Vulnerability management is the ongoing practice of identifying, classifying, remediating, and mitigating vulnerabilities (or weaknesses) in software. It is integral to good computer and network security. The Information Security Office (ISO) provides products from Qualys to aid in scanning and monitoring workstations, servers, and websites for vulnerabilities.
This service is intended for system administrators of the University who manage hosts which are considered critical to the mission of the University or which house University-owned sensitive information.
If you are interested in signing up for Qualys services, you can reach us by:
- ITS Service Desk
- ITS Security
Please see Technical Contact information below.
- On-campus scanning of systems storing sensitive, University-owned information
- Off-campus scanning of sensitive, University-owned systems by special arrangement
Technical Support Contact Information
Technical support for Vulnerability Management is provided by contacting the ITS Service Desk by any of the following methods:
- Phone (919) 962-HELP (4357)
- Chat: https://help.unc.edu/chat
- Online Help Request: http://help.unc.edu/help/olhr/
- Twitter: @unchelpdesk
- Facebook: unchelpdesk
- YouTube: unchelpdesk
- Instagram: unchelpdesk
SLA Response Times
- Critical* tickets will be acknowledged within 15 minutes after receipt.
- Important** tickets will be acknowledged within 8 business hours after receipt.
- General*** tickets will be acknowledged within 3 business days after receipt.
* Critical ticket: ISO considers a ticket critical when there is a work stoppage (e.g. outage) impacting: (1) a University business or business service; or (2) an employee responsible for completing mission critical work.
** Important ticket: A request for support in the normal course of University business.
*** General ticket: A request for information regarding configuration or performance (e.g. troubleshooting, request for logs, etc).
For University-owned mission critical and sensitive servers:
- 60-day and 75-day out of compliance reports are generated and shared with system administrators.
- Requests for exceptions and false positives are reviewed on a monthly basis by the Vulnerability Panel Review (VPR) committee. These requests may be made by following the steps outlined here: https://sai.unc.edu/exceptions-and-false-positives/
Service Metrics / Service Goal metrics
The goal is to provide assurance that all non-compliant servers are promptly remediated or escalated to management, possibly resulting in disconnection from the UNC-Chapel Hill network.
Qualys is a vendor-hosted system. Maintenance will be conducted based on the nature of the circumstance and the change management schedule adopted by the vendor. Planned and unplanned outages are listed on the login screen of the Qualys application.
Hours Of Operation
The Information Security Office business hours are 8:00 AM to 5:00 PM on days that the University operates.
24/7 on-call support is available for critical tickets.
Customers should be aware of ITS policies, including the following:
- Vulnerability Management Policy: https://its.unc.edu/files/2014/08/Vulnerability-Managment-Policy.pdf
- Standard for Vulnerability Management: https://its.unc.edu/files/2016/02/Standard-for-Vulnerability-Management.pdf
- User/customer responsibilities are outlined at the following link: https://sai.unc.edu/getting-started/checklist/
- Qualys provides extensive information on their website: http://qualys.com/training
Please contact the Information Security Office, or open a Remedy ticket, if you no longer need access to the Qualys system.
Out of Scope
The Information Security Office currently does not support scanning applications besides Qualys. Qualys is only used to scan IP space internal to the UNC-Chapel Hill network.
Instructions on using Qualys to scan your systems: https://sai.unc.edu/tutorials/