Managed Vulnerability Service – On prem.
Services Description. Managed Vulnerability Service is an eSentire managed service which delivers vulnerability reports and vulnerability trending on a predetermined periodic basis, including the following capabilities (the “MVS On Prem”):
- Vulnerability Scanning. Vulnerability scanning delivers vulnerability reports and vulnerability trending on a predetermined periodic basis (for example, weekly for external scans and monthly for internal scans) to determine Client’s vulnerability posture and allow Client to guide network/system configuration and controls.
- Vulnerability Reporting. Various reports for external and internal findings are sent by eSentire to Client following each scan.
- Monthly Review. Client may request once per month a one (1) hour review of the findings of the scans with an eSentire Information Security Consultant.
- Ad-Hoc Vulnerability Scanning. Client may request up to four (4) remediation scans within one (1) calendar month and up to four (4) net new asset scans in one (1) calendar month.
- This engagement includes weekly external scanning and monthly internal scanning, the quantity of IP Addresses (including cloud-hosted and on-premise assets) set out in the applicable Order Form and which have been provided to eSentire by Client.
Sensors. eSentire may provide at least one physical or virtual security appliance (a “Sensor”) as specified on the applicable Order Form and to the extent required to provide to Client the MVS On Prem.
eSentire will configure and remotely manage the Sensor and its embedded software for all devices as part of the MVS On Prem. Client may only access the configuration of such Sensor with eSentire’s prior written authorization. eSentire shall only access the configuration of other network devices connected to the Sensor with Client’s authorization, and shall do so through an encrypted and secure means.
Client Responsibilities. Client is responsible for:
- Any and all data and systems which Client grants access to for receipt of the MVS On Prem;
- Obtaining all necessary licenses, permissions and consents to enable eSentire to access the Client’s network and servers in order to provide the MVS On Prem;
- Designating a Project Coordinator to work directly with and serve as the primary Client contact with eSentire for the duration of Client receiving the MVS On Prem;
- Providing eSentire a complete copy of its security (including privacy) policies, as available. Client is solely responsible for the creation, maintenance and enforcement of its security policies to protect the security of Client Data and Systems;
- Its choice of equipment, systems, software and online content;
- Providing the necessary resources, information, documentation and access to personnel, equipment, systems and scanning schedules, as reasonably required by eSentire, to allow eSentire to perform the MVS On Prem;
- Notifying eSentire of any change or contemplated change to its network in advance of Client effecting such change;
- Complying with all applicable local, state, provincial, federal and foreign laws in using the MVS On Prem and any provided tools used in conjunction with MVS On Prem including but not limited to the vulnerability scan-management and reporting platform portal;
- Advising eSentire of network and IP/endpoint range changes to scope. Please note that material changes to the IP/endpoint count including overages that are greater than a five percent (5%) increase to the contracted scope in any sustained manner greated that three (3) days may incur additional costs at the then-current contract rate and shall be calculated by eSentire and billed to Client minus any newly applicable volume discount;
In the event Client fails to perform its obligations in the time and manner specified or contemplated above, or should any assumption outlined herein with respect to the MVS On Prem Services fail to be valid or accurate, then eSentire will not be responsible for any related delay or damages. In the event that Client fails to notify eSentire of network changes as contemplated in above, then eSentire shall be released from any and all obligations to scan the Client’s network until Client has notified eSentire of such change.
Exclusions. The MVS On Prem excludes the following:
- The design, creation, maintenance and enforcement of a security policy for Client; and
- eSentire attempting to access Client’s servers without Client’s express written or verbal consent.