Critical Patch and Vulnerability Management These questions are designed to ensure your service provider maintains patch and vulnerability management for themselves and for customers. 1. Do you have a documented vulnerability management program? 2. Do you conduct regular vulnerability assessments of your systems and how often? 3. What is the remediation time expected for vulnerabilities identi昀椀ed in your environment? a. Critical b. High 4. Systems patching against critical vulnerability: a. Please describe your device 昀椀rmware and software updating process. b. How often are patches applied and how are patches selected and vetted? c. What is the normal security patch schedule for desktops and servers used to support clients’ services and store clients’ information? d. What kind of maintenance notices are provided when downtime may be required? e. Do you require system restart as needed (post patch application)? f. Do you do post patch validation and smoke testing to ensure functionality and patch application was successful? Questions To Ask Your MSP | 13