RA-5: Vulnerability Monitoring and Scanning
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 07/31/2024
- The Tarleton State University (Tarleton) Chief Information Security Officer (CISO) or their designee, such as the Tarleton Office of Innovative Technology Solutions (OITS) – Security Team/Cybersecurity Operations Center, will ensure that all Tarleton information resources are monitored and scanned for security vulnerabilities periodically, or when significant new vulnerabilities potentially affecting the university are identified.
- Vulnerability scans are conducted at least annually or when significant new vulnerabilities potentially affecting the university are identified and/or reported in accordance with Texas Government Code §2058.077.
- Vulnerability monitoring tools should be implemented to identify systems connected to the network, software flaws, and improper configurations and to measure the impact of vulnerabilities.
- Information resource owners and custodians should be notified of vulnerabilities that are found if the information resource owners or custodians are not within, or managed by, OITS. Custodians are responsible for ensuring that identified risks are fixed or mitigated in a timely manner.
- All legitimate vulnerabilities, whether high, medium, or low, are remediated within 30 days unless the severity of the vulnerability requires remediation sooner than 30 days, per guidance from the Tarleton CISO.
- Vulnerability and network scanning may only be conducted by the Tarleton CISO, OITS – Security Team/Cybersecurity Operations Center, or an entity authorized by the CISO or their designee.