Vulnerability Scanning Standard

Purpose

·      Instruct systems, applications, and services administrators on the appropriate use of vulnerability scanning for all University of Oregon ("University") computing and information resources, as required by the Information Asset Classification and Management Policy ( IV.06.02 ).

·      Requirements identified herein reduce risks to the confidentiality, integrity and availability of university data and systems (“information assets”).

Applies To

This Standard applies to all University owned computing and information resources.

 

Definitions

See ISO Standards - Glossary and Iconography for details.

 

Standard

·      University owned systems SHALL be registered and configured by system, application, and service administrators in conjunction with the ISO to enable ongoing vulnerability management.

·      Vulnerabilities identified MUST be addressed in a timely manner, based on their Vulnerability Risk, not to exceed:

o   30 days for critical risk vulnerabilities (9.0 -10.0)

o   90 days for high-risk vulnerabilities (7.0 -8.9)

o   120 days for medium risk vulnerabilities (4.0 -6.9)

o   As time allows for low-risk vulnerabilities (0.1 -3.9)

 

Vulnerability Scanning – Classification Designations

 

Information System Classification 

M – Mandatory; R – Recommended; NR – Not Required 

Environment 

High Risk (Red) 

Moderate Risk  

(Amber) 

Low Risk (Green) 

Servers 

M

M

Workstations: laptops, desktops

M

M

M

Application Systems: Web-layer, middleware, databases, etc. 

M

M

M

Network Infrastructure Devices: Routers, Firewalls, Switches, Aps, etc.

M

M

M

Mobile Devices: tablets, smartphones, etc.

M

M

M

Internet of Things (IoT) Systems

M

M

M

 

REQUESTING EXEMPTIONS

In the event the standard cannot be achieved by reasonable means, you can request an exemption by completing the Information Security Standard Exemption Request form. Be ready to provide details as to why the standard cannot be followed, the duration of the exemption request and mitigating controls being put in place to meet the requirement.

REPORTING INAPPROPRIATE USE OF ACCESS

Any user who suspects a violation of the policy should report the suspected violation to University Audit using the EthicsPoint System.  EthicsPoint is available here.

Violations of this standard could include failing to register the system with the vulnerability scanning service, not allowing root or administrator access to system from the vulnerability scanning service, or misuse of any of the information in the vulnerability scanning service.

 

Implementation Guidelines

Guidelines related to the implementation of this standard can be found on the Information Security Office website.

 

Additional Information

If you have any questions or comments related to this Standard, please send an email to the University Information Security Office at infosec@uoregon.edu.

Additional information can also be found using the following resources:

·      University Information Security Program Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-security-program

·      University Acceptable Use Policy

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30997

https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=30999

·      University Information Asset Classification & Management Policy

https://policies.uoregon.edu/vol-4-finance-administration-infrastructure/ch-6-information-technology/information-asset

·      Data Security Classification Table

https://infosec.uoregon.edu/data-security-classification-table

·      Vulnerability Scanning Service Overview (must be logged into TDX to view):

https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=120397

·      Vulnerability Scanning FAQ (Frequently Asked Questions) (must be logged into TDX to view):

https://service.uoregon.edu/TDClient/2030/Portal/KB/ArticleDet?ID=120800

 

Revision History

Version

Published

Author

Description

1.0

08/09/2022

Information Security Office (ISO)

Original publication

 

Status:

Published

Published:

08/09/2022

Last Reviewed:

08/09/2022

Last Updated:

08/09/2022

 

Approval Block:

 

Date

Discussed

Date

Approved

Information Security and Privacy – Governance sub-Committee (ISP-GC)

09/21/2022

 

Chief Information Security Officer: