APPROVED: Vulnerability Scanning Requirement Exception Request (EXCEPT0000229)
This exception rescinds the quarterly vulnerability scanning requirement for another six months while Information Security works to provide a process or solution to provide this service as required in the standard.
The original exception request (EXCEPT0000202) was approved December 8, 2020 and remained valid until the date June 6, 2021.
The new exception request (EXCEPT0000229) was approved May 14, 2021 and remains valid until the November 10, 2021.
It was reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions as a High Risk exception.
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.
Policy: Information Security of University Technology Resources (IRM-004)
Standards: Security of Network-Connected Devices standard and the University Data Protection Standard (UDPS)
Recommended Duration: 6 Months
Risk Level: High
Affected Systems and Data: This standard requires all managed devices connecting to the UVA network to be scanned.
The new Security of Network Connected Devices standard has a requirement to execute vulnerability scans for network connected managed devices. ITS currently does not offer a process or solution to provide this service as required in the standard. Therefore, this exception provides six months for the solution to be provided and enacted by users as required.
Compensating Controls: Approval granted with the following controls -
InfoSec Engineering has identified a way to provide vulnerabilty scanning capabilities via Tenable.io using the Tenable console in advance of a successful ServiceNow integration. This exception is intended to cover the period of the vulnerability scanning requirement becoming active in the Security of Network-Connected Devices standard until the time at which the governance is in place for distributing access to Tenable.io. While it is possible to scan servers on an as-needed basis, there is no alternative on offer for workstations.
You can make a request for access to the Tenable.io console in Servicenow Service Request Catalog > Security > Tenable.IO Administrative Console Access
InfoSec can offer scanning to departments on an as needed basis via requests made by emailing: email@example.com.
If these controls cannot be met, please email it- firstname.lastname@example.org immediately. Please note that InfoSec may terminate this exception at any time.