Description

This Control addresses how the university scans for security vulnerabilities in information resources to prevent inappropriate or unauthorized access to information systems.
Draft Guidance

ADDED

  • Section 2.3 is added to clarify that vulnerability scanning is used to assess vulnerability impact and risk to the university
  • Section 2.4 is added to specify that results of vulnerability scanning shall be used to inform actions to reduce risk to the university
  • Section 2.5 is added to specify that vulnerability scanning may inform responses to cybersecurity incidents
  • Section 4 includes new subsections to clarify how security vulnerability severity is categorized and the timeframe for remediation
  • Section 4.1 addresses High or Critical Severity
  • Section 4.2 addresses Medium or Low Severity

REMOVED

  • Original Section 2 is deleted, as the modified Applicability describes the role of the Division of IT

MODIFIED

  • Applicability is revised to reflect that the Division of IT conducts security vulnerability assessments across campus.

Applicability

  • A Unit head, or designee, will ensure that all information resources that connect to the University's network undergo periodic security vulnerability assessments conducted centrally by the University's Division of Information Technology.

Implementation

  • 1. A vulnerability assessment may include assessment(s) of any of the following information resources:
    • 1.1 Network(s)
    • 1.2 Operating system(s)
    • 1.3 Application(s)

  • 2. The Division of Information Technology security team is authorized to conduct security vulnerability and network scanning of devices attached to the University network on a periodic basis, or when significant new vulnerabilities potentially affecting the system are identified and reported. Information gathered from such scans will be used for assessing and managing security, which includes:
    • 2.1 Notifying owners/custodians of vulnerabilities,
    • 2.2 Identifying incorrectly configured systems,
    • 2.3 Assessing vulnerability impact and overall risk to the University,
    • 2.4 Taking necessary actions to reduce risk to the University,
    • 2.5 Responding to cybersecurity incidents,
    • 2.6 Validating firewall access requests, and
    • 2.7 Gathering network census data.

  • 3. Custodians of information resources found to be vulnerable will be contacted concerning any identified risk. The custodian is responsible for ensuring that the identified risk is remediated in a timely manner.

  • 4. If identified vulnerabilities are not remediated, the affected information resource(s) may be isolated or disconnected from the campus network by the Division of Information Technology security team.
    • 4.1 Information resources having security vulnerabilities with a CVSS score greater than 6.9 ("High" or "Critical" severity):
      • 4.1.1 Must be remediated within seven days of notification to maintain open ports through the campus firewall; and
      • 4.1.2 Must be remediated within 30 days of notification to maintain access to the campus network.
    • 4.2 Information resources having security vulnerabilities with a CVSS score less than 7.0 ("Medium" or "Low" severity):
      • 4.2.1 Must be remediated within 30 days of notification to maintain open ports through the campus firewall; and
      • 4.2.2 Must be remediated within 60 days of notification to maintain access to the campus network.

  • 5. Vulnerability and network scanning of devices attached to the university's network may only be conducted by the Division of Information Technology or a person authorized by the CISO or designee. Scanning conducted by entities other than the Division of IT security team may not transit a router maintained by the Division of IT without permission from the CISO or designee.

  • 6. Vulnerability and network scanning may not be conducted by students, including from student systems in Residence Halls. There is no coursework or extracurricular activity that is exempt from this prohibition.