The university conducts penetration testing of information resources based on risk management decisions. Penetration testing can be conducted internally or externally on the hardware, software, or firmware components of a system and can exercise both physical and technical controls.


  • The intended audience includes the Chief Information Security Officer (CISO), information resource owners and custodians.


  • 1

    It is the responsibility of the information resource owner to request penetration testing, based on risk management decisions

  • 2

    The Technology Services security team is authorized to coordinate with information resource owners to conduct penetration tests of information systems that store or process university data. Information gathered from such tests will be used for assessing and managing security.

  • 3

    Before deploying a website or mobile application that may process critical or confidential data, the information resource owner or custodian must request a vulnerability scan (See RA-5) and penetration test (See RA-2) conducted by the Technology Services security team.