Re: Vulnerability Assessment Requirements

[Mike Wiseman <mike.wiseman () UTORONTO CA>]

Hi,

For vulnerability assessment, we currently focus on Microsoft critical updates and service packs. With our system, 
network administrators decide when to require their users to run the test - if they fail, there is no grace period. We 
encourage a 'monthly check' policy roughly corresponding to Microsoft's Tuesday releases. We're working on adding 
antivirus status and elementary password audit checks.

Mike

Mike Wiseman
Manager - Computer Security Administration
Computing and Networking Services
University of Toronto


  I am throwing this question out there to schools who have implemented a vulnerability assessment solution such as 
CCA, Impulse Point, or Campus Manager.  (Note, I am not trying to start a debate on one versus the other.)  We are 
working to get CCA ready for our students this fall and I was wondering what other schools have decided upon regarding 
the requirements they are imposing on their student's PCs.  With CCA you can check for a lot of things: service packs, 
Microsoft updates, existence of anti-virus software, the age of antivirus definition, installed programs, a missing 
installed program, etc.  I am curious to find out what requirements other schools have used?  Do you allow a grace 
period or do you require that new updates and virus definitions are necessary as soon as they become available?  

  Thanks in advance,
  Chris Brown
  Information Technology Services
  Network/Telecom Administrator
  Regis University, Denver CO