Security Vulnerability Management Sample Clauses

Security Vulnerability Management. Company shall maintain a vulnerability management program aiming to identify and remediate security vulnerabilities within computing systems. This includes regular testing and a record of system remediation. Toolsets used to identify vulnerabilities are maintained with up-to-date vulnerability signatures. Results of vulnerability testing are utilized to craft an annual penetration test of systems and networks perceived as high risk, high value, or demonstrating a need for further scrutiny. All newly deployed systems or systems that have experienced a high level of change will be scanned for vulnerabilities prior to production. Highly orchestrated environments with appropriate change control may be exempt from pre-deployment scanning.
Security Vulnerability Management. The Customer must ensure that all Customer Systems that store, transmit, or process Customer Data and Comtrac Data undergo vulnerability scans on a regular basis (at least once a month); and immediately after any system change. If a vulnerability scan performed by the Customer reveals any vulnerabilities, the Customer must immediately take all steps to remediate such vulnerabilities and report to Comtrac, detailing the vulnerabilities and their remediation action taken as soon as practicable.
Protection from Malware. In the event that the Customer uses Customer software to access the Comtrac Services, the Customer must ensure no backdoor, time bomb, trojan horse or other computer software enables access to a third person not authorised by Comtrac. The Customer must use all reasonable endeavours to ensure that the Comtrac Services are not compromised by malware. The Customer must use anti-malware controls to help avoid malicious software gaining unauthorised access to Customer Data and Comtrac Data including malicious software originating from public networks.
Denial of Service Protection. The Customer must ensure that all Customer Systems and devices used to access and use the Comtrac Services are protected from Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks with appropriate technologies and solutions.
Penetration Testing. The Customer must engage an independent third party to perform (at its own expense) and at least once every 12 (twelve) months, penetration testing and ethical hacking activities on the Customer Systems (and solutions and software if applicable) used to access and use the Comtrac Services. Where the results of the penetration testing negatively and materially impact the Comtrac Services, the Customer shall notify Comtrac as soon as reasonably possible, making the relevant results of the testing available to Comtrac. The Customer and Comtrac shall agree on a plan to rectify the vulnerabilities with immediate effect, prioritised by criticality.
Back-ups. The Customer must document and implement a backup policy which takes daily copies of Customer Data and Customer Systems used in the acquisition and use of the Comtrac Services, including for system administration; patching; and change management to ensure that the Customer is able to determine the Customer database restore point for database rollback purposes. The following daily backups must be retained for at least three months: New and material changes; and Softwar...
Security Vulnerability Management. Scitara will operate a vulnerability management programme and capabilities that routinely identifies security risks, vulnerabilities, and issues with infrastructure, applications, systems, and processes used to support, store, process, and track the Software Services, Customer Data, and Usage Data. Further, Scitara shall remediate security risks, vulnerabilities, and issues within the terms set forth in B.11.1, B.11.2, and B.11.3. (B.11.1) If Scitara becomes aware of security risks, vulnerabilities, and issues, Scitara shall remediate the risks, vulnerabilities, and issues identified within the timeframes prescribed in B.11.2. (B.11.2) At a minimum, security risks, vulnerabilities, and issues must be remediated within the following schedule, with risk severity being determined by CVSS scoring, and Customer shall have the right to verify that remediation has taken place and is effective:

Related to Security Vulnerability Management

  • Patch Management. All workstations, laptops and other systems that process and/or store PHI COUNTY discloses to CONTRACTOR or CONTRACTOR creates, receives, maintains, or transmits on behalf of COUNTY must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within thirty (30) calendar or business days of vendor release. Applications and systems that cannot be patched due to operational reasons must have compensatory controls implemented to minimize risk, where possible.
