2.03 Vulnerability Scanning

I. Purpose

The purpose of the Vulnerability Scanning security policy is to minimize the risk that Bradley University's resources are compromised by an attack. Decreasing the time that a resource is vulnerable minimizes the risk of compromise.

II. Description

All hosts (servers, computers, and network devices) that are listening on or have open IP ports accessible from the Internet must be scanned for vulnerabilities monthly.

If any vulnerabilities known to the scanner at the time of the scan are found, the host's administrator will be responsible for remediating the vulnerabilities on their host(s). Critical vulnerabilities must be remediated within 15 calendar days of initial detection. High vulnerabilities must be remediated within 30 calendar days of initial detection. If the vulnerabilities are not remediated within the specified timeframe, either an exception must be approved at the Vice Presidential level, or the host will be blocked from the Internet.

Before any requested firewall security policy is configured, the internal host must be scanned, its vulnerabilities remediated, and the host added to the list of hosts that are scanned automatically.

III. Scope

This policy pertains to all hosts (servers, computers, and network devices) that are listening on or have open IP ports accessible from the Internet.

Date Approved: 1/29/2010
Dates Revised: 6/17/2019
Dates Reviewed