Servers connected to the University's network must be scanned using a vulnerability management system approved collectively by the University's Information Security Officers (ISO) and Chief Information Security Officer (CISO).
The ISO at each business unit is responsible for implementing procedures in order to:
- Enroll servers in the Enterprise Vulnerability Scanning (EVS) service. The University uses Qualys to provide this service.
- Ensure scans are conducted on schedule.
- Develop/generate reports.
- Take appropriate action, as necessary, to protect information assets and infrastructure. Such actions include, but are not limited to:
- Scanning devices that appear to be causing disruptive behavior on the network to investigate the source of the disruption.
- Removing systems experiencing an active exploit from the network until satisfactorily patched or remediated.
- Requiring that administration of an exploited or vulnerable system be turned over to the central IT department in the event that the system administrator is unable to correct the problem satisfactorily.
Requirements
Vulnerability Remediation Timeframes
| Qualys Risk Level | Time Limit For Remediation |
|---|---|
| Level 1 | When technically and/or operationally feasible |
| Level 2 | When technically and/or operationally feasible |
| Level 3 | Must be patched or remediated to the satisfaction of the ISO within 60 calendar days |
| Levels 4 and 5 | Must be patched or remediated to the satisfaction of the ISO within 30 calendar days |
Any of these timeframes may be accelerated at the discretion of the appropriate ISO.
Existing Servers
- Every networked server must be enrolled in the EVS.
- An administrator account must be established on each server to be used solely for the purpose of conducting scans.
- Vulnerability assessments must be performed at least monthly. Failure to have monthly authenticated scans will result in the system being removed from the network.
- Scans shall be performed during hours that minimize disruption to normal business functions.
- System administrators must not make any temporary changes to networked servers for the sole purpose of passing a scan.
- Servers connected to the network cannot be specifically configured to block vulnerability scans from the authorized EVS.
- Vulnerabilities must be mitigated or eliminated through proper analysis and repair methodologies, in accordance with the University's Data Classification System and within the timeframes specified in the table above.
New Servers
- Effective January 1, 2014, no new servers can be placed into production until a vulnerability assessment has been conducted and vulnerabilities addressed.
- Scans will be conducted in accordance with procedures established by the ISO at each business unit but, at a minimum, before the server goes into production.
- Vulnerabilities must be mitigated or eliminated through proper analysis and repair methodologies, in accordance with the University's Data Classification System and within the timeframes specified in the table above.
Exceptions
An ISO may grant exceptions to the scanning requirement or to remediation of a discovered vulnerability at their discretion. Requests for such an exception including the justification must be submitted in writing according to procedures established by each ISO.
Reviewed 2021-12-03