Information Security Standards

VULNERABILITY ASSESSMENT

GENERAL

The purpose of this procedure is to mitigate the risks that vulnerabilities in Texas A&M University-Commerce information resource systems may pose. This procedure seeks to ensure that vulnerabilities are adequately addressed and minimized. Additionally, all operating systems for all information resource systems must undergo a regular vulnerability assessment as required by Texas Administrative Code, Title 1, Section 202.75 (TAC).

APPLICABILITY

All owners of an information resource are responsible for ensuring that their information resources are adequately protected. The Information Security Officer and the Infrastructure team will conduct vulnerability assessments on a periodic basis.

PROCEDURES

1. A vulnerability assessment may include assessment(s) of any of the following information resources:

• network(s)

• operating system(s)

• application(s)

2. A vulnerability assessment will be conducted by the ISO at least biennially (every two years) based on a risk analysis developed by the CIO or ISO and at other times as needed by current threats.

3. The ISO and Infrastructure team are authorized to conduct network scanning of devices attached to the University network. Information gathered from such scans will be used for network management which includes:

• notifying owners of vulnerabilities,

• determining incorrectly configured systems,

• validating firewall access requests, and

• gathering network census data.

4. Owners and custodians of information resources found to be vulnerable in any way will be contacted concerning any identified risk(s). The custodian is responsible for ensuring that the identified risk(s) is mitigated in a timely manner.

5. If known vulnerabilities are not resolved, network access for the affected information resource(s) may be disabled by the Infrastructure team.

6. Network scanning may only be conducted by the ISO or Infrastructure team. Network scanning conducted by entities other than Information Technology must be approved by the CIO or ISO.

7. Network scanning may not be conducted by student systems in the Residence Halls.

HISTORY

Last Updated March 31, 2014