ASU Web Infrastructure Scanning - 18 Month Audit Requirement


Quick View
Summary: 

Following a recommendation in the Auditor General's 12 month Information Technology Security Audit report, the University Technology Office will begin to regularly scan web applications at ASU and require remediation of the findings. This will include scanning and reviewing new applications before they are migrated to production, existing applications when they are due for significant code changes, and any web application in the ASU domain on a schedule based on criticality.

Start Date: 
September 28, 2009
Go Live: 
December 7, 2009
End Date: 
January 4, 2010
Current Milestone: 
11/25/2009 - Documentation Approved
Stage: 
On track
People
Sponsor/Champion: 
Adrian Sannier, Vice President and University Technology Officer
Project Manager: 
Noel Lindner
Associate VP University Technology: 
Tina Thorstenson
More Info
Source: 
Executive
Department: 
UTO
Priority: 
High
Scope: 
  • Identify and produce list of web applications at ASU
  • Write process to identify these web applications
  • Write & publish guidelines to determine criticality of web based applications based on data classification
  • Identify criticality of the application based on data classifications
  • Write guidelines for scanning new and existing web applications & documenting results
  • Create scan schedule based on the criticality of the application and server
  • Procure and Deploy scanning mechanism/application
  • Prepare published procedure for new applications and code changes that includes a required scan
  • Identify and prepare published procedure for regularly scanning applications
  • Complete a domain wide scan of all known web applications
Deliverables: 
  • Inventory of web applications with criticality
  • Complete scan results for a 1 time scan
  • Scan results for any web application sent to production after process has been implemented
  • Guideline on how to identify web applications within ASU
  • Published procedures
    • Identifying criticality of an application
    • When and how the UTO will scan existing known web applications
    • Migrating a web application to production