1. How to request a scan
2. Scan frequency
3. Requestor and scan requirements

Submit a request via the Enterprise Service Centre (ServiceNow).

• The request form will require you to provide the application details (e.g. URL, hosting environment, criticality level).
• The Risk Management team will schedule and execute the scan based on priority and availability.
• Once completed, a report will be attached to your Enterprise Service Centre ticket with scan findings and recommendations.

• Scan frequency depends on application criticality and risk level.
• Certain critical apps (e.g. REDCap) are scanned quarterly.
• Teams should adjust frequency based on criticality and compliance requirements.

• Must be the service or application owner or have written approval
• Must have authority to approve scans and implement mitigations

• Critical applications (e.g. those handling sensitive Level 3 and Level 4 data)
• Applications approaching go-live
• Applications with significant changes
• Routine or periodic scans

• License allows 50 scans per quarter
• Requests may be queued or limited if demand exceeds capacity