RA-5 Vulnerability Scanning

Description

Security categorization of information systems guides the frequency and comprehensiveness of vulnerability scans.

Organizations determine the required vulnerability scanning for all information system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked.

Vulnerability analyses for custom software applications may require additional approaches such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static analysis tools, binary analyzers) and in source code reviews.

Vulnerability scanning includes, for example:

  1. scanning for patch levels;
  2. scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and
  3. scanning for improperly configured or incorrectly operating information flow control mechanisms.

Organizations consider using tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of vulnerabilities.

Suggested sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security control assessments such as red team exercises provide other sources of potential vulnerabilities for which to scan. Organizations also consider using tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Applicability

A Unit head, or designee, will ensure that all information resources that connect to the University’s network undergo periodic security vulnerability assessments conducted centrally by the University's Division of Information Technology.

Implementation

TAMU-CC Office of Information Security (OIS) scans for vulnerabilities in the information system at least annually or when significant new vulnerabilities potentially affecting the system are identified and reported:

  1. Scans for vulnerabilities in the information system and hosted applications servers monthly and workstations weekly and when new vulnerabilities potentially affecting the system/applications are identified and reported;
  2. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
    1. Enumerating platforms, software flaws, and improper configurations;
    2. Formatting checklists and test procedures; and
    3. Measuring vulnerability impact;
  3. Analyzes vulnerability scan reports and results from security control assessments;
  4. Remediates legitimate vulnerabilities in accordance with an organizational assessment of risk.
    1. For vulnerabilities with a Severity of Critical, High or Important: within 30 days either 1) remediate the vulnerability or 2) send a written exception request to OIS containing the IRIS keys of the relevant resources and a rationale for the exception and mitigating controls put in place.
    2. For all other vulnerabilities, decide whether and when to remediate based upon a risk assessment; and
  5. Shares information obtained from the vulnerability scanning process and security control assessments with Custodian to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019

Chief Information Security and Privacy Officer

Submit a Ticket

News

See All News

Events

See All Events