Vulnerability Scans

About this policy

Policy contact: Mark Napier

Date of last update: May 27, 2020

Procedures

The auto-generated, monthly vulnerability reports will be reviewed and detected vulnerabilities will be addressed per the following procedure:

  • If the reported vulnerability is a false hit, or is of very low risk and highly impractical to resolve, the vulnerability will be accepted. Acceptance involves 1) approval by the area expert (i.e., the Windows, Mac, or Linux admin), 2) approval by the Luddy Chief Information Privacy and Security Officer, 3) approval by the Luddy IT Director, and 4) addition to IT Procedure: Qualys Scan Exceptions.
  • If a high-risk vulnerability is detected (Qualys Severity Risk 4 or 5), it will be addressed as follows:
    • A Footprints ticket will be opened immediately and assigned to the appropriate area team (Windows, Mac, Linux, etc.) and the security team. The ticket will be given a priority of High in Footprints.
    • An entry will be added for the risk to IT Procedure: Qualys Scan Open Issues, noting the assignee and the Footprints ticket number.
    • The issue will be resolved within 2 business days unless coordinated with, and approved by, the Luddy Chief Information Privacy and Security Officer.
    • A rescan will be performed to verify the fix.
    • The Footprints ticket will be closed, noting the action taken to resolve the issue.
    • The line item in IT Procedure: Qualys Scan Open Issues will be removed.
  • If a lower-priority risk is detected (Qualys Severity Risk 1, 2, or 3), it will be addressed as follows: