How to respond to vulnerability assessment reports
Vulnerability assessments are an important component of IT Security. Radford University conducts these assessments twice a year and sends the resulting reports to the responsible system owners. As a system owner, when you receive vulnerability assessment reports (Nessus and/or Rapid7), here is what you should do:
Respond to each item in the reports in 1 of 3 ways:
- Respond that the item is a false-positive and cite why; or
- Respond that the item will be corrected, the method used to correct and the date it will be corrected by; or
- Respond that the item will not be corrected because it is an acceptable risk (System Owners must explicitly acknowledge and accept these risks while providing justification for doing so).
Notes: Do not respond to Low issues in the Nessus reports, only Medium and High issues. Do not respond to Moderate issues in the Rapid7 reports, only Critical and Severe issues. If the exact same issue is identified in multiple reports for one host, only one response is required. For example, if both the Rapid7 and Nessus reports show that a host has a self-signed SSL certificate, only one response is required, not two responses. Should a report contain redundant issues, only one aggregate response is required. For example, if weak encryption ciphers, medium encryption ciphers and SSLv2 support are all listed as issues for the same host, create a title "SSL issues" and simply respond to that rather than each individual SSL issue.
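The rules above (severity thresholds per scanner, one response per host for the same issue across reports, and one aggregate "SSL issues" response) can be applied mechanically before anyone starts writing responses. The following is an added example, not a tool from Radford IT Security; the finding fields, the scanner names and the sample findings are constructed assumptions.

```python
"""Triage helper: keep only the findings that require a response and compute the due date."""
from collections import defaultdict
from datetime import date, timedelta

# Severity levels that require a response, per scanner (hypothetical severity labels).
RESPOND_TO = {
    "nessus": {"Medium", "High"},       # Low issues are not responded to
    "rapid7": {"Critical", "Severe"},   # Moderate issues are not responded to
}
RESPONSE_DAYS = 21

# Findings that are folded into one aggregate "SSL issues" response.
SSL_KEYWORDS = ("ssl", "tls", "cipher")


def triage(findings, received):
    """Return ({host: {issue_title: [scanners]}}, due_date).

    Findings below the scanner's threshold are dropped, the same issue reported
    by several scanners for one host collapses to a single entry, and any
    SSL-related finding is grouped under the title "SSL issues".
    """
    needed = defaultdict(lambda: defaultdict(set))
    for f in findings:
        if f["severity"] not in RESPOND_TO[f["scanner"]]:
            continue
        title = f["title"].strip().lower()
        if any(k in title for k in SSL_KEYWORDS):
            title = "SSL issues"
        needed[f["host"]][title].add(f["scanner"])
    grouped = {h: {t: sorted(s) for t, s in items.items()} for h, items in needed.items()}
    return grouped, received + timedelta(days=RESPONSE_DAYS)


# Constructed sample findings (not taken from any real report).
SAMPLE = [
    {"scanner": "nessus", "host": "web01", "severity": "Low", "title": "ICMP timestamp request"},
    {"scanner": "nessus", "host": "web01", "severity": "Medium", "title": "SSL self-signed certificate"},
    {"scanner": "rapid7", "host": "web01", "severity": "Severe", "title": "Self-signed SSL certificate"},
    {"scanner": "nessus", "host": "web01", "severity": "Medium", "title": "SSLv2 support"},
    {"scanner": "rapid7", "host": "db01", "severity": "Moderate", "title": "Weak ciphers"},
    {"scanner": "nessus", "host": "db01", "severity": "High", "title": "Outdated database service"},
    {"scanner": "rapid7", "host": "db01", "severity": "Critical", "title": "outdated database service"},
]

if __name__ == "__main__":
    items, due = triage(SAMPLE, date(2024, 1, 1))
    for host, issues in items.items():
        for title, scanners in issues.items():
            print(f"{host}: {title} (reported by {', '.join(scanners)}) - respond by {due}")
```

Running it on the sample yields one "SSL issues" entry for web01 and one outdated-service entry for db01, each listing which scanners reported it, rather than five separate responses.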
As a system owner, when you receive nmap port scan reports, here is what you should do:
Respond to each open port (or each server) in the reports in 1 of 3 ways:
- Respond that the port is required and expected to be open to provide a service; or
- Respond that the port is not required to be open and the date it will be closed by; or
- Respond that the server ports listed as open are expected to be open and are required to provide services.
IT Security requires that each item in these reports is addressed (in the above manner) within 21 days of receiving the report. Here is a response template that may be used to respond to the issues, with examples showing how to respond. If you have questions or concerns, please contact the university IT Security Officer.