What are my responsibilities?

Once you have contacted University IT Security and provided the information needed to configure the scans and access the console, your responsibility is to use the scan data to help secure your systems and networks. Best practice is to remediate “Critical” vulnerabilities within 30 days.

How are hosts identified?

Hosts are identified using ICMP pings and TCP and UDP requests to common ports. The process is based on network connectivity and does not involve any other identification mechanisms.

Do the scans reach private IP space?

Vulnerability scans include both public and private IP space that is routable within the University.

When / How often will scans run?

Scans are typically run once a month, but more frequent scans are possible for critical systems. The timing of the scans can be configured to accommodate the needs of the department (e.g., time of day, day of month).

How is the scan data used?

The scan data is used to assess the risk to the University from both internal and external perspectives. The data also helps drive remediation efforts by prioritizing the highest-risk systems over lower-risk systems.

Who can see my scan results?

Scan data for each department is exposed only to delegated individuals within that department and the University IT Security team.

How intrusive are the scans?

While the scanners have the ability to be very aggressive, University IT only runs scans that have been significantly throttled to avoid disruptions. Vulnerability scanning has not affected the performance of networks or hosts.