Vulnerability Scanning Policy
Policy Purpose
This policy covers scanning for security vulnerabilities on devices exposed to the internet. It is both a security standard and a PCI requirement.
Policy Statement
It shall be the policy of the University of Arkansas-Fort Smith to scan all devices that have addresses outside the firewall or in the DMZ. Findings rated 4 or 5 on a 1-5 scale shall be reviewed for remediation in accordance with PCI DSS.
Applicability
This policy applies to all University employees, contractors, or vendors.
Definitions
• PCI = Payment Card Industry
• PCI DSS = Payment Card Industry Data Security Standard
• DMZ = Demilitarized Zone
Policy Procedure
The IT department shall use software tools to scan external IP addresses for vulnerabilities on a monthly basis.
Enforcement
The IT department is responsible for reviewing the monthly scans for vulnerabilities.
Policy Management
This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.
Exclusions
None Applicable
Effective and Approved Date
This internal policy was approved by Terry Meadows, Director of IT/CIO, on 11/3/2017.
Last Updated
10/3/2025 – Reformatted for accessibility by Terry Meadows, Director of IT/CIO.