Vulnerability Management

 Vulnerability Management includes the provision of both regularly scheduled automated vulnerability scans of systems handling sensitive County Data (i.e., electronic Protected Health Information and Cardholder Data) and ad-hoc scan reports as requested.

  • What are the features provided by this service?
    •  Provision of vulnerability scans on workstations, servers, network equipment, and appliances.
    • Provision of scans for systems in scope of compliance requirements.
    • Provision of scans for systems not in scope of compliance requirements.
    • Response to, and mitigation of, identified vulnerabilities found on systems fully administered by County ITS.
    • Recommendation of mitigation steps to be taken for systems managed by third-party providers.
    • Ongoing monitoring of the vulnerability and risk position of scanned systems.
  • How do I request or access this service?
  • What are the requirements/pre-requisites for this service?
    • For systems requiring only scanning and reporting (administered by the entity):
      •     Provision of the system listing
      •     Responsible entity personnel identified
      •     Funding of the scanning license purchase
    • For systems requiring management by ITS:
      •     Provision of the system listing
      •     Responsible entity personnel identified
      •     Funding of the scanning license purchase
      •     Potential for additional expense based upon the time, effort, and material or software required to eliminate the vulnerability.
      •     Support with any third-party vendors who may also support the system.
  • What is the turnaround time for service delivery?
    • This is dependent upon the specific requirements and complexity of the request.
  • What are the responsibilities of the customer?
    • In the event that an entity maintains some of its own systems, or has administrative control of systems managed by ITS, ITS requires the business requirements document, including the scope of the vulnerability management and the systems on which it is expected.
    • Designated department contact and project management resource.
    • Entity response support if available.
    • Participation in the vulnerability management process and good faith efforts to resolve identified issues.
  • When is this service available?
    • Available for all PCI DSS in-scope systems. Soon to be available for all HIPAA in-scope systems. Available for all systems identified by the entity as requiring vulnerability management and for which licenses are purchased by the entity.
  • What is the usual response time for this service?
    • Dependent upon the nature of the request.
  • How do I get help with this service?
  • Who is the support owner for this service?
    • N/A.
  • What are the support hours for this service?
    • 8:00am-4:30pm, Monday-Friday
  • What is the cost for this service?
    • Costs may be incurred based upon the scope of the implementation and any additional software required.
  • Does this service require cost approval?
    • Depending on the amount, approvals could be required by either department administration or the IT Steering Committee.
  • What is the cost approval process?
    • Handled by IT Steering Committee and Department Heads.