
Central Vulnerability Assessment Service (CVAS) FAQ


    The Central Vulnerability Assessment Service (CVAS) is a client-focussed service run by the IT Security Team. The IT Security Team is part of IT User Services (ITUS), which in turn is a part of Information Services (IS).

  1. What does CVAS do? CVAS performs independent vulnerability assessments and identifies current and potential IT Security risks for faculties, departments and affiliates of The University of Melbourne. CVAS staff work with IT Managers and local IT staff to perform the assessment and then report on its findings and provide risk mitigation recommendations.

  2. Who can use CVAS? CVAS is available to all logical units of The University but faculties and departments are prioritised above affiliates. There is no chargeback for services provided by CVAS.

  3. How can I request a Vulnerability Assessment (VA)? Assessments can be requested by emailing it-security@unimelb.edu.au. Please include the total number of hosts (servers, workstations, switches) to be assessed and the number of support staff allocated to managing these hosts. Faculties/departments with low support staff to host ratios are given priority when scheduling assessments.

  4. And if I don't request an assessment? If you don't request an assessment you may be chosen for one. Eventually all logical units of The University will be assessed. Again, faculties and departments with low support staff to host ratios will take priority, as will areas where IT Security incidents have occurred more frequently in the past.

  5. So what does a CVAS VA actually entail? There are three main components: Network Vulnerability Assessment (NVA), Host Vulnerability Assessment (HVA) and Policy and Procedure Vulnerability Assessment (PVA). Details of what each of these entails, the tools used and the procedures followed to perform them are beyond the scope of this FAQ but can be provided on request.

  6. What sort of information will be contained in the VA report? Vulnerabilities identified will be categorised by severity as either low, medium, high or critical. These categories correspond to numerical scores from 0 to 50, where 50 is highly critical. Any factors that mitigate the risk resulting from an identified vulnerability will result in the initial score being multiplied by a value less than 1, resulting in a lower score.

  7. What is the Site Security Rating (SSR)? Each of the NVA, HVA and PVA begins with a score of 200. Points are deducted from this starting score down to a minimum of 0. The sum of the final scores for each of the three gives the SSR out of a possible total of 600.

  8. What are the benefits to LITEs and IT Managers of having a VA performed? A VA provides valuable information that many IT Teams may not ordinarily have the time or resources to collect. Vulnerability identification and risk mitigation result in reduced exposure to potential IT Security incidents and increased peace of mind. CVAS also produces a VA report for a non-technical audience and is able to assist IT Managers and LITEs with negotiating sufficient resourcing to meet security requirements. The assessment process also provides opportunities for sharing of knowledge and best practice across The University and for LITEs to acquire new skills or enhance existing ones. Finally, a follow-up assessment can be performed to confirm the efficacy of any measures implemented.

  9. Can you reassure me that any vulnerabilities you discover will be treated in the strictest of confidence? Absolutely! Although "Security by Obscurity" is a discredited strategy, CVAS staff treat VA results in the strictest of confidence. Only the person requesting the VA and members of their IT staff they nominate will have access to the results of the VA.

  10. Can I utilise CVAS without having a complete VA? Certainly! CVAS staff are keen to assist IT staff across The University with specific security advice and recommendations, particularly during the design and implementation stages of projects. This advice can be network, host or policy & procedure related. CVAS staff also participate in the development and provision of other services offered by IS that may assist LITEs to improve IT Security in their own areas.


If you have any further questions related to CVAS or other services provided by the IT Security Team please email it-security@unimelb.edu.au.
