Policy Number: 
IT-01
Description: 
Network scans of campus systems and devices are conducted for the purpose of general security and vulnerability assessment. The policy grants authorization to appropriate members of the Information Security and Policy Office and Health Care Information Systems' IT Security Office to coordinate and conduct Vulnerability Assessments and Penetration Testing against organizational assets.

Network Vulnerability Scanning and Penetration Testing

Good security practices must be developed in conjunction with regular feedback on their effectiveness. One form of feedback can be produced using network-based security scanning tools. Regular scanning of devices attached to the network, to assess potential security vulnerabilities, is a best practice for managing a dynamic computing environment. For critical enterprise systems or those dealing with sensitive data, additional testing methods to look deeper for more security vulnerabilities may be a requirement for compliance with laws, regulations, and/or policies. One of these methods is Penetration Testing, which is targeted at systems by IT security experts, and is typically performed at the request of business owners.

Scope

All devices attached to the University of Iowa’s network are subject to security vulnerability scanning and/or penetration testing.  In today’s changing environment, vulnerable and/or unprotected systems can easily be overlooked.  Systems that are not properly managed can become a potential threat to the operational integrity of our systems and networks.  Vulnerability scanning can be proactive, or reactive: 
 

Proactive security scanning allows for a meaningful assessment of system security against known risks, provides a roadmap of effective countermeasures for improving security, and also provides a simple quantification of assets. 
Reactive security scanning allows for threat quantification and assessment, accelerated damage control, and an assessment of systems against reasonable control measures during the repair/rebuild process.

Any critical enterprise systems of the University are subject to periodic vulnerability assessments.  Any system dealing with information governed by laws, regulations, and/or policies that require penetration testing are also covered. Other systems dealing with sensitive data may be submitted for penetration testing at the request of the business owner, or at the recommendation of the University Information Security and Policy Office.

Penetration testing is a separate and distinctly different set of testing activities. Its primary focus is the exploitation (not just observation or assessment) of security vulnerabilities and therefore may be disruptive of operations (some exploits may cause operating systems or applications to “crash”). Penetration testing is most beneficial when executed after an Assessment has been performed and the issues found by that Assessment have been remediated.

Policy Statement

Multiple levels and types of network security scanning are utilized by the University of Iowa, and are managed as services offered by the Information Security and Policy Office: 

  1. Focused Scan-- Low-level scans for basic service-tracking purposes will be conducted on all networks in the University uiowa.edu domain.  In addition, specialized scans to target specific problems posing a threat to the University’s systems and networks or to correlate interrelated network-based vulnerabilities will be conducted on an ad-hoc basis. Focused scans are not typically advertised.
  2. Recurring Group Scan – Groups of systems or departments identified as critical to the University, or that might subject the University to heightened risk will be subject to frequent, in-depth security scans. Any department can join the recurring group scan service upon request.  Scan schedules are arranged with the system owner.
  3. Ad Hoc Scan – Before a new system is put into service, it is recommended that a network security scan be conducted for the purposes of identifying potential vulnerabilities.   Scans may be requested by system administrators at any time, as frequently as necessary to maintain confidence in the security protections being employed.  Any system identified in conjunction with a security incident, as well as any system undergoing an audit may be subject to a network security scan.
  4. Penetration Test - All penetration testing of University systems must be arranged by senior management/departmental business owner(s) and coordinated through the Information Security & Policy Office. Penetration testing is typically conducted over a period of several weeks, with regular feedback to the business owner(s) if issues are identified.
  • Due to the more intrusive nature of a penetration test, and to better manage risks associated with such tests, a signed non-disclosure agreement and confidentiality agreement is required prior to commencing the penetration test. (see Related Policies, References and Attachments below for more details.)
  • Penetration testing may be performed by any qualified service provider approved by the ISPO.
  • High risk issues must be remediated in a timely manner, or units can work with the Information Security & Policy Office toward implementing compensating controls to reduce risks highlighted in the report(s).

Network scans will be conducted by authorized scanning systems: itsecurity1.its.uiowa.edu, itsecurity2.its.uiowa.edu, …itsecurityn.its.uiowa.edu in order to be easily recognizable as benign activity in system log files. 
 

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contain acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy. 

They are incorporated into the University of Operations Manual by reference, per the Policy on Acceptable Use of Information Technology Resources
 

Institutional Data Access Policy
Information Security Framework Policy
PDF iconpenetrationtestingagreement.pdf