Vulnerability Management Policy 


Purpose 

This Vulnerability Management Policy outlines the process for scanning Information Technology Resources (ITRs), as defined in the Appendix, for vulnerabilities across the university network, and the timelines for remediating any vulnerabilities found. 


Scope 

This policy applies to all university-provided ITRs operating on the university network. 


Policy 

Subnets exempted from vulnerability scanning 

Subnets intended for student devices and guest access will not be scanned for vulnerabilities.  The VLAN identifiers for the exempted subnets are listed in the Appendix. 

Vulnerability scanning of cloud hosted ITRs 

Most cloud vendors restrict vulnerability scanning of their environments.  Because of this, cloud-hosted ITRs will only be scanned with written approval from the cloud vendor hosting the ITRs. 

Frequency of vulnerability scanning 

Vulnerability scanning will be run monthly. 

Authenticated versus unauthenticated vulnerability scanning 

When possible, ITRs will be configured to accept the vulnerability scanner's credentials so that authenticated scans can be performed.  Authenticated scans produce significantly fewer false positives and can detect vulnerabilities, such as missing patches and insecure local configuration, that an unauthenticated scan cannot see from the network. 

Reporting of vulnerability scan results 

All vulnerability scan findings rated “high” or “critical” will be sent to the appropriate administrator within 7 days of the scan completing. 

Resolving vulnerability scan results 

Any administrator who receives vulnerability scan results has 30 days to resolve the identified issues.  A finding can be resolved through one of these three mechanisms: 

  1. Correcting the issue. 
  2. Identifying the finding as a false positive and providing screenshots showing why it is a false positive. 
  3. Identifying compensating controls that protect the ITR from the vulnerability.  Compensating controls require written approval from the Chief Information Security Officer and must be renewed annually. 

If there are extenuating circumstances, such as running jobs that would be interrupted by correcting the issue, the administrator will work with the Chief Information Security Officer to agree on a date by which the issue will be corrected. 

Exceptions 

All exceptions to this policy require written approval from the Chief Information Security Officer.  All exceptions require annual renewal. 


Appendix 


VLAN identifiers of subnets exempted from vulnerability scanning 

72, 128, 160, 161, 162, 275, 290, 291, 293, 294, 295 

Definitions and Terms 

Information Technology Resources (ITRs) – This includes, but is not limited to, end-user computing devices, services, networks, email, software, printers, scanners, video distribution systems, telephone systems, fax systems, and other computer hardware and software, whether owned by the university or contracted by the university from a third party. 


Revision History 

August 2024 – Policy adopted