Vulnerability Management

Vulnerability Management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. Proactively managing the vulnerabilities of systems reduces or eliminates the potential for exploitation and involves considerably less time and effort than responding to an incident after an exploitation has occurred.

Vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies—for example, to gain greater access or permission than is authorized on a computer. There are three primary methods of remediation: installation of a software patch, adjustment of a configuration setting, and removal of affected software.

Our Role

The role of Georgia Tech Cyber Security is to monitor for high-severity vulnerabilities and threats, and to communicate relevant remediation information to system administrators. The system we use categorizes vulnerabilities into levels of severity from 4 (lowest) to 1 (highest). While severity 3, 2, and 1 vulnerabilities are often due to actual exploitable code present in software, most severity 4 vulnerabilities are informational or due to misconfiguration of systems, servers, and firewalls. Severity 4 findings are typically the most prevalent vulnerabilities on a system and the most easily remediated.

To review our list of standard configurations, please visit the following:
https://stats.security.gatech.edu/gtonly/benchmarks/

To improve our visibility into vulnerabilities impacting campus, please install the Qualys Cloud Agent (QCA) onto institute-owned machines by visiting:
https://software.oit.gatech.edu/

Please see the following page for detailed QCA installation instructions:
https://security.gatech.edu/qualys-cloud-agent

Maturity Model

To better understand the state of vulnerability management, we use the maturity model described at the following link to measure program maturity:
https://www.coresecurity.com/blog/krebs-on-security-maturity-models-and-a-roadmap-for-vulnerability-management

What the Vulnerability Management Process is Not

A replacement for patch management.

Patch management is the baseline all Information Technology organizations must meet and will be treated as such. This means that the owner (whether an individual or a group) of each machine is responsible for keeping that machine secure through a patch management program. Vulnerability management is maintained for critical incidents, such as a high-profile vulnerability that should be patched outside of the normal process because of its high severity and the likelihood that exploits will be developed rapidly. In such cases, your patch management program must be able to handle patch deployment on a drastically reduced time scale.

The Cyber Security Policy and the Data Protection Safeguards dictate that all institute assets (operating systems, applications, etc.) deploy security patches within 30 days of release; a policy exception is required if this standard can’t be met. To submit a policy exception request, please visit:
https://b.gatech.edu/exception

For more information on developing a patch management program that meets Institute requirements and follows best practices, visit:
https://security.gatech.edu/patch-management