Skip to main content

System Status: 

  1. Home
  2. Technology
  3. Security
  4. Secure Connect
  5. Required Software
  6. Qualys Vulnerability Management (VM)

Qualys Vulnerability Management

Last Updated: May 21, 2025 12:25:06 PM PDT
Give feedback

Learn more about Qualys Vulnerability Management (VM) security software.

In response to the cybersecurity expectations issued to all UC locations by UC President Drake and the UC Regents, UC San Diego has implemented the Secure Connect program to protect the safety and security of UC systems. One of the expected cybersecurity outcomes is that all UC locations must ensure identification, tracking and vulnerability management devices accessing trusted resources. Vulnerability Management software is an endpoint (e.g., computers, laptops, etc.) security solution that continuously assesses security risks, identifies known vulnerabilities, misconfigurations, and outdated software that could be exploited by attackers.

Qualys is a UC-approved solution that has been adopted for UC San Diego Campus to meet university cybersecurity requirements.

Important: Enrollment in Qualys does not constitute consent under the Electronic Communications Policy. Users should review policy guidelines to understand how their data is managed.

Key Features of Qualys VM

  • Qualys VM is a university-approved tool that helps identify and address security weaknesses in devices connected to campus networks.
  • It performs automated, lightweight scans to detect known vulnerabilities, helping IT teams patch risks before they’re exploited.
  • Used by thousands of institutions globally, Qualys is part of the UC systemwide strategy for improving cybersecurity posture.
  • The tool does not monitor personal activity, access files, or track location, it’s focused purely on identifying software and configuration vulnerabilities.

Learn more about Qualys VM

How Qualys VM will be used

Qualys VM will be used to:

  • Scan devices for security vulnerabilities, missing patches, and outdated software.
  • Provide reports on risks, allowing IT teams to remediate security issues.
  • Identify misconfigurations that could expose university assets to cyber threats.
  • Support compliance with UC-wide cybersecurity policies.

For example, if a vulnerability in Zoom is detected on an endpoint, Qualys will:

  • Record the computer name and operating system.
  • Identify the version of Zoom installed.
  • Flag the vulnerability and notify IT of the required update.

Qualys VM will not be used to:

  • Monitor personal files, emails, or private documents.
  • Record keystrokes or user behavior unrelated to security.
  • Restrict users from installing software, but will notify IT of security risks.

For more details, refer to the Office of Information Assurance (OIA) Routine System Monitoring Practices.

What You Need to Do

Determine if you need access to trusted resources first.

To connect to trusted resources through UCSD-PROTECTED Wi-Fi, Campus Virtual Private Network (VPN), or our Wired networks, your device must meet a set of mandated security standards including Qualys VM.

  • Managed devices (by a designated Unit Information Security Lead) will be handled automatically.  No action is required.
  • Unmanaged (personal or self-managed) devices will require installation of Microsoft Intune or an approved exception. Microsoft Intune will automate steps required to meet mandated security standards including the installation of Qualys VM.
While most devices can seamlessly comply with University cybersecurity requirements, we understand that some equipment may not be compatible or require special handling. In such cases, exceptions may be granted subject to compensating controls. Please partner with your local Unit Information Security Lead (UISL) to discuss options.

 Exception Request form coming soon.

Why This Matters: A Shared Responsibility

UC San Diego is a leader in research, innovation, and education. Cybersecurity is a shared responsibility, and by adopting Qualys, we:

  • Protect research and sensitive data from cyber threats.
  • Ensure compliance with UC-wide cybersecurity policies.
  • Preserve academic freedom while maintaining security.
  • Maintain access to essential resources without disruption.

Need IT Support?

Campus Service Desk

Health Service Desk

 

Frequently Asked Questions

Why Qualys and why now?

Ensuring that 100% of endpoints accessing UC San Diego trusted networks have Qualys installed is a key initiative of the Secure Connect program. This effort aligns with a broader UC system-wide mandate issued by the UC President, directing all campuses to enhance their cybersecurity posture.

How does Qualys Work?

  • Continuous Security Scanning: Identifies security gaps and prioritizes remediation efforts.
  • Risk-Based Prioritization: Helps IT focus on critical vulnerabilities first.
  • Integration with EDR (Trellix): Works in conjunction with endpoint security for layered protection.

What data does Qualys collect?

  • Qualys scans for security vulnerabilities, collecting only necessary technical information related to system health and security posture. 
  • Data Collected:
    • Device Information: OS, hardware specs, network details.
    • Software Inventory: Lists installed applications and versions.
    • Security Vulnerabilities: Identifies outdated or misconfigured software.
    • Patch Management Data: Determines if security updates are applied.
  • Data Not Collected:
    • Personal files, emails, or communications.
    • Keystrokes or user activity unrelated to security.
    • Browsing history or online activities.

How Long is Qualys Data Retained?

  • Security scan data is stored in accordance with OIA data retention standards.
  • Data is retained only as long as necessary for security compliance and is not shared beyond authorized UC San Diego IT staff.