Vulnerability Scanning Exception (EXCEPT0000229)

APPROVED: Vulnerability Scanning Requirement Exception Request (EXCEPT0000229)

This exception rescinds the quarterly vulnerability scanning requirement for another six months while Information Security works on a process or solution that delivers this service as required in the standard.

The original exception request (EXCEPT0000202) was approved December 8, 2020 and remained valid until June 6, 2021.

The new exception request (EXCEPT0000229) was approved May 14, 2021 and remains valid until November 10, 2021.

It was reviewed by UVA Information Security and approved by the appropriate parties described at as a High Risk exception.   
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.

Policy: Information Security of University Technology Resources (IRM-004)
Standards: Security of Network-Connected Devices standard and the University Data Protection Standard (UDPS)
Recommended Duration: 6 Months
Risk Level: High

Affected Systems and Data: This standard requires all managed devices connecting to the UVA network to be scanned.


The new Security of Network-Connected Devices standard requires vulnerability scans of network-connected managed devices. ITS currently does not offer a process or solution to provide this service as required in the standard. Therefore, this exception allows six months for the solution to be provided and enacted by users as required.

Compensating Controls: Approval granted with the following controls -

InfoSec Engineering has identified a way to provide vulnerability scanning capabilities using the Tenable console in advance of a successful ServiceNow integration. This exception is intended to cover the period from the vulnerability scanning requirement becoming active in the Security of Network-Connected Devices standard until the time at which the governance is in place for distributing access to While it is possible to scan servers on an as-needed basis, there is no alternative on offer for workstations.

You can request access to the console in the ServiceNow Service Request Catalog > Security > Tenable.IO Administrative Console Access.

InfoSec can offer scanning to departments on an as-needed basis via requests made by emailing:

If these controls cannot be met, please email it- immediately. Please note that InfoSec may terminate this exception at any time.

