ISO Position Paper
Position Title: Emergency Vulnerability Scanning
Position Audience: Princeton IT Professionals
Contact: Information Security Office: [email protected]
Position Release Date: August 10, 2017
Problem Statement
From time to time, the University receives critical and time-sensitive security alerts from various
trusted sources that require the ISO to immediately assess campus exposure to the risk of data
loss.
ISO Position
The ISO will review published emergency vulnerability announcements. When it is determined
that a published vulnerability presents an immediate risk to University information categorized
as Restricted or Confidential, the ISO will scan the University’s network to determine which
systems may be susceptible to the identified vulnerability. These scans will be performed using
University-approved tools.
Appropriate channels will be used to alert the University technical community prior to the scans
taking place. Once the scans have finished, notification will be sent to appropriate technical
contacts if their systems are found to be vulnerable. This position paper is meant to work in
conjunction with the ISO Emergency Vulnerability Patching Position Paper to ensure that
vulnerabilities are remediated as soon as possible, proportionate to the information risk posed
by the vulnerability.
Data Classification: Public