{"id":1769,"date":"2024-08-06T18:01:40","date_gmt":"2024-08-06T18:01:40","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1769"},"modified":"2024-09-05T00:59:49","modified_gmt":"2024-09-05T00:59:49","slug":"ra-5-vulnerability-monitoring-and-scanning","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/risk-assessment-ra\/ra-5-vulnerability-monitoring-and-scanning\/","title":{"rendered":"RA-5: Vulnerability Monitoring and Scanning"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">RA-5: Vulnerability Monitoring and Scanning<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: <\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> &nbsp;07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: \u00a0<\/strong>07\/31\/2024\u00a0<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>The Tarleton State University (Tarleton) Chief Information Security Officer (CISO) or their designee, such as the Tarleton Office of Innovative Technology Solutions (OITS) \u2013 Security Team\/Cybersecurity Operations Center, will ensure that all Tarleton information resources are monitored and scanned for security vulnerabilities periodically, or when significant new vulnerabilities potentially affecting the university are identified. &nbsp;\n<ul class=\"wp-block-list\">\n<li>Vulnerability scans are conducted at least annually or when significant new vulnerabilities potentially affecting the university are identified and\/or reported in accordance with <a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#:~:text=Sec.%202054.077.%20%20VULNERABILITY%20REPORTS.\" target=\"_blank\" rel=\"noreferrer noopener\">Texas Government Code \u00a72058.077<\/a>.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Vulnerability monitoring tools should be implemented to identify systems connected to the network, software flaws, and improper configurations and to measure the impact of vulnerabilities. &nbsp;<\/li>\n\n\n\n<li>Information resource owners and custodians should be notified of vulnerabilities that are found if the information resource owners or custodians are not within\/managed by OITS. Custodians are responsible for ensuring that identified risks are fixed or mitigated in a timely manner. &nbsp;\n<ul class=\"wp-block-list\">\n<li>All legitimate vulnerabilities, whether high, medium, or low, are remediated within 30 days unless the severity of the vulnerability requires remediation sooner than 30 days per guidance from the Tarleton CISO. &nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Vulnerability and network scanning may only be conducted by the Tarleton CISO, OITS \u2013 Security Team\/Cybersecurity Operations Center, or an entity authorized by the CISO or their designee.&nbsp;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/www.iso.org\/standard\/72311.html\" target=\"_blank\" rel=\"noreferrer noopener\">ISO 29147<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-40r3\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-40<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-53Ar4\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-53A<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-70r4\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-70<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-115\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-115<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.SP.800-126r3\" target=\"_blank\" rel=\"noreferrer noopener\">SP 800-126<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.7788\" target=\"_blank\" rel=\"noreferrer noopener\">IR 7788<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8011-4\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8011-4<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/doi.org\/10.6028\/NIST.IR.8023\" target=\"_blank\" rel=\"noreferrer noopener\">IR 8023<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#2054.077\" target=\"_blank\" rel=\"noreferrer noopener\">Tex Gov\u2019t Code Sec. 2054.077<\/a>&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/statutes.capitol.texas.gov\/Docs\/GV\/htm\/GV.2054.htm#:~:text=Sec.%202054.077.%20%20VULNERABILITY%20REPORTS.\" target=\"_blank\" rel=\"noreferrer noopener\">Tex Gov\u2019t Code Sec. 2058.077<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>RA-5: Vulnerability Monitoring and Scanning NIST Baseline: Low&nbsp; DIR Required By: &nbsp;07\/20\/2023&nbsp; Review Date: \u00a007\/31\/2024\u00a0 References\/Additional Resources ISO 29147&nbsp; SP 800-40&nbsp; SP 800-53A&nbsp; SP 800-70&nbsp; SP 800-115&nbsp; SP 800-126&nbsp; IR &#8230;<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":1510,"menu_order":5,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1769","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 2 years ago"},"absolute_dates":{"created":"Posted on August 6, 2024","modified":"Updated on September 5, 2024"},"absolute_dates_time":{"created":"Posted on August 6, 2024 6:01 pm","modified":"Updated on September 5, 2024 12:59 am"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1769","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1769"}],"version-history":[{"count":0,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1769\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1510"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1769"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}