Vulnerability Assessment Policy
SCOPE
This policy covers all of Loyola University Chicago’s computing, networking, telephony and information resources.
PURPOSE
The purpose of this policy is to grant authorization to appropriate members of the Information Security Team to conduct audits, consisting of vulnerability assessments and penetration tests, against the University’s computing, networking, telephony and information resources..
Audits may be conducted to:
- Investigate possible security incidents
- Ensure conformance to the University’s ITS policies and corresponding regulations (FERPA, PCI/DSS, HIPAA, GLBA, etc.)
- Confirm the security of information systems
- Ensure that information is only accessible by the individuals who should be able to access it
- Ensure that system resources are available to support the mission of the University
- Ensure that information is protected from modification by unauthorized individuals
POLICY
For the purpose of performing an audit, consent to access identified systems will be provided to members of the Information Security Team through the ITS Vulnerability Assessment Authorization Form. Via completion of the form the University hereby provides its consent to allow members of the Information Security Team to access its computing, networking, telephony and information resource devices to the extent necessary to perform the scans authorized in this policy.
This access may include:
-
User level and/or system level access to any University computing, networking, telephony or information resource
-
Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the University’s equipment or premises
-
Access to work areas (labs, offices, cubicles, storage areas, etc.), through the assistance of Campus Safety
- Access to interactively monitor and log traffic on the University’s networks in accordance with ITS policies and regulatory requirements
The Information Security Team will communicate the details of the vulnerability assessment with the Department Head before scheduling and deploying any assessments.
Limited Vulnerability Scanning
In addition to vulnerability scanning and penetration testing supplied by the Information Security Team, the Information Security Team will provide University affiliates access to a vulnerability scanning portal, through the use of the ITS Vulnerability Assessment Authorization Form. This portal will allow authorized users to scan only their Department’s computer systems, on an as needed basis.
Service Degradation and/or Interruption
Network and server performance and/or availability may be affected by network scanning. The University releases the Information Security Team of any and all liability for damages that may arise from network and server availability restrictions caused by approved network scanning.
PCI Environment Scanning Requirements
As part of the University's PCI-DSS Compliance requirements, the Information Security Team will run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Although the University utilizes access controls to prevent the deployment of rogue access points in the University's cardholder environment, The Network Services Team will use wireless scanners in the University’s cardholder environment on at least a quarterly basis to ensure that rogue wireless networks are not present.
EXCEPTIONS
Exceptions to this policy will be handled in accordance with the ITS Security Policy.
REVIEW
This policy will be maintained in accordance with the ITS Security Policy.
EMERGENCIES
In emergency cases, actions may be taken by the Incident Response Team in accordance with the procedures in the ITS Incident Response Handbook. These actions may include rendering systems inaccessible.
APPENDIX
Documents Referenced
ITS Incident Response Handbook
ITS Security Policy
ITS Vulnerability Assessment Authorization Form
HISTORY