DST Security Assessment Sample Clauses

DST Security Assessment. As part of DST’s Security Assessment, DST will: (i) conduct vulnerability scans and penetration assessments, including activities performed by management and contracted third parties, at least once annually on internal and external systems and applications that may receive, access, process or store Fund Confidential Information at DST’s expense. The penetration test must be performed by an independent third party, or if the penetration test is performed by DST, then it must be performed by a party independent from the team implementing security controls. The scope of the vulnerability and penetration testing must include all production information resources and contingency plans and any other information resources within DST’s organization that interact with, or provide access to, Fund Confidential Information or systems. DST will provide Fund with a letter confirming the testing has been performed. Fund is not permitted to conduct penetration testing or other code scanning on DST’s environment and software; (ii) evaluate the results of the vulnerability scans and Remediate Security Exposures deemed material by DST’s personnel as reasonably appropriate, taking into account facts and circumstances surrounding such issues; (iii) Mitigate Security Exposures discovered and deemed material by DST’s personnel within a reasonably appropriate time period; (iv) employ automated mechanisms no less than annually to detect the presence of unauthorized software on DST information systems. This must update the list of information system vulnerabilities scanned within every three hundred sixty-five (365) days or when new vulnerabilities are identified and reported.
Vulnerability scanning tools and techniques must be employed that promote interoperability among tools and automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations and formatting, as well as making transparent, checklists and test procedures that measure vulnerability impact; and (v) provide reasonably detailed results for vulnerability and penetration testing relating solely to Fund clients to Fund or a Fund representative. A reasonably detailed summary of results will include: (i) the date the original test was performed; (ii) the name of the company that performed the test if a third party was used; and (iii) the scope of the test, including authenticated or unauthenticated testing.
DST Security Assessment. As part of DST’s Security Assessment, DST will: (i) conduct regular vulnerability scans on externally-facing applications that may receive, access, process or store Trust Confidential Information at DST’s expense; (ii) evaluate the results of the vulnerability scans and Remediate Security Exposures deemed material by DST’s personnel as reasonably appropriate, taking into account facts and circumstances surrounding such issues; and (iii) Mitigate Security Exposures discovered and deemed material by DST’s personnel within a reasonably appropriate time period. In addition, DST will at least once per year, perform penetration testing on its externally-facing systems that may receive, access, process or store Trust Confidential Information, and will provide Trust with a letter confirming the testing has been performed. Trust is not permitted to conduct penetration testing or other code scanning on DST’s environment and software.