To manage software and network vulnerabilities and protect university data and systems, Information Assurance (IA) works in partnership with units to identify vulnerabilities and ensure remediation in compliance with Vulnerability Management (DS-21) and other U-M policies.
IA also conducts penetration tests, a more intrusive active exploitation of security vulnerabilities, only at the request of units or system owners that want to proactively test a critical system.
Scanning
- IA conducts regular vulnerability scans. These automated scans are designed to identify software vulnerabilities, missing system patches, and improper configurations. All U-M networks are scanned bi-monthly, and units can request on-demand and more frequent scans at no charge. See Vulnerability Scanning Capabilities.
- Units receive scan results and recommendations from IA. See a Sample IA Scan Report.
Notifications
- IA alerts units to new vulnerabilities. IA tracks reports of new vulnerabilities and posts information about them at Security Alerts, as well as sending that information via email to appropriate IT staff groups.
- Units are expected to follow IA recommendations for addressing newly discovered vulnerabilities.
Remediation of Vulnerabilities
- Units remediate unit vulnerabilities. Units are expected to prioritize and remediate vulnerabilities within a timeframe based on the severity of the vulnerability. See Vulnerability Remediation.
- Units are expected to routinely update unit software and systems and apply vendor security patches after appropriate testing.
- U-M IT providers, such as Information & Technology Services (ITS) and Health & Information Technology Services (HITS) are expected to remediate vulnerabilities in the services they provide and to routinely update software and systems and apply vendor security patches after appropriate testing.
Support and Consultation
The IA Vulnerability Management team offers support and consultation. Contact the team through the ITS Service Center
Applicable University Policies
You are responsible for complying with the policies and standards below. The requirements on this page help you meet that responsibility.