Vulnerability Scanning Exception (EXCEPT0000250)

APPROVED: Vulnerability Scanning Requirement Exception Request (EXCEPT0000250)

This exception rescinds the quarterly vulnerability scanning requirement for another six months while Information Security works on a process or solution to provide this service as required in the standard.

The original exception request (EXCEPT0000202) was approved December 8, 2020 and remained valid until June 6, 2021.  

The exception request before this one (EXCEPT0000229) was approved May 14, 2021 and remained valid until November 10, 2021.  

The new exception request (EXCEPT0000250) was approved October 12, 2021 and remains valid until April 10, 2022.

It was reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions as a High Risk exception.   
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.

Policy: Information Security of University Technology Resources (IRM-004)
Standards: Security of Network-Connected Devices standard and the University Data Protection Standard (UDPS)
Recommended Duration: 6 Months
Risk Level: High

Affected Systems and Data: This standard requires all managed devices connecting to the UVA network to be scanned.

Request:

The new Security of Network-Connected Devices standard has a requirement to execute vulnerability scans for network-connected managed devices. ITS currently does not offer a process or solution to provide this service as required in the standard. Therefore, this exception provides six months for the solution to be provided and enacted by users as required.

Compensating Controls: Approval granted with the following controls -

A new vulnerability project has been initiated to replace Tenable. This solution will provide the ability to scan and remediate vulnerabilities as per the policy.  InfoSec is working on testing a new vendor, Qualys, but still needs this exception coverage until such time as the project is successful and can be rolled out.

InfoSec can offer scanning to departments on an as-needed basis via requests emailed to it-security@virginia.edu

If these controls cannot be met, please email it-policy@virginia.edu immediately. Please note that InfoSec may terminate this exception at any time.
