APPROVED: Vulnerability Scanning Requirement Exception Request (EXCEPT0000250)
This exception rescinds the quarterly vulnerability scanning requirement for another six months while Information Security works on a process or solution to provide this service as required in the standard.
The original exception request (EXCEPT0000202) was approved December 8, 2020 and remained valid until June 6, 2021.
The exception request before this one (EXCEPT0000229) was approved May 14, 2021 and remained valid until November 10, 2021.
The new exception request (EXCEPT0000250) was approved October 12, 2021 and remains valid until April 10, 2022.
It was reviewed by UVA Information Security and approved by the appropriate parties described at http://security.virginia.edu/exceptions as a High Risk exception.
Please remember that this exception request is approved with the following controls implemented concurrently with the permitted exception.
Policy: Information Security of University Technology Resources (IRM-004)
Standards: Security of Network-Connected Devices standard and the University Data Protection Standard (UDPS)
Recommended Duration: 6 Months
Risk Level: High
Affected Systems and Data: This standard requires all managed devices connecting to the UVA network to be scanned.
The new Security of Network-Connected Devices standard requires vulnerability scans to be executed for network-connected managed devices. ITS currently does not offer a process or solution to provide this service as required in the standard. Therefore, this exception provides six months for the solution to be provided and enacted by users as required.
Compensating Controls: Approval granted with the following controls -
A new vulnerability project has been initiated to replace Tenable. This solution will provide the ability to scan and remediate vulnerabilities as per the policy. InfoSec is working on testing a new vendor, Qualys, but still needs this exception coverage until such time as the project is successful and can be rolled out.
InfoSec can offer scanning to departments on an as-needed basis via requests made by emailing email@example.com.
If these controls cannot be met, please email it- firstname.lastname@example.org immediately. Please note that InfoSec may terminate this exception at any time.