Vulnerability Scans

About this requirement

Date of last update:

04/15/2024

Procedures

The auto-generated monthly vulnerability reports will be reviewed, and detected vulnerabilities will be addressed according to the following procedure:

  • If the reported vulnerability is a false positive, or is of very low risk and highly impractical to resolve, the vulnerability will be accepted.
    • Acceptance involves:
      1. approval by the area expert (i.e., the Windows, Mac, or Linux admin),
      2. approval by the Leader for College Information Security & Policy,
      3. approval by the Leader for College IT Research, Infrastructure, and Support, and
      4. addition of the vulnerability to IT Procedure: Qualys Scan Exceptions (Pending).
  • If a high-risk vulnerability is detected (Qualys Severity Risk 4 or 5), it will be addressed as follows:
    • A ServiceNow ticket will be immediately opened and assigned to the appropriate area team (Windows, Mac, Linux, etc.) and the security team. The ticket will be given a priority of high in footprints.
    • An entry will be added for the risk to IT Procedure: Qualys Scan Open Issues (Pending), noting the assignee and footprints ticket number.
    • The issue will be resolved within 2 business days unless coordinated with, and approved by, the Leader for College Information Security & Policy.
    • A rescan will be performed to verify the fix.
    • The footprints ticket will be closed, noting the action taken to resolve the issue.
    • The line item in IT Procedure: Qualys Scan Open Issues (Pending) will be removed.
  • If a lower-priority risk is detected (Qualys Severity Risk 1, 2, or 3), it will be addressed as follows: