Is a CR required when a Vulnerability scan is performed?

[icmicke]

Hi,

My understanding is that a Vulnerability Assessment / scan will only try to login to the system but no major changes will be initiated.
Do we need to get a CR raised in operations if the security team is about to perform a VA check?

Many Thanks,
I

[itguy27]

My rule of thumb is that a CR should happen anytime that you are trying to minimize disruptions to IT or business operations. If the VA could cause a disruption either through process or communication then I definitely would do it. It helps to standardize the procedure and get people thinking about it.

Cheers

[UKVIKING]

I disagree with the previous post - but not to a high degree

I agree that there may be business impact to the business, customers and users.. Therefore, there has to be a means to 'announce' that.
1 - If the scan is done dutring a defined maintenance window - then the impact is lessened to a degree as the customers and users know that this period is one of potential impact.
2 - The scope of the vulnerability also will define that

However, while we want to tell the customer and track this a change request may not be the best method - however, it may be the onlymethod until the change manager and the tool people come up with something else

What we have is a Release Review meeting where upcomng BAU, softwrae releases, and infrastructure maintenance are discussed before they come to the CAB. It ems like like are merely FYI to the CB and are handled in the RRM