Hi,
My understanding is that a Vulnerability Assessment / scan will only try to log in to the system but no major changes will be initiated.
Do we need to get a CR raised in operations if the security team is about to perform a VA check?
Many Thanks,
I
Is a CR required when a Vulnerability scan is performed?
My rule of thumb is that a CR should happen anytime that you are trying to minimize disruptions to IT or business operations. If the VA could cause a disruption either through process or communication then I definitely would do it. It helps to standardize the procedure and get people thinking about it.
Cheers
I disagree with the previous post - but not to a high degree
I agree that there may be business impact to the business, customers and users. Therefore, there has to be a means to 'announce' that.
1 - If the scan is done during a defined maintenance window - then the impact is lessened to a degree as the customers and users know that this period is one of potential impact.
2 - The scope of the vulnerability also will define that.
However, while we want to tell the customer and track this, a change request may not be the best method - however, it may be the only method until the change manager and the tool people come up with something else.
What we have is a Release Review meeting where upcoming BAU, software releases, and infrastructure maintenance are discussed before they come to the CAB. Items like like are merely FYI to the CB and are handled in the RRM
John Hardesty
ITSM Manager's Certificate (Red Badge)
Change Management is POWER & CONTROL. /....evil laughter