Cyber-scanning tools are used to measure compliance with cybersecurity guidelines and controls and must be used with due care. Cyber-scanning tools are also used for troubleshooting system problems or tightening system security. The process is an information gathering process when performed by authorized individuals and can be considered a prelude to a cyber-attack when performed by unauthorized individuals. There are protocols that should be followed to ensure proper use of the scanning tools to prevent interference with normal university operations and to minimize risk.

Guidelines & Protocols: University Assets

  • Cyber-scanning of university owned resources should only be done under certain circumstances by authorized individuals with a specific objective.
  • Cyber-scanning parameters, restrictions, and time periods during which scans of university owned resources are performed shall be documented with an audit trail of scan results.

Guidelines & Protocols: 3rd Party Assets

When cyber-scanning tools are used for scanning assets owned by 3rd party organizations, there can be legal risks that need to be managed by individuals and the university.

  • While not explicitly illegal, cyber-scanning of 3rd party organizations without explicit permission can lead to undesirable consequences. Cyber-scanning without authorization can violate the organization’s client use policy (CUP). The organization may identify the offending IP address and the date and time stamp, and thereby correlate the scan with, and attribute it to, a disruption to services resulting in financial losses. The organization may report the unauthorized scan to an IP abuse or blacklist service.
  • The amount of risk associated with cyber-scanning is largely based on whether it’s authorized. Authorized individuals should always secure written authorization from the target organization before initiating any 3rd party scanning.
  • Cyber-scanning parameters, restrictions, and time periods during which scans of 3rd party owned resources are performed shall be documented with an audit trail of scan results.

For a better understanding of how and when to use cyber-scanning tools while keeping the university’s risk to a minimum, authorized Information Services individuals should consult with the university’s Information Security Officer.