Description

This Control addresses how the university monitors and scans for security vulnerabilities in information resources to prevent inappropriate or unauthorized access to information systems.

Applicability

  • A Unit head, or designee, will ensure that all information resources that connect to the University’s network undergo periodic security vulnerability assessments conducted centrally by the University's Technology Services

Implementation

  1. A vulnerability assessment may include assessment(s) of any of the following information resources:

     1.1 Network(s)
     1.2 Operating system(s)
     1.3 Application(s)

  2. The Technology Services security team is authorized to conduct security vulnerability and network scanning of devices attached to the University network on a periodic basis, or when significant new vulnerabilities potentially affecting the system are identified and reported. Information gathered from such scans will be used for assessing and managing security, which includes:

     2.1 Notifying owners/custodians of vulnerabilities,
     2.2 Identifying incorrectly configured systems,
     2.3 Assessing vulnerability impact and overall risk to the University,
     2.4 Taking necessary actions to reduce risk to the University,
     2.5 Responding to cybersecurity incidents,
     2.6 Validating firewall access requests, and
     2.7 Gathering network census data.

  3. Coordinating with Texas A&M System to establish a public reporting channel for receiving reports of vulnerabilities in university systems and system components.

  4. Custodians of information resources found to be vulnerable will be contacted concerning any identified risk. The custodian is responsible for ensuring that the identified risk is remediated in a timely manner.

  5. If identified vulnerabilities are not remediated, the affected information resource(s) may be isolated or disconnected from the campus network by the Division of Information Technology security team.

     5.1 Information resources having security vulnerabilities with a CVSS score greater than 6.9 ("High" or "Critical" severity):

         5.1.1 Must be remediated within seven days of notification to maintain open ports through the campus firewall; and
         5.1.2 Must be remediated within 30 days of notification to maintain access to the campus network.

     5.2 Information resources having security vulnerabilities with a CVSS score less than 7.0 ("Medium" or "Low" severity):

         5.2.1 Must be remediated within 30 days of notification to maintain open ports through the campus firewall; and
         5.2.2 Must be remediated within 60 days of notification to maintain access to the campus network.
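As an added example (not part of the control text or any university tooling), the Python helper below applies the CVSS tiers and remediation windows from item 5 to a set of constructed findings and reports which consequence applies on a given date. Treating the deadline day itself as still "within" the window, and the hostnames and scores, are assumptions made here.

```python
from datetime import date, timedelta

# Remediation windows from item 5, in days after notification.
# Assumption (not stated in the control): the deadline day itself still counts as "within".
WINDOWS = {
    "high_critical": {"firewall_ports": 7, "network_access": 30},   # CVSS > 6.9 (5.1)
    "medium_low":    {"firewall_ports": 30, "network_access": 60},  # CVSS < 7.0 (5.2)
}

def severity_tier(cvss: float) -> str:
    """Map a CVSS base score to the control's two remediation tiers."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return "high_critical" if cvss > 6.9 else "medium_low"

def deadlines(cvss: float, notified: date) -> dict:
    """Return the firewall-port and network-access deadlines for one finding."""
    window = WINDOWS[severity_tier(cvss)]
    return {name: notified + timedelta(days=days) for name, days in window.items()}

def enforcement_status(cvss: float, notified: date, today: date, remediated: bool = False) -> str:
    """Which consequence from item 5 applies to a finding as of 'today'."""
    if remediated:
        return "remediated"
    due = deadlines(cvss, notified)
    if today > due["network_access"]:
        return "network_disconnect_due"   # 5.1.2 / 5.2.2
    if today > due["firewall_ports"]:
        return "firewall_ports_closed"    # 5.1.1 / 5.2.1
    return "within_window"

# Constructed sample findings (hypothetical hosts and scores, not real scan data).
SAMPLE_FINDINGS = [
    {"host": "host-a.example.edu", "cvss": 9.8, "notified": date(2024, 3, 1), "remediated": False},
    {"host": "host-b.example.edu", "cvss": 7.0, "notified": date(2024, 3, 1), "remediated": True},
    {"host": "host-c.example.edu", "cvss": 5.3, "notified": date(2024, 3, 1), "remediated": False},
]

def triage(findings: list, today: date) -> dict:
    """Evaluate every finding and return host -> status for a custodian report."""
    return {f["host"]: enforcement_status(f["cvss"], f["notified"], today, f["remediated"])
            for f in findings}

if __name__ == "__main__":
    for host, state in triage(SAMPLE_FINDINGS, date(2024, 4, 1)).items():
        print(f"{host}: {state}")
```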

  6. Vulnerability and network scanning of devices attached to the university's network may only be conducted by the Division of Information Technology or a person authorized by the CISO or designee. Scanning conducted by entities other than the Technology Services security team may not transit a router maintained by Technology Services without permission from the CISO or designee.

  7. Vulnerability and network scanning may not be conducted by students, including student systems in Residence Halls. There is no coursework or extracurricular activity that is exempt from this prohibition.