Vulnerability Management and Patching Sample Clauses
Vulnerability Management and Patching. Contractor shall employ vulnerability management and regular application, operating system, and other infrastructure patching procedures and technologies designed to identify, assess, mitigate, and protect against new and existing security vulnerabilities and threats, including viruses, bots, and other malicious code.
Vulnerability Management and Patching. At least annually, Contractor shall perform at Contractor’s expense vulnerability tests and risk assessments of all systems that contain City Data. For Contractor’s internet perimeter network, and any of Contractor’s applications that process City Data, such testing must also include (i) penetration tests, including by use of intercept proxies to identify security vulnerabilities that cannot be discovered using automated tools, and (ii) code review or other manual verification. All tests must be performed by Contractor’s compliance team using industry recommended network security tools to identify vulnerability information. Upon written request from City, Contractor shall provide to City a Vulnerability Testing & Risk Assessment Report at the organization level including an executive summary of the results.
Vulnerability Management and Patching. i) Vendor shall adhere to applicable standards governing the patch management criticality rankings and patching time frame requirements for all systems and applications including, but not limited to, switches, routers, appliances, servers, workstation PC’s, commercial software, and open source software.
ii) Vendor shall conduct comprehensive scans for known vulnerabilities on all externally facing systems no less than one time per month.
iii) Vendor shall conduct comprehensive scans for known vulnerabilities on the entire network no less than once per quarter.
iv) All critical and high vulnerabilities must be remediated within fifteen (15) days of release unless application requirements preclude such patching. Should such preclusion exist, mitigating controls offering the same level of protection must be implemented within the aforementioned time frame.
v) Vendor shall ensure that all urgent, critical, and high patches are implemented in a timely manner. Urgent and critical patches must be implemented within thirty (30) days of release unless application requirements preclude such patching. Should such preclusion exist, mitigating controls offering the same level of protection must be implemented within the aforementioned time frame.
Vulnerability Management and Patching. 6.1. The Contractor shall conduct comprehensive scans for known vulnerabilities on all externally-facing systems not less than annually and should have a process in place for remediating identified vulnerabilities that is in accordance with Industry Standards.
6.2. The Contractor must report to the Studio all security related incidents or issues that may affect the Services and/or any of the Studio’s data as soon as possible upon discovery and recommend possible remedial actions. Notwithstanding anything else in the Agreement, the Studio shall be entitled to disclose details relating to any such incident to regulatory bodies (and/or other third parties) for the purposes of reporting, understanding, mitigating against the implications of, and preventing any recurrence of, the incident.
