Vulnerability management service Clause Samples

Vulnerability management service.

6.6.1.1 Scope

The vulnerability management service shall cover the entire IT service portfolio for the FWC. The following tasks shall be performed in the scope of this service:

- Vulnerability monitoring (proactive security monitoring)
  o Continuous monitoring of different security sources of vulnerability information to identify newly published software vulnerabilities. Also, active monitoring of new information [5] related to older vulnerabilities which are still open (i.e. not yet remediated).
  o Regular (at least quarterly) vulnerability checks, e.g. by performing vulnerability and network scans, for all the systems belonging to the IT service portfolio, including managed networks. Missing security patches, misconfiguration and obsolete technologies shall belong to the scope of the checks.
- Vulnerability analysis. All the vulnerabilities shall be analysed without delay. ECHA-specific criticality and urgency of the remediation actions shall be assessed by contextualising the vulnerability in the ECHA environment and by taking into account (other) security measures and compensating factors in place. The criticality and urgency assessment shall be updated if further information is disclosed.
- A proposal for remediation actions (e.g. remediated as a part of the standard regular patching or by initiating an emergency patching, a configuration change as a standard or emergency change, etc.) shall be prepared and clearly communicated to ECHA. In case a primary remediation action is not yet available or cannot be applied to a critical vulnerability (e.g. if a patch is not yet available), possible temporary mitigation actions shall be assessed and proposed.
- Follow-up and metrics. The Contractor shall follow up the remediation actions and maintain a list of the open vulnerabilities. The Contractor shall adopt metrics on vulnerability management (e.g. number of open vulnerabilities or mitigation time for the critical vulnerabilities). Whenever the metrics reveal systematic issues, a root cause assessment shall be carried out according to the model for Problem Management defined in ITIL.

6.6.1.2 Objectives

The main objective of the service is to detect and remediate vulnerabilities that exist in the se...

[5] For example, if an exploit to abuse the vulnerability is published or if there is a new malware widely spreading via this hole.