is defined in the ISO/IEC 27002 standard as "a weakness of an asset or group of assets that can be exploited by one or more threats."

Vulnerability Management (VM) is the process in which vulnerabilities in IT systems are identified and the risks they pose are evaluated. This evaluation leads either to correcting the vulnerabilities and removing the risk, or to a formal risk acceptance by the management of an organization (e.g., when the impact of an attack would be low or the cost of correction would outweigh the possible damage to the organization). Vulnerability management is the process surrounding vulnerability scanning, and it also takes into account other aspects such as risk acceptance and remediation.

VM Program Team

The UMIT ISO's VM Program Team conducts routine scans of devices connected to the University of Miami Network resources to identify system and application vulnerabilities.

Why Do We Need Vulnerability Management?

The continued growth of cyber-crime and its associated risks is forcing most organizations to pay more attention to information security. A vulnerability management process should be part of an organization’s effort to control information security risks. This process allows an organization to maintain a continuous overview of the vulnerabilities in its IT environment and the risks associated with them. Only by identifying and mitigating vulnerabilities in the IT environment can an organization prevent attackers from penetrating its networks and stealing information.

Today, most universities see only about 40% of their systems through their network scans. The Vulnerability Management Project can broaden our network scanning capabilities and introduce credentialed scanning for a deeper look into the layers of our network. It will also provide role-based reporting, identify security gaps, and allow for remediation.

The VM Process

A vulnerability management process consists of five phases:

  1. Preparation
  2. Vulnerability scan
  3. Define remediating actions
  4. Implement remediating actions
  5. Rescan

We require all administrators of systems connected to UM networks to routinely review the results of vulnerability scans and to evaluate, test, and mitigate system and application vulnerabilities appropriately. If an administrator believes a reported vulnerability is a false positive, they should consult our office to verify it.

When conducting university business on the UM network, vulnerabilities must be remediated. This includes technical vulnerabilities related to the security configuration of devices, security updates for the operating system, and updates for all software applications. Take the steps advised by the ISO VM Program Team to remediate the vulnerabilities identified.

Remediation may include one or more of the following:

  • Patching or upgrading vulnerable software (the plan should include testing the patch/upgrade)
  • Replacing the vulnerable software with a different product
  • Consolidating or moving to a more controlled environment
  • Changing the system configuration: 
    • Disabling or turning off the vulnerable service
    • Disabling a specific vulnerable feature or capability within the service
  • Setting, changing, or using a more complex password
  • Limiting access using a firewall or filter
  • Increasing monitoring to detect anomalies
  • Raising awareness of the vulnerability with users

Depending on the urgency with which the vulnerability needs to be addressed, the actions taken should be carried out as directed by the Information Security Office, according to university security policies, procedures (including the Network Vulnerability Scanning and Penetration Testing Procedure), and other escalation processes.

Request A Scan

To request the services of the Vulnerability Management Program, please submit a service ticket through the UMIT IT Service Management System (UService) and assign it to Security Compliance.

For assistance, please contact the UMIT Service Desk: