Vulnerability and Patch Management
The Vulnerability Management Program performs vulnerability scans on network,
applications, and operating system layers and follows industry best practices. This program
includes third-party vulnerability scanning and penetration testing. Results of
vulnerability scans are not shared with customers as they do not participate in the
vulnerability management program of the service. Because the results are not shared, it
ensures confidentiality, integrity, and availability of the hosted VMware services.
Vulnerability scans are reviewed during the annual audit and assessment program.
VMware analyzes the severity and impact of potential vulnerabilities, and upgrades all
network, utility, and security equipment. VMware subscribes to vendor security and
bug-tracking notification services. Remediation efforts are prioritized and applied
against critical and high-risk issues. Critical patches are installed on time and
non-critical patches are included in the pre-defined patch schedule and applied within
reasonable timeframes. Changes are made according to industry best practices.
The QA department completes patch testing and rollback procedures and ensures
compatibility with and minimal impact to the
production environment. Third-party auditors perform reviews of the vulnerability and
patch management process according to industry standards, including ISO 27001. VMware
furnishes audit reports under an NDA.