Service includes tools, training, and guidance for institutions requesting aid in identifying, classifying, assessing, mitigating, and remediating security threats and weaknesses.

Scope

System Computing Services will:

  • Implement and operate threat and vulnerability scanning in the client’s environment
  • Create and administer accounts for any designated institution staff
  • Create and distribute scheduled reports including:
    • Systems vulnerable to threats classified as critical or high
    • Systems not in compliance for patches and/or updates for 90 days
  • If reporting shows non-compliance SCS will:
    • Give notice of non-compliance with recommendation that system(s) must be patched within 30 days
    • If the system(s) is not patched in the time stipulated, SCS will notify the institution and offer guidance and/or assistance to bring system(s) into compliance
    • If unable to patch/update, SCS will request the institution submit and implement a plan of compensating controls for protection of such system(s)
  • Share regular threat intelligence reports and notifications of critical vulnerabilities from reputable organizations such as MS-ISAC (Multi-State Information Sharing & Analysis Center) and REN-ISAC (Research & Education Networks Information Sharing & Analysis Center)
  • Perform ad-hoc and post-remediation vulnerability scanning upon request
  • Set up a SIEM (Security Incident and Event Management) dashboard to provide statistics and reports upon request
  • Assist with onboarding of data to be used by the SIEM
  • Set up SIEM alerts for events and potential incidents upon request
  • Provide security advice, guidance, and training upon request
  • Conduct incident response upon request (subject to staff availability and expertise)

Client Responsibilities

  • Patch and remediate critical and high severity threats and vulnerabilities identified by reporting
  • Adhere to current industry standards for patch management, updates, and upgrades
  • Respond to SCS requests for essential service information, including authorized points of contact