Standard Operating Procedure

1. How does the scanning tool work?

The scanning tool actively probes for system vulnerabilities.  It performs a multi-level scan using an extensive database of known security holes to identify common system vulnerabilities. Many of the vulnerabilities are included in the CERT, CIAC and SANS advisories.

The scanning tool produces a detailed security report, often including detailed instructions on how to remediate or mitigate the identified vulnerability.

The tool assigns a vulnerability category and a severity level for each vulnerability detected.  Vulnerability categories are:

1. High Severity Problems
2. Medium Severity Problems
3. Low Severity Problems

The vulnerability classification helps to prioritize scan results.   A severity level indicates the security risk posed by exploitation of the vulnerability and its degree of difficulty.

1. Scheduled scans conducted by Information Security

Information Security may coordinate and conduct scheduled, non-credentialed monthly scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University. The vulnerability assessments will include selective probes of communication services, operating systems and applications to identify high-risk system weaknesses that could be exploited to gain unauthorized access to UTPA’s network and data.  Information gathered will be used for network management, including notifying departments and server administrators of vulnerabilities, determining incorrectly configured systems, validating firewall access requests and gathering network census data.

The scheduled scan process involves five possible steps:

1. Schedule/Notification – Registered servers are scheduled for monthly scans.
2. Scan- The scan tool performs vulnerability tests and produces a vulnerability report.
3. Evaluation of Scan Results - System administrators are notified if vulnerabilities identified as having High, Medium or Low severity impact. They are notified to (1) remediate the vulnerability, (2) mitigate the risk of the vulnerability, or (3) document why the vulnerability cannot be remediated or mitigated or does not pertain.  An example of a mitigating action is moving a vulnerable service port behind a host-based firewall.  This action simply protects the system against exposure of the vulnerability but does not remediate the vulnerability, as applying a patch would.  Corrective action must be taken as specified in the timelines below.
4. Report Distribution - All technical scan reports are sent to the system administrator. A copy of the scan report is filed in the Information Security office.
5. Re-scan (as necessary) - Re-scans are scheduled when a notification is received that previously identified vulnerabilities have been resolved.  A copy of the scan report is filed in the Information Security office.

Unscheduled scans conducted by Information Security

Information Security may conduct unscheduled scans to reduce the vulnerability of University computers to attacks, denial of service and other security risks from both inside and outside the University, or to investigate a security incident.

1. Timelines for corrective action/remediation for identified vulnerabilities

After a system administrator is notified by Information Security that a scan has identified vulnerabilities identified, corrective action must be taken within the following timelines.  The timelines are also recommended for vulnerabilities identified by system administrators.

1. Exception Handling

The System Administrator will document any high-risk or important vulnerabilities remaining un-remediated past the timelines established in section 4. If it is determined that corrective action cannot or should not be taken, an exception must be approved by the CISO in accordance with the Exceptions Procedure.