POLICY TITLE: Computer Vulnerability Scanning
POLICY #: IT- 01
APPROVED DATE: 3/20/2002
REVISION DATE: 3/20/2002
BRIEF DESCRIPTION: Network scans of campus machines are run for the purpose of security and vulnerability assessment.
Good system security must be developed in conjunction with regular feedback on its effectiveness. One form of feedback can be produced using network-based security scanning tools. Regular scanning of computers attached to the network, to look for security vulnerabilities, is a best practice for managing a dynamic computing environment.
Any equipment attached to the University of Iowa’s network is subject to security vulnerability scans. In today’s changing environment, vulnerable and/or unprotected systems can easily be overlooked. Systems that are not properly managed can become a potential threat to the health and well-being of our systems and networks.
Proactive security scanning allows for a meaningful assessment of system security against known risks, provides a roadmap of effective countermeasures for improving security, and also provides a simple quantification of assets. Proactive scanning can also lead to faster detection of, and perhaps fewer damages to, breached systems.
Reactive security scanning allows for threat quantification and assessment, accelerated damage control, and an assessment of systems against reasonable control measures during the repair/rebuild process.
The policy provides for multiple levels of scanning services.
- Domain – Low-level scans for basic service-tracking purposes will be conducted on all networks in the University uiowa.edu domain. In addition, specialized scans to target specific problems posing a threat to the University’s systems and networks, or to correlate interrelated network-based vulnerabilities, will be conducted on an ad-hoc basis. (Examples: scanning for systems vulnerable to the Code Red worm, scanning for mail servers configured as an open relay.)
- Group – Groups of systems or departments identified as critical and/or a particular risk to the smooth functioning of the University will be subject to frequent, in-depth security scans. Any department can join the group policy upon request. (Examples: Information Technology Services, University Health Care Information Systems, and Residence Halls Networks.)
- Individual – Before a new system is put into service, it is recommended that a network security scan be conducted for the purpose of identifying known vulnerabilities. Scans may be requested by system administrators at any time, as frequently as necessary to maintain confidence in the security protections being employed. Any system identified in conjunction with a security incident, as well as any system undergoing a financial audit, may be subject to a network security scan.
Notification for domain-level scans that target specific problems will be sent to department Network and Security Contacts (NSCs) via the “nsc-all” mailing list, and to members of the “uiowa-security” mailing list. Care will be taken to provide a reasonable amount of prior notice for these domain scans. Domain-level service-tracking scans will not be advertised.
Group-level scan schedules will be negotiated with the applicable groups.
Individual scans will be conducted upon request and scheduled in advance, unless they are conducted on an emergency (incident-related) basis.
Network scans will be conducted from authorized scan machines (itsecurity1.its.uiowa.edu, itsecurity2.its.uiowa.edu, … itsecurityn.its.uiowa.edu) so that their activity is easily recognizable as benign in system log files.
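The practical consequence of scanning only from named hosts is that a system administrator can separate expected scanner traffic from everything else when reviewing logs. The following log-triage script is an added illustration, not part of the policy or of any University tool: it takes the scanner hostnames from the policy (the elided “… itsecurityn” is treated, as an assumption, as any itsecurity<N>.its.uiowa.edu host), scans a few constructed syslog-style lines (format assumed), and reports probe-like events per source host, labelling those from authorized scanners and surfacing the rest for follow-up.

```python
import re
from collections import Counter

# Authorized scan machines named in the policy. The policy lists the series as
# itsecurity1, itsecurity2, ... itsecurityn, so this pattern (an assumption)
# accepts any numbered itsecurity host in the its.uiowa.edu zone.
AUTHORIZED_SCANNER_RE = re.compile(r"^itsecurity\d+\.its\.uiowa\.edu$")

# Constructed sample log lines in a syslog-like layout (format assumed; hosts
# other than the scanners are made up for this example).
SAMPLE_LOG = """\
Mar 20 02:11:07 webhost01 sshd[412]: Connection from itsecurity1.its.uiowa.edu port 45102
Mar 20 02:11:07 webhost01 sshd[412]: Did not receive identification string from itsecurity1.its.uiowa.edu
Mar 20 02:11:09 webhost01 smtpd[880]: connect from itsecurity2.its.uiowa.edu
Mar 20 02:11:09 webhost01 smtpd[880]: disconnect from itsecurity2.its.uiowa.edu
Mar 20 03:40:51 webhost01 sshd[519]: Did not receive identification string from scan-box.example.net
Mar 20 03:40:52 webhost01 smtpd[901]: connect from scan-box.example.net
Mar 20 09:15:00 webhost01 sshd[777]: Accepted publickey for alice from workstation7.its.uiowa.edu
"""

# Messages that usually mean "someone touched the port" rather than a completed
# session. Word boundaries keep "disconnect from" from matching "connect from".
PROBE_RE = re.compile(
    r"\b(?:Did not receive identification string from|connect from|Connection from)\b"
)
HOST_RE = re.compile(r"\bfrom ([A-Za-z0-9.-]+)")


def classify_line(line):
    """Return (source_host, label) for a probe-style line, or None otherwise."""
    if not PROBE_RE.search(line):
        return None
    match = HOST_RE.search(line)
    if not match:
        return None
    host = match.group(1)
    label = "authorized-scan" if AUTHORIZED_SCANNER_RE.match(host) else "unrecognized-probe"
    return host, label


def triage(log_text):
    """Count probe-style events per (host, label) so unexpected sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is not None:
            counts[result] += 1
    return counts


def unrecognized_hosts(log_text):
    """Sorted list of probing hosts that are not on the authorized scanner list."""
    return sorted({host for (host, label) in triage(log_text) if label == "unrecognized-probe"})


if __name__ == "__main__":
    for (host, label), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:18} {host:32} {n} event(s)")
    print("follow up on:", unrecognized_hosts(SAMPLE_LOG))
```

Run against a real log, the script only changes what an administrator looks at first: events from the policy's scanner hosts are expected and can be filed with the scan report, while the same kind of event from any other source is the one worth a closer look or an incident ticket.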
Executive reports will be generated for scheduled domain scans. Reports from group scans will be provided to management. Individual scans will be made available to the applicable department NSC and/or system administrator as requested.
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).