Security Vulnerability Management Clause Samples
The Security Vulnerability Management clause outlines the obligations and procedures for identifying, reporting, and addressing security vulnerabilities within a system or service. Typically, it requires regular vulnerability assessments, prompt notification of discovered issues, and timely remediation efforts, such as applying patches or implementing workarounds. This clause ensures that both parties proactively manage security risks, reducing the likelihood of data breaches or system compromises and maintaining the integrity and trustworthiness of the service.
Security Vulnerability Management. Company shall maintain a vulnerability management program to identify and remediate security vulnerabilities within computing systems. This includes regular testing and a record of System remediation. Toolsets used to identify vulnerabilities are maintained with up-to-date vulnerability signatures. Results of vulnerability testing are utilized to craft an annual penetration test of Systems and networks perceived as high risk, high value, or demonstrating a need for further scrutiny. All newly deployed Systems or Systems that have experienced a high level of change will be scanned for vulnerabilities prior to production. Highly orchestrated environments with appropriate change control may be exempt from pre-deployment scanning.
Security Vulnerability Management. Scitara will operate a vulnerability management programme and capabilities that routinely identify security risks, vulnerabilities, and issues with infrastructure, applications, systems, and processes used to support, store, process, and track the Software Services, Customer Data, and Usage Data. Further, Scitara shall remediate security risks, vulnerabilities, and issues within the terms set forth in B.11.1, B.11.2, and B.11.3.
(a) Critical risk vulnerabilities, CVSS score of 9.0 or higher, shall be remediated within 7 calendar days or less,
(b) High risk vulnerabilities, CVSS score of 7.0 to 8.9, shall be remediated within 30 calendar days or less,
(c) Medium risk vulnerabilities, CVSS score of 4.0 to 6.9, shall be remediated within 60 days or less, and
(d) Low risk vulnerabilities, CVSS score of 0.1 to 3.9, shall be remediated within 90 days or less.
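The banded deadlines in (a) to (d) are the part of this clause an engineering team has to operationalise: every finding needs a due date derived from its CVSS base score and discovery date, and anything past that date is a contractual breach. The following Python is an added example, not part of Scitara's clause or of any vendor's tooling. It maps a score to the band and day count above, computes the calendar-day due date, and reports each finding as met, breached, open or overdue. Finding identifiers, asset names and dates are constructed for illustration. Two edge cases the clause leaves open are handled explicitly: a score of 0.0 falls below the lowest band (0.1), so it is reported as having no contractual deadline rather than being silently assigned one, and scores outside 0.0 to 10.0 are rejected as tooling errors.

```python
"""Track remediation deadlines for scan findings against CVSS-banded SLA windows.

Added example. The bands mirror clause items (a)-(d) above: 9.0+ -> 7 days,
7.0-8.9 -> 30, 4.0-6.9 -> 60, 0.1-3.9 -> 90. Finding IDs, asset names and
dates below are constructed, not real scan output.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# (lower bound, upper bound, label, calendar days allowed). Bounds are inclusive and
# expressed to one decimal, matching how CVSS base scores are published.
SLA_BANDS = [
    (9.0, 10.0, "critical", 7),
    (7.0, 8.9, "high", 30),
    (4.0, 6.9, "medium", 60),
    (0.1, 3.9, "low", 90),
]

# Constructed reporting date used by the sample run below.
REPORT_DATE = date(2024, 4, 1)


def classify(cvss: float) -> Optional[tuple[str, int]]:
    """Map a CVSS base score to (severity label, days allowed).

    Returns None for 0.0: the clause starts its lowest band at 0.1, so an
    informational finding has no contractual deadline and must be handled by
    policy rather than silently given one. Scores outside 0.0-10.0 raise,
    because they indicate a parsing or tooling error, not a finding.
    """
    score = round(cvss, 1)  # CVSS is reported to one decimal; avoid float gaps between bands
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lo, hi, label, days in SLA_BANDS:
        if lo <= score <= hi:
            return label, days
    return None


@dataclass
class Finding:
    finding_id: str               # scanner's own identifier (constructed here)
    asset: str
    cvss: float
    discovered: date              # date the scanner first reported it
    fixed: Optional[date] = None  # date remediation was verified, if any


@dataclass
class Assessment:
    finding_id: str
    severity: Optional[str]
    due: Optional[date]
    state: str  # "met", "breached", "open", "overdue" or "no_sla"


def assess(finding: Finding, today: date) -> Assessment:
    """Compute the contractual due date and the finding's current state."""
    band = classify(finding.cvss)
    if band is None:
        return Assessment(finding.finding_id, None, None, "no_sla")
    label, days = band
    due = finding.discovered + timedelta(days=days)  # calendar days, as the clause says
    if finding.fixed is not None:
        state = "met" if finding.fixed <= due else "breached"
    else:
        state = "overdue" if today > due else "open"
    return Assessment(finding.finding_id, label, due, state)


def sla_report(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Group finding IDs by state so breaches and overdue items are visible at a glance."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        a = assess(f, today)
        grouped.setdefault(a.state, []).append(a.finding_id)
    return grouped


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-001", "web-01", 9.8, date(2024, 3, 1), fixed=date(2024, 3, 6)),   # critical, due 03-08, fixed 03-06: met
    Finding("F-002", "web-01", 7.5, date(2024, 3, 1)),                            # high, due 03-31: overdue on 04-01
    Finding("F-003", "db-01", 5.3, date(2024, 1, 10), fixed=date(2024, 3, 20)),  # medium, due 03-10, fixed 03-20: breached
    Finding("F-004", "db-01", 3.1, date(2024, 2, 1)),                             # low, due 05-01: still open
    Finding("F-005", "jump-01", 0.0, date(2024, 3, 1)),                           # informational: no SLA in the clause
]

if __name__ == "__main__":
    for state, ids in sla_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{state}: {', '.join(ids)}")
```

Feeding real scanner output into this only requires building Finding objects from the export; the band table is the one place to change if a contract uses different thresholds or counts business rather than calendar days.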
Security Vulnerability Management. The Customer must ensure that all Customer Systems that store, transmit, or process Customer Data and Comtrac Data undergo vulnerability scans (a) on a regular basis (at least once a month); and (b) immediately after any system change. If a vulnerability scan performed by the Customer reveals any vulnerabilities, the Customer must immediately take all steps to remediate such vulnerabilities and report to Comtrac, detailing the vulnerabilities and the remediation action taken, as soon as practicable.

Protection from Malware. In the event that the Customer uses Customer software to access the Comtrac Services, the Customer must ensure that no backdoor, time bomb, trojan horse or other computer software enables access to a third person not authorised by Comtrac. The Customer must use all reasonable endeavours to ensure that the Comtrac Services are not compromised by malware. The Customer must use anti-malware controls to help avoid malicious software gaining unauthorised access to Customer Data and Comtrac Data, including malicious software originating from public networks.

Denial of Service Protection. The Customer must ensure that all Customer Systems and devices used to access and use the Comtrac Services are protected from Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks with appropriate technologies and solutions.

Penetration Testing. The Customer must engage an independent third party to perform (at its own expense), at least once every 12 (twelve) months, penetration testing and ethical hacking activities on the Customer Systems (and solutions and software, if applicable) used to access and use the Comtrac Services. Where the results of the penetration testing negatively and materially impact the Comtrac Services, the Customer shall notify Comtrac as soon as reasonably possible, making the relevant results of the testing available to Comtrac. The Customer and Comtrac shall agree on a plan to rectify the vulnerabilities with immediate effect, prioritised by criticality.

Back-ups. The Customer must document and implement a backup policy which takes daily copies of Customer Data and Customer Systems used in the acquisition and use of the Comtrac Services, including for (a) system administration; (b) patching; and (c) change management, to ensure that the Customer is able to determine the Customer database restore point for database rollback purposes. The following daily backups must be retained for at least three months: (a) new and material changes; and (b) Softwar...
