VULNERABILITIES AND CORRECTIVE ACTION Clause Samples

VULNERABILITIES AND CORRECTIVE ACTION. 10.1 The Authority and the Supplier acknowledge that from time to time vulnerabilities in the Information System will be discovered which unless mitigated will present an unacceptable risk to the Data. 10.2 The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Risk Management Documentation and using the appropriate vulnerability scoring systems including: 10.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS as set out by NIST ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and 10.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively. 10.3 The Supplier shall procure the application of security patches to vulnerabilities in the Information System within a maximum period from the public release of such patches with those vulnerabilities categorised as ‘Critical’ within 7 days of release, ‘Important’ within 30 days of release and all ‘Other’ within 60 Working Days of release, except where: 10.3.1 the Supplier can demonstrate that a vulnerability in the Information System is not exploitable within the context of the Services (e.g. because it resides in a software component which is not running in the service) provided vulnerabilities which the Supplier asserts cannot be exploited within the context of the Services must be remedied by the Supplier within the above timescales if the vulnerability becomes exploitable within the context of the Services; 10.3.2 the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Authority; or 10.3.3 the Authority agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the Information Risk Management Documentation. 10.4 The Information Risk Management Documentation shall include provisions for major version upgrades of all Supplier Software and Third Party Software which are COTS Products to be kept up to da...
VULNERABILITIES AND CORRECTIVE ACTION. 9.1 Contractors shall procure and implement security patches to vulnerabilities in accordance with the timescales specified in the NCSC Cloud Security Principle 5. 9.2 Contractor must ensure that all COTS Software and Third Party COTS Software be kept up to date such that all Contractor COTS Software and Third Party COTS Software are always in mainstream support.
VULNERABILITIES AND CORRECTIVE ACTION. The Parties acknowledge that from time to time vulnerabilities in the ICT Environment and ISMS will be discovered which, unless mitigated, will present an unacceptable risk to Information Assets and/or Authority Data.
VULNERABILITIES AND CORRECTIVE ACTION. 9.1 The Authority and the Supplier acknowledge that from time to time vulnerabilities in the Information Management System will be discovered which unless mitigated will present an unacceptable risk to the Authority Data. 9.2 The severity of vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the Information Security Management Document Set and using the appropriate vulnerability scoring systems including: 9.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and 9.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively. 9.3 Subject to Paragraph 9.4, the Supplier shall procure the application of security patches to vulnerabilities in the Information Management System within:
VULNERABILITIES AND CORRECTIVE ACTION. 7.1 The Authority and the Service Provider acknowledge that from time to time vulnerabilities in the Authority’s System, the Service Provider’s System and the Service Provider Solution will be discovered which unless mitigated will present an unacceptable risk to the Authority’s information, including Data. 7.2 The severity of threat vulnerabilities for the Services shall be categorised by using an appropriate vulnerability scoring system including: (a) the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇/▇▇▇▇.▇▇▇); and/or (b) Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively. 7.3 The Service Provider shall ensure the application of security patches to vulnerabilities in a timely and prioritised manner. 7.4 The Service Provider shall ensure all Service Provider COTS Software and Third Party COTS Software are upgraded within 6 months of the release of the latest version, such that it is no more than one major version level below the latest release (normally codified as running software no older than the ‘n-1 version’) throughout the Term. 7.5 The Service Provider shall: (a) implement a mechanism for receiving, analysing and acting upon threat information supplied by NCSC, or any other competent Central Government Body; (b) ensure that the Authority’s System, the Service Provider’s System and the Service Provider Solution (to the extent that the Authority’s System, the Service Provider’s System and the Service Provider Solution is within the control of the Service Provider) is monitored to facilitate the detection of anomalous behaviour that would be indicative of system compromise; (c) ensure it is knowledgeable about the latest trends in threat, vulnerability and exploitation that are relevant to the Authority’s System, the Service Provider’s System and the Service Provider Solution by actively monitoring the threat landscape during the Term; (d) pro-actively scan the Authority’s System, the Service Provider’s System and the Service Provider Solution (to the extent that the Authority’s System, the Service Provider’s System and the Service Provider Solution is within the control of the Service Provider) for vulnerable components and address discovered vulnerabilities through the processes described in the Security Pla...
VULNERABILITIES AND CORRECTIVE ACTION. The Customer and the Supplier acknowledge that from time to time vulnerabilities in the “THE SERVICE” Information System will be discovered which unless mitigated will present an unacceptable risk to the “THE SERVICE” Data.
VULNERABILITIES AND CORRECTIVE ACTION. 9.1 Contractors shall procure and implement security patches to vulnerabilities in accordance with Contractor’s internal patch management policy. 9.2 Contractor must ensure that all COTS Software be kept up to date such that all Contractor COTS Software are always in mainstream support.

Related to VULNERABILITIES AND CORRECTIVE ACTION

  • Corrective Actions The Government will use its best efforts to ensure that each Covered Provider (i) takes, where necessary, appropriate and timely corrective actions in response to audits, (ii) considers whether the results of the Covered Provider’s audit necessitates adjustment of the Government’s records, and (iii) permits independent auditors to have access to its records and financial statements as necessary.

  • Corrective Action Despite its right to terminate this Agreement pursuant to this Article, the LHIN may choose not to terminate this Agreement and may take whatever corrective action it considers necessary and appropriate, including suspending Funding for such period as the LHIN determines, to ensure the successful completion of the Services in accordance with the terms of this Agreement.

  • Mitigation and Corrective Action Business Associate shall mitigate, to the extent practicable, any harmful effect that is known to it of an impermissible use or disclosure of PHI, even if the impermissible use or disclosure does not constitute a Breach. Business Associate shall draft and carry out a plan of corrective action to address any incident of impermissible use or disclosure of PHI. If requested by Covered Entity, Business Associate shall make its mitigation and corrective action plans available to Covered Entity. Business Associate shall require a Subcontractor to agree to these same terms and conditions.

  • Corrective Action Plan Within fifteen (15) Business Days following the establishment of the Joint Remediation Committee, the Purchasers, in consultation with the Sellers, shall prepare and submit to the Joint Remediation Committee an initial draft of the Corrective Action Plan. The parties shall work in good faith through the Joint Remediation Committee to finalize the Corrective Action Plan within fifteen (15) Business Days of the Purchasers’ submission of the initial draft of the Corrective Action Plan. At the end of such period, if the Sellers reasonably determine that the Corrective Action Plan proposed by the Purchasers (as may be modified over the course of such period) would not reasonably be expected to satisfactorily address the Major Default, then the Sellers may escalate the issue to the Head of Commercial Capital (or equivalent leader of any successor business unit) of the Seller Group and the Chief Executive Officer of the Bank Assets Purchaser (the “Senior Executives”) and the Senior Executives shall work collaboratively (including with the Joint Remediation Committee) to develop a mutually agreeable Corrective Action Plan within fifteen (15) Business Days.