ASU’s Vulnerability Management Program
A strong Vulnerability Management Program is crucial for ASU to identify, assess, and mitigate security weaknesses that could threaten university systems and data. By proactively managing vulnerabilities, ASU reduces the risk of unauthorized access, data breaches, and service disruptions. This approach fortifies ASU’s overall security posture and ensures compliance with relevant standards and regulations.
Tracking and Prioritizing Vulnerabilities
All detected vulnerabilities are documented and prioritized within ASU’s current vulnerability platform (Qualys). This organized process enables the university to concentrate on the most critical threats first, ensuring that high-risk security issues are resolved in a timely manner.
Responsibility for Remediation
The WG-DT Lead, Business Unit Owners, or a delegated unit representative hold primary responsibility for coordinating and supervising remediation efforts. This clear assignment of accountability helps maintain consistency and efficiency in addressing vulnerabilities across ASU’s various systems and services.
Remediation for New or Significantly Updated Systems
- New Websites and Systems: Before any new website or system is deployed to production at ASU, critical and high-severity vulnerabilities must be remediated to minimize the likelihood of exploitation.
- Significant Changes to Existing Websites and Systems: Major updates or modifications to existing systems should be evaluated for new vulnerabilities, with critical and high-severity issues addressed prior to rolling out changes.
Reference for Remediation Timeframes
For explicit guidelines on the required remediation timelines based on vulnerability severity, please consult the Vulnerability Management Security Standard. This standard is currently being rewritten but will outline ASU’s remediation expectations and deadlines to ensure a secure and compliant technology environment.
The Vulnerability Management Team is always available to assist with any questions or concerns.
Contact Us
The IT Vulnerabilities team offers open office hours on the 1st and 3rd Thursday of each month from 1:30pm to 3:30pm.
For additional support or questions, please submit a ServiceNow ticket request. This includes requests to be added to the IT Community Risk Slack channel.
Network Scanning: How and Why We Scan
What is Network Scanning?
Network scanning is a proactive and systematic process of identifying and assessing devices, systems, and applications connected to ASU’s technology network. This critical component of our vulnerability management program helps ensure the security and integrity of ASU’s digital environment by identifying potential risks and addressing them promptly.
The process involves reviewing network-connected devices to detect vulnerabilities, misconfigurations, and other weaknesses that could expose ASU’s infrastructure to cyber threats. Network scanning identifies risks such as unsecured network services, outdated operating systems, weak access controls, and misconfigured security settings, providing the data needed to prioritize and mitigate these risks effectively.
Devices in Scope
Any device connected to ASU’s network may be subject to network scanning. Examples include:
- Servers and systems: Both in ASU’s datacenter and CoLo datacenter
- Audio/Video equipment: Used in classrooms, conference rooms, or other shared spaces
- SCADA systems: Devices supporting Supervisory Control and Data Acquisition operations
- Administrative systems: Supporting compliance, research, or enterprise processes
- Global and management devices: Ensuring critical infrastructure remains secure
If your device is connected to ASU’s network, it is likely included in our network scanning program to maintain a secure and resilient environment.
Why is Network Scanning Important?
Network scanning is essential for protecting ASU’s infrastructure, systems, and sensitive data. It helps identify vulnerabilities before they can be exploited by malicious actors and supports the following objectives:
- Secure launches of new systems: Scans ensure that systems are secure before they go live.
- Responding to significant changes: When systems are upgraded, modified, or replaced, scans confirm that security is not compromised.
- Enhancing security reviews: Scans provide actionable insights to confirm systems meet ASU’s stringent security standards.
- Ongoing protection: Regularly scheduled scans and on-demand assessments ensure continuous security monitoring.
Addressing Risks Through Network Scanning
Network scanning is a vital tool for identifying risks that could lead to breaches or disruptions. Common risks addressed include:
- Unsecured network services: Identifying unnecessary or exposed services that could be exploited.
- Weak or misconfigured security settings: Highlighting areas needing immediate correction.
- Unpatched vulnerabilities: Detecting outdated software or operating systems that require updates.
The "Why" Behind Network Scanning
The primary reason for network scanning is to safeguard ASU’s digital ecosystem and reduce risk exposure. With a diverse and interconnected network that supports research, academics, and administrative functions, it is critical to protect sensitive data and ensure system reliability. Network scanning minimizes the likelihood of successful cyberattacks, mitigates potential operational disruptions, and ensures compliance with ASU’s security policies and applicable regulatory standards.
By proactively identifying and addressing vulnerabilities, ASU strengthens its defenses, protects its community, and upholds its commitment to fostering a secure and resilient digital environment. Network scanning is not just about identifying problems—it’s about ensuring that ASU’s systems, data, and users remain secure and protected.
Visit the ServiceNow knowledgebase to get started.
Web App Scanning
Web application scanning is a vital security measure that helps protect ASU’s websites and applications from cyber threats. In today’s digital landscape, malicious actors constantly exploit vulnerabilities to gain unauthorized access, steal sensitive data, and disrupt operations. Web application scanning is designed to proactively identify and address these risks, ensuring the university's digital ecosystem remains secure and resilient.
This process involves a thorough analysis of an application’s code, configurations, and dependencies to uncover vulnerabilities specific to web applications, such as cross-site scripting (XSS), SQL injection, weak authentication mechanisms, insecure configurations, and exposed sensitive data. The results of these scans provide detailed reports that enable teams to prioritize and remediate risks effectively, preventing potential breaches and safeguarding the university’s critical resources, including student, faculty, and research data.
Web application scanning is not just a best practice—it is a requirement. It plays a crucial role in protecting ASU’s critical assets, maintaining compliance with security standards, and demonstrating ASU’s commitment to upholding the trust of its community and stakeholders. Without regular scanning and proactive remediation, vulnerabilities can go unnoticed, increasing the risk of breaches that could result in reputational damage, financial loss, and harm to students, faculty, staff, and external partners.
By scanning web applications, ASU takes a proactive stance against cybersecurity threats, ensuring the security, privacy, and integrity of its digital environment while fostering a safe online experience for its entire community.
Visit the ServiceNow knowledgebase to get started.
Request Your First Scan
Step 2. Allow scanner IP addresses through your firewall.
Step 3. Grant normal end-user access to a test user.
Single Sign-on applications: Use our designated test account
Standalone applications: Create a test user and provide us the credentials
Step 4. Backup your site. (Scans can be destructive.)
Request a scan