Service Summary
Threat and Vulnerability Management
Service includes tools, training, and guidance for institutions requesting aid in identifying, classifying, assessing, mitigating, and remediating security threats and weaknesses.
Scope
System Computing Services will:
- Implement and operate threat and vulnerability scanning in the client’s environment
- Create and administer accounts for any designated institution staff
- Create and distribute scheduled reports including:
- Systems vulnerable to threats classified as critical or high
- Systems not in compliance for patches and/or updates for 90 days
- If reporting shows non-compliance SCS will:
- Give notice of non-compliance with recommendation that system(s) must be patched within 30 days
- If the system(s) is not patched in the time stipulated, SCS will notify the institution and offer guidance and/or assistance to bring system(s) into compliance
- If unable to patch/update, SCS will request the institution submit and implement a plan of compensating controls for protection of such system(s)
- Share regular threat intelligence reports and notifications of critical vulnerabilities from reputable organizations such as MS-ISAC (Multi-State Information Sharing & Analysis Center) and REN-ISAC (Research & Education Networks Information Sharing & Analysis Center)
- Perform ad-hoc and post-remediation vulnerability scanning upon request
- Set up a SIEM (Security Incident and Event Management) dashboard to provide statistics and reports upon request
- Assist with onboarding of data to be used by the SIEM
- Set up SIEM alerts for events and potential incidents upon request
- Provide security advice, guidance, and training upon request
- Conduct incident response upon request (subject to staff availability and expertise)
Client Responsibilities
- Patch and remediate critical and high severity threats and vulnerabilities identified by reporting
- Adhere to current industry standards for patch management, updates, and upgrades
- Respond to SCS requests for essential service information, including authorized points of contact