OCIO Service Catalog
Network Vulnerability Management
Overview
To provide for the security of IT Assets, the Office of the CIO routinely scans devices attached to the OSU Network for security vulnerabilities. Scan results are delivered to College and Department representatives. The OCIO works with these units and provides consultation to ensure that any vulnerability found is remediated.
What's Included
This service includes:
- Every device on the OSU Network with a valid Internet Protocol (IP) address is scanned once per month for network security vulnerabilities, such as threats to the confidentiality, integrity, and availability of information and services. Scans meet the Computer Division Standards of the National Institute of Standards and Technology (NIST).
- Results of the scans are e-mailed to the Departmental Network Administrator (DNA) of record for the IP address of the scanned device.
- Consultation to assist the customer in remediating vulnerabilities.
- Notifications of unresolved vulnerabilities provided via e-mail to unit leadership.
- Tracking of vulnerabilities.
Optional Features
Scans outside the regular monthly scan are available on request.
Pricing
There is currently no charge for the use of this service.
Eligibility
Any device with a valid IP address on the OSU network will be scanned. OSU Network administrators and specially designated security liaisons are eligible to receive reports and notifications.
How To Order
Consultation regarding reports or for assisting in the remediation of any vulnerabilities can be requested by sending e-mail to security@osu.edu or by calling 614-688-5650 (8-5650 from any campus phone).
Additional scans can be requested by sending e-mail to security@osu.edu.
For general questions about scanning, visit our scanning FAQs.
Billing
There is no direct billing to customers of this service.
Our Commitments
Common Service Information & Service Level Targets: Apply to all OCIO IT Services. Document requires OSU Internet Username (name.#) and password to view.
Service Specific Parameters: The following are specific to this service and supersede the corresponding sections in the Common Service Information & Service Level Targets document:
Service Hours and Availability: All devices on the OSU network will be scanned monthly. The scans are run 24/7 starting at the beginning of each month, ending for the month when all devices have been scanned. This process is documented in the OSU Vulnerability Management Procedures.
Non-emergency consultation and assistance are available during published University Business Hours.
Off-cycle scanning requests are performed within 4 business days of the receipt of the request.
Emergencies are handled 24/7/365 by calling 614-688-5650. Customers can expect a one-hour response time to emergency messages.
Monitoring and Reporting:
A service level report is generated monthly (in addition to, and separate from, the DNA reports) listing:
- The number of hosts scanned that month across OSU
- The number of Critical, High, Medium, and Low vulnerabilities detected.
- The contents of a Risk Register (things we knew would be there, that are accepted risk).
Special Considerations
Departments are expected to acknowledge any critical or high vulnerability within 5 days, and to remediate these vulnerabilities within 30 days.
To ensure Network Vulnerability scans are provided to the Departmental Network Administrator registered for the IP address of the device, it is critical that the unit provide current contact information to the Office of the CIO (e-mail 8help@osu.edu with the information).
