Service Summary
Threat and Vulnerability Management

Scope

System Computing Services will:

• Implement and operate threat and vulnerability scanning in the client’s environment
• Create and administer accounts for any designated institution staff
• Create and distribute scheduled reports including:
  • Systems vulnerable to threats classified as critical or high
  • Systems not in compliance for patches and/or updates for 90 days
• If reporting shows non-compliance SCS will:
  • Give notice of non-compliance with recommendation that system(s) must be patched within 30 days
  • If the system(s) is not patched in the time stipulated, SCS will notify the institution and offer guidance and/or assistance to bring system(s) into compliance
  • If unable to patch/update, SCS will request the institution submit and implement a plan of compensating controls for protection of such system(s)
• Share regular threat intelligence reports and notifications of critical vulnerabilities from reputable organizations such as MS-ISAC (Multi-State Information Sharing & Analysis Center) and REN-ISAC (Research & Education Networks Information Sharing & Analysis Center)
• Perform ad-hoc and post-remediation vulnerability scanning upon request
• Set up a SIEM (Security Incident and Event Management) dashboard to provide statistics and reports upon request
• Assist with onboarding of data to be used by the SIEM
• Set up SIEM alerts for events and potential incidents upon request
• Provide security advice, guidance, and training upon request
• Conduct incident response upon request (subject to staff availability and expertise)

Client Responsibilities

• Patch and remediate critical and high severity threats and vulnerabilities identified by reporting
• Adhere to current industry standards for patch management, updates, and upgrades
• Respond to SCS requests for essential service information, including authorized points of contact