Vulnerability Remediation Policy
This policy establishes a framework for identifying, assessing and remediating security vulnerabilities on all managed systems connected to School or University networks, in order to protect School and University information assets and the privacy of students, faculty, staff and other parties to which the School has obligations.
All systems connected to School or University networks are subject to this policy. This includes web applications, servers, School managed devices, vendor owned devices and personal devices connected to those networks; however, the primary focus is on the critical systems listed in the Critical Components database.
For the purposes of this policy, unless otherwise stated, the following definitions shall apply:
University: University of Pennsylvania
School: University of Pennsylvania School of Nursing
ITS: Information Technology Services at the University of Pennsylvania School of Nursing
System: Any device, database, server or web application
In an effort to reduce risk to School infrastructure and supplement existing security practices, routine vulnerability scans will be performed on all critical systems. Scans will attempt to detect any operating system and application vulnerabilities.
Critical Components Database: The ISC Information Security Office and the Office of Audit, Compliance and Privacy use the Critical Components database as their primary information source when scheduling vulnerability scans. System administrators and information system owners are required to update the database when new systems are installed, must review the database at least annually, and must notify the ISC Information Security Office of any changes. System and application administrators are responsible for assessing scan reports and applying security fixes to the systems under their management.
Servers: The ISC Information Security Office performs routine vulnerability scans on information systems designated as critical components. ITS may also scan School managed endpoints. Weaknesses must be addressed in a timely manner: once scans are complete and reports are distributed, information system administrators are required to promptly review the findings, decide on a course of action, and either correct each identified vulnerability or implement mitigating measures.
Web Applications: The Office of Audit, Compliance and Privacy performs routine vulnerability scans on a sample of web applications designated as critical. Weaknesses must be addressed in a timely manner: once scans are complete and reports are distributed, application administrators are required to promptly review the findings, decide on a course of action, and either correct each identified vulnerability or implement mitigating measures.
Pre-Production Scans: Information system and application administrators must complete a vulnerability scan of any critical component system before the system goes into production.
Unscheduled Scans: Information system and application administrators should complete a vulnerability scan of any critical component system whenever major modifications are made to the system.
System and application owners are responsible for ensuring that the policy described in this document is followed. IT administrators understand that the secure implementation of systems and applications is a critical part of Penn Nursing's overall information security strategy. ITS is authorized to limit network access for servers and devices that do not comply with this policy.
ITS Computing Policy
All School users must also comply with the ITS Computing Policy as well as all University Information Systems & Computing (ISC) Computing Policies and Guidelines.
To review the ITS Computing Policy, please visit:
To review the ISC Policies and Guidelines, please visit:
Information Technology Services (ITS)
Tej M. Patel, Sr. Director & Penn Nursing CIO
Note: This policy is subject to change without prior notice, if necessary, to keep in compliance with University policies.