VULN-02

Will you provide results of application and system vulnerability scans to the institution?

Explanation

This question is asking whether your organization will share the results of vulnerability scans performed on your applications and systems with the institution (the customer or client). Vulnerability scans are automated tests that identify security weaknesses in software applications, operating systems, and network devices. These scans detect issues like missing security patches, insecure configurations, or known software flaws that could be exploited by attackers.

Why it's being asked:

1. Transparency: The institution wants to understand the security posture of the systems they're entrusting with their data.
2. Risk assessment: They need to evaluate whether your security vulnerabilities could put their data at risk.
3. Compliance requirements: Many regulatory frameworks (like HIPAA, PCI DSS, etc.) require organizations to ensure their vendors maintain adequate security controls.
4. Due diligence: The institution needs to demonstrate they've performed proper security oversight of their vendors.

How to best answer it:

- Be honest about your vulnerability scanning practices and sharing policies
- Explain what types of scan results you're willing to share (summary reports vs. detailed findings)
- Describe any limitations or conditions on sharing (e.g., requiring NDAs, redacting certain information)
- Mention the frequency of scans and reporting
- If you don't share scan results, explain your alternative methods for providing security assurances

Example Responses

Example Response 1

Yes, we will provide vulnerability scan results to the institution. We conduct monthly automated vulnerability scans using Qualys on all production systems and quarterly penetration tests using a third-party security firm. Upon request and with an executed NDA, we can provide summary reports of these scans showing vulnerability counts by severity level, remediation timelines, and attestation of remediation completion. For critical or high vulnerabilities that might affect the institution's data, we will proactively notify the institution within 48 hours of discovery and provide regular updates until remediation is complete. We can also accommodate requests for more detailed reports on a case-by-case basis.

Example Response 2

Yes, we provide vulnerability scan results through our customer security portal. Our security team conducts weekly automated vulnerability scans using Nessus and quarterly manual penetration tests. Authorized institution representatives can access our security portal at any time to view current and historical scan results, including detailed findings, CVSS scores, remediation status, and timelines. The portal also includes our vulnerability management policy, which commits to remediating critical vulnerabilities within 15 days, high within 30 days, medium within 60 days, and low within 90 days. We can also schedule quarterly security review meetings to discuss scan findings and remediation efforts if desired.

Example Response 3

No, we do not provide direct access to our vulnerability scan results. As a multi-tenant SaaS provider serving hundreds of customers, we maintain a strict policy of not sharing internal security testing documentation with individual clients to protect our overall security posture. However, we understand the need for security assurance and instead provide SOC 2 Type II reports annually, which include independent auditor attestation of our vulnerability management practices. We also maintain ISO 27001 certification and can provide the Statement of Applicability showing our vulnerability management controls. For specific security concerns, our CISO office can arrange executive-level security briefings to discuss our security program in general terms without revealing specific vulnerabilities that could create risk if disclosed.

Context

Tab: Infrastructure
Category: Vulnerability Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub