Vulnerability Scanning Exception (EXCEPT0000202)

APPROVED: Vulnerability Scanning Requirement Exception Request (EXCEPT0000202)

This exception rescinds the quarterly vulnerability scanning requirement for six months while Information Security works on a process or solution that delivers this service as required in the standard.

As of December 8, 2020, this exception request (EXCEPT0000202) has been reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions for Medium Risk exception requests. The approval for EXCEPT0000202 will remain valid until June 6, 2021.
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.

Policy: Information Security of University Technology Resources (IRM-004)
Standards: Security of Network-Connected Devices standard and the University Data Protection Standard (UDPS)
Recommended Duration: 6 Months
Risk Level: Medium

Affected Systems and Data: This standard requires all managed devices connecting to the UVA network to be scanned.

Request:

The new Security of Network-Connected Devices standard has a requirement to execute vulnerability scans for network-connected managed devices. ITS currently does not offer a process or solution to provide this service as required in the standard. Therefore, this exception provides six months for the solution to be provided and enacted by users as required.

Compensating Controls: Approval granted with the following controls:

InfoSec Engineering has identified a way to provide vulnerability scanning capabilities via Tenable.io using the Tenable console in advance of a successful ServiceNow integration. This exception is intended to cover the period from the vulnerability scanning requirement becoming active in the Security of Network-Connected Devices standard until governance is in place for distributing access to Tenable.io.

You can request access to the Tenable.io console in the ServiceNow Service Request Catalog > Security > Tenable.IO Administrative Console Access.

InfoSec can offer scanning to departments on an as-needed basis via requests made by emailing: [email protected]

If these controls cannot be met, please email it- [email protected] immediately. Please note that InfoSec may terminate this exception at any time.