Skip to main content
Next-Gen. Now.
The Campaign for Concordia
Concordia University
Concordia University

IT Services

IT Services

Vulnerability Management

Introduction

This Directive outlines standards for the Concordia community to support Coordinated Vulnerability Disclosure (CVD) and Vulnerability Management (VM) processes. The directive applies to all university digital assets and aims to establish a standardized approach to vulnerability management, aligned with Quebec government principles.

Why is this required? The Chief Information Security Officer issued this Directive under the Information Security Policy (VPS-33). VPS-33 is adopted in accordance with the Directive sur la sécurité de l’information gouvernementale (section 7) which requires public bodies to adopt and implement a policy on the security of information.

What this means for you

This directive establishes rules and procedures for handling IT vulnerabilities at Concordia and applies to all University digital assets including but not limited to information systems, network infrastructure, servers, desktop computers, laptops, mobile devices, operating systems, etc. It includes both cloud-based and on-premises solutions across all departments and units for all Concordia-owned assets. The aim is to manage vulnerabilities effectively and consistently across departments, aligning with government guidelines.

Key points include:

  • Roles and responsibilities for the CISO, IITS Security Team, and IT Staff.
  • Processes for identifying, logging, and mitigating vulnerabilities through CVD and VM processes.
  • Criteria for assessing the severity of vulnerabilities and determining remediation timeframes.
  • Guidelines for urgent situations requiring immediate action.
  • Validation of mitigation efforts and record-keeping.

The directive also outlines the responsibility for implementing, auditing, and reviewing compliance with these rules, ensuring they meet internal and external standards.

Read the full Directive on Vulnerability Management

Feedback

The Chief Information Security Officer is responsible for implementing, reviewing, and approving this Directive and for conducting regular reviews to ensure compliance with internal and external requirements. If you have any feedback or questions about this Directive, please email ciso@concordia.ca

For accessibility-related questions or feedback related to IT security incidents, email iits-accessibility@concordia.ca.

Contact the service desk

Get user support and technical help

514-848-2424, ext. 7613
help@concordia.ca

Submit a ticket
More info

REPORT AN INCIDENT

If you feel something unsafe has occurred to your computer or network, please report the incident immediately.

Complete the form
 
Back to top

© Concordia University