The Vendor is required to provide for the implementation of a vulnerability management solution (“VMS”).
- The primary goal of the VMS is to reduce the overall risk to UBC’s information technology infrastructure by addressing potential weaknesses that could be exploited by malicious actors.
- Vulnerabilities can include software bugs, misconfigurations, security holes, and other weaknesses that may be targeted by attackers.
- The VMS helps to identify, evaluate, and prioritize actionable security vulnerabilities in agency servers. Once identified, the VMS provides detailed guidance on how to fix security vulnerabilities.
- It also validates remediation work by giving IT Administrators feedback confirming that they have successfully fixed their vulnerabilities.
- Vulnerability workflows, such as reporting false positives and mitigations, are also a major feature of the service.
- The intent is to explore information on broader exposure management approaches that provide increased visibility across assets, attack surfaces, identities, and configurations.
- Provide greater context into how vulnerabilities, misconfigurations, and external threat factors may intersect; this information will be used to inform future considerations related to more proactive, risk-based decision making and improvements to overall security posture.
- Provide high level information regarding the provision of a Vulnerability Management Solution (VMS) and related services addressing the following areas:
• Vendor Interest and Capability
• Market Offering Overview
• Functional Capabilities
• Non-Functional Capabilities
• Support and Service Model
• Commercial Information (High Level)
• Industry Feedback and Recommendations
• Additional Comments
- Functional Requirements:
• Asset Discovery and Inventory: Inventory of assets, multiple asset types, identify end-of-life operating systems and software, allow tagging by business unit;
• Vulnerability Detection: Detect vulnerabilities using industry-recognized standards, provide validation or evidence for detected vulnerabilities to reduce false positives, support detection of zero-day or emerging threats where intelligence is available;
• Risk Assessment and Prioritization: Provide CVSS-based severity scoring, support risk-based prioritization beyond CVSS, allow the organization to customize the weights of risk scoring models, clearly distinguish between critical, high, medium, and low-risk vulnerabilities;
• Remediation and Workflow Management: Integrate with ITSM tools (e.g., ServiceNow), support exception workflows, provide remediation guidance tailored to application type, track remediation status and SLA performance;
• Reporting and Dashboards: Provide role-based, customizable and scheduled email reports, support compliance-oriented reporting; reports should be exportable in common formats (PDF, CSV, etc.); and
• Integrations and APIs: Integrate with EDR, identity and access management systems, support automation via APIs.