Description
Applicability
-
A Unit head, or designee, will ensure that all information resources that connect to the University’s network undergo periodic security vulnerability assessments conducted centrally by the University's Division of Information Technology.
Implementation
-
1
A vulnerability assessment may include assessment(s) of any of the following information resources:
-
1.1
Network(s)
-
1.2
Operating system(s)
-
1.3
Application(s)
-
1.1
-
2
The Division of Information Technology security team is authorized to conduct security vulnerability and network scanning of devices attached to the University network on a periodic basis, or when significant new vulnerabilities potentially affecting the system are identified and reported. Information gathered from such scans will be used for assessing and managing security, which includes:
-
2.1
Notifying owners/custodians of vulnerabilities,
-
2.2
Identifying incorrectly configured systems,
-
2.3
Assessing vulnerability impact and overall risk to the University,
-
2.4
Taking necessary actions to reduce risk to the University,
-
2.5
Responding to cybersecurity incidents,
-
2.6
Validating firewall access requests, and
-
2.7
Gathering network census data.
-
2.1
-
3
Custodians of information resources found to be vulnerable will be contacted concerning any identified risk. The custodian is responsible for ensuring that the identified risk is remediated in a timely manner.
-
4
If identified vulnerabilities are not remediated, the affected information resource(s) may be isolated or disconnected from the campus network by the Division of Information Technology security team.
-
4.1
Information resources having security vulnerabilities with a CVSS score greater than 6.9 ("High or "Critical" severity):
-
4.1.1
Must be remediated within seven days of notification to maintain open ports through the campus firewall; and
-
4.1.2
Must be remediated within 30 days of notification to maintain access to the campus network.
-
4.1.1
-
4.2
Information resources having security vulnerabilities with a CVSS score less than 7.0 ("Medium" or "Low" severity):
-
4.2.1
Must be remediated within 30 days of notification to maintain open ports through the campus firewall; and
-
4.2.2
Must be remediated within 60 days of notification to maintain access to the campus network.
-
4.2.1
-
4.1
-
5
Vulnerability and network scanning of devices attached to the university's network may only be conducted by the Division of Information Technology or a person authorized by the CISO or designee. Scanning conducted by entities other than the Technology Services security team may not transit a router maintained by Technology Services without permission from the CISO or designee.
-
6
Vulnerability and network scanning may not be conducted by students, including student systems in Residence Halls. There is no coursework or extracurricular activity that is exempt from this prohibition.