Is a CR required when a Vulnerability scan is performed?

General discussion on all aspects of the IT Infrastructure Library (ITIL)
Posts: 1
Joined: Wed Oct 24, 2018 5:00 am

Wed Oct 24, 2018 5:16 am


My understanding is that a Vulnerability Assessment / scan will only try to log in to the system, but no major changes will be initiated.
Do we need to get a CR raised in operations if the security team is about to perform a VA check?

Many Thanks,

Posts: 3
Joined: Sun Oct 21, 2018 1:19 pm

Thu Oct 25, 2018 8:33 am

My rule of thumb is that a CR should happen anytime that you are trying to minimize disruptions to IT or business operations. If the VA could cause a disruption either through process or communication then I definitely would do it. It helps to standardize the procedure and get people thinking about it.

ITIL Expert
Posts: 3639
Joined: Fri Sep 15, 2006 8:00 pm
Location: London, UK

Fri Oct 26, 2018 4:37 am

I disagree with the previous post, but not to a high degree.

I agree that there may be impact to the business, customers and users. Therefore, there has to be a means to 'announce' that.
1 - If the scan is done during a defined maintenance window, then the impact is lessened to a degree, as the customers and users know that this period is one of potential impact.
2 - The scope of the vulnerability will also define that.

However, while we want to tell the customer and track this, a change request may not be the best method. It may, however, be the only method until the change manager and the tool people come up with something else.

What we have is a Release Review meeting where upcoming BAU, software releases, and infrastructure maintenance are discussed before they come to the CAB. It seems like they are merely FYI to the CAB and are handled in the RRM.
John Hardesty
ITSM Manager's Certificate (Red Badge)

Change Management is POWER & CONTROL. /....evil laughter