· Instruct system, application, and service administrators on the appropriate use of vulnerability scanning for all University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy (IV.06.02).
· Requirements identified herein reduce risks to the confidentiality, integrity and availability of university data and systems (“information assets”).
This Standard applies to all University owned computing and information resources.
· University owned systems SHALL be registered and configured by system, application, and service administrators in conjunction with the ISO to enable ongoing vulnerability management.
· Identified vulnerabilities MUST be remediated in a timely manner, based on their Vulnerability Risk score, within a period not to exceed:
o 30 days for critical risk vulnerabilities (score 9.0 to 10.0)
o 90 days for high risk vulnerabilities (score 7.0 to 8.9)
o 120 days for medium risk vulnerabilities (score 4.0 to 6.9)
o As time allows for low risk vulnerabilities (score 0.1 to 3.9)
Vulnerability Scanning – Classification Designations
M – Mandatory; R – Recommended; NR – Not Required

Information System Classification                                    High Risk (Red)    Low Risk (Green)
Workstations: laptops, desktops
Application Systems: Web-layer, middleware, databases, etc.
Network Infrastructure Devices: Routers, Firewalls, Switches, APs, etc.
Mobile Devices: tablets, smartphones, etc.
Internet of Things (IoT) Systems
If the standard cannot be met by reasonable means, an exemption may be requested by completing the Information Security Standard Exemption Request form. Be prepared to explain why the standard cannot be followed, the requested duration of the exemption, and the mitigating controls being put in place to address the requirement.
Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System. EthicsPoint is available here.
Violations of this standard include failing to register a system with the vulnerability scanning service, not granting the vulnerability scanning service the root or administrator access to a system that it requires for credentialed scanning, and misuse of any information held in the vulnerability scanning service.
Guidelines related to the implementation of this standard can be found on the Information Security Office website.
If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at email@example.com.
· University Information Security Program Policy
· University Acceptable Use Policy
· University Information Asset Classification & Management Policy
· Data Security Classification Table
· Vulnerability Scanning Service Overview (must be logged into TDX to view)
· Vulnerability Scanning FAQ (Frequently Asked Questions) (must be logged into TDX to view)
Information Security Office (ISO)
Information Security and Privacy – Governance sub-Committee (ISP-GC)
Chief Information Security Officer: