Common use of Vulnerability and Patch Management Clause in Contracts

Vulnerability and Patch Management. (a) The Distributor monitors and supervises the development of all software that is used to process the Confidential Information of the Trust and conducts an independent security review of its environment. The Distributor reviews and tests custom code that is used to process such Confidential Information to identify potential coding vulnerabilities in accordance with industry standard security practices. All documentation of such assessments and remediation actions taken is confidential and proprietary and not disclosed externally.

(b) Applications that are used to process the Confidential Information of the Trust are periodically scanned to detect vulnerabilities in static code or open source components and penetration tests are performed regularly (e.g., prior to releases, and at regular intervals if there are no releases). The Distributor employs a comprehensive software security assurance program (“SSAP”) that includes architectural risk reviews, secure code reviews, threat-based penetration testing, dynamic scanning in the quality assurance phase for all applications that process the Confidential Information of the Trust and a periodic security evaluation of all externally facing applications.

(c) Patch management and vulnerability remediation across the Distributor’s applications and infrastructure are based on an internal prioritized scoring model which uses the Common Vulnerability Scoring System (CVSS), information from internal vulnerability assessments, and internally provided risk/severity ratings of the underlying assets and applications. The scoring model is designed to decrease risk exposure in critical areas by prioritizing remediation based on the Distributor’s environment.
(d) If the Distributor identifies a weakness or vulnerability that could have a direct, material adverse impact on the Distributor’s ability to (i) perform its obligations under this Agreement, (ii) comply with applicable laws in connection with this Agreement, or (iii) meet the Distributor’s business continuity capabilities in connection with this Agreement (each a “Deficiency”), the Distributor shall, within a commercially reasonable time, provide high-level information about the potential impact of that Deficiency and its remediation plan. The Trust acknowledges that any Deficiency shall be remediated and verified by the Distributor’s own internal audit group that is independent from the division performing the obligations under this Agreement.
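Paragraph (c) describes a prioritization model that combines three inputs, a CVSS base score, internal vulnerability-assessment context, and an internal asset criticality rating, but does not disclose the formula. The following is an added illustrative example, not the Distributor's model or any code from the agreement: the weights, thresholds, remediation deadlines and the four sample findings are all assumptions constructed for the example. It shows the property such a model is built to produce, namely that a CVSS 9.8 finding on a low-value internal asset can rank below a CVSS 6.5 finding on a critical, externally facing asset with a known exploit.

```python
"""Illustrative risk-based patch prioritization model.

Added example; the weights, tiers and sample data are assumptions and are
NOT the Distributor's undisclosed scoring model.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed weights: CVSS base contributes up to 50 points, asset criticality
# up to 30, and each of the two internal-assessment factors 10 (100 max).
CVSS_WEIGHT = 5.0          # 10.0 * 5.0 = 50 points at CVSS 10.0
CRITICALITY_WEIGHT = 10    # (4 - 1) * 10 = 30 points for a critical asset
EXTERNAL_BONUS = 10.0      # asset reachable from outside the environment
EXPLOIT_BONUS = 10.0       # working exploit known (internal assessment / intel)


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss_base: float          # CVSS v3.x base score, 0.0..10.0
    asset_criticality: int    # internally assigned rating, 1 (low) .. 4 (critical)
    externally_facing: bool   # from the internal assessment / asset inventory
    exploit_known: bool       # from the internal assessment / threat intel


def priority_score(f: Finding) -> float:
    """Combine CVSS with environment-specific context into a 0..100 score."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss_base}")
    if f.asset_criticality not in (1, 2, 3, 4):
        raise ValueError(f"asset criticality must be 1..4: {f.asset_criticality}")
    score = f.cvss_base * CVSS_WEIGHT
    score += (f.asset_criticality - 1) * CRITICALITY_WEIGHT
    if f.externally_facing:
        score += EXTERNAL_BONUS
    if f.exploit_known:
        score += EXPLOIT_BONUS
    return round(score, 1)


def remediation_tier(score: float) -> Tuple[str, int]:
    """Map a score to (tier, remediation deadline in days). Thresholds are assumed."""
    if score >= 80:
        return ("critical", 7)
    if score >= 60:
        return ("high", 30)
    if score >= 40:
        return ("medium", 90)
    return ("low", 180)


def rank_findings(findings: List[Finding]) -> List[Finding]:
    """Highest priority first; ties broken by raw CVSS, then by id for stability."""
    return sorted(findings, key=lambda f: (-priority_score(f), -f.cvss_base, f.finding_id))


# Constructed sample findings (not real vulnerabilities or assets).
SAMPLE_FINDINGS = [
    Finding("F-1", "client-portal", 9.8, 4, True, True),     # worst case on all axes
    Finding("F-2", "build-box", 9.8, 1, False, False),       # high CVSS, low-value internal host
    Finding("F-3", "client-portal", 6.5, 4, True, True),     # medium CVSS, critical exposed asset
    Finding("F-4", "reporting-db", 4.3, 2, False, False),    # low CVSS, internal
]

if __name__ == "__main__":
    for f in rank_findings(SAMPLE_FINDINGS):
        s = priority_score(f)
        tier, days = remediation_tier(s)
        print(f"{f.finding_id} {f.asset:14} cvss={f.cvss_base:4} score={s:5} {tier:8} fix within {days}d")
```

The ordering this produces is F-1, F-3, F-2, F-4: the two findings on the critical externally facing asset lead, and the CVSS 9.8 finding on the low-value internal host drops to the medium tier. Whatever weights an organisation actually chooses, the check worth running on any such model is exactly this one: construct pairs of findings that differ only in asset context and confirm the ranking moves the way the policy intends.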

Appears in 2 contracts

Sources: Etf Distribution Agreement (Morgan Stanley ETF Trust), Etf Distribution Agreement (Morgan Stanley ETF Trust)