What is the process for vulnerability management?

Qualys Cloud Agent and Amazon Inspector are installed on all EC2 VM instances. Vulnerability scans run continuously via Qualys Cloud Agent. These scans are formally reviewed at least weekly by the Information Security team and include web application scanning in combination with OS-level scans. The Qualys Cloud Agent solution is implemented across the Orgvue organization, including the Orgvue AWS, corporate server and workstation environments, providing near real-time vulnerability information.

Container vulnerability management is implemented at build time via JFrog Xray. AWS ECR image scanning runs daily, providing static scanning for container images.

On what timeline are security updates and patches applied?

Operating system security updates are applied within two weeks of vendor release and are rolled out consistently throughout the Orgvue server environment through an automated build process.

Are penetration tests completed for Orgvue?

Orgvue completes web application penetration testing of Orgvue at least annually, using independent CREST-accredited resources. The executive summary reports of these tests are available to customers on request.