Vulnerability Reporting Policy

Vulnerability Assessments, at Support Nerds Inc., are necessary to manage the increasing number of threats, risks, and responsibilities.

Vulnerabilities are not only internal and external but there are also additional responsibilities and costs associated with ensuring compliance with laws and rules while retaining business continuity and safety of Support Ners Inc. and member data.

The purpose of this policy is to establish standards for periodic vulnerability assessments. This policy reflects Support Nerds Inc.’s commitment to identify and implement security controls, which will keep risks to information system resources at reasonable and appropriate levels.

This policy covers all computer and communication devices owned or operated by Support Nerds Inc. This policy also covers any computer and communications device that is present on Support Nerds Inc. premises, but which may not be owned or operated by Support Nerds Inc. Denial of Service testing or activities will not be performed.

The operating system or environment for all information system resources must undergo a regular vulnerability assessment. This standard will empower the IT Department to perform periodic security risk assessments for determining the area of vulnerabilities and to initiate appropriate remediation. All employees are expected to cooperate fully with any risk assessment.

Vulnerabilities to the operating system or environment for information system resources must be identified and corrected to minimize the risks associated with them.

Audits may be conducted to:

• Ensure integrity, confidentiality, and availability of information and resources
• Investigate possible security incidents and to ensure conformance to Support Nerds Inc.’s security policies
• Monitor user or system activity where appropriate

To ensure these vulnerabilities are adequately addressed, the operating system or environment for all information system resources must undergo an authenticated vulnerability assessment.

The frequency of these vulnerability assessments will be dependent on the operating system or environment, the information system resource classification, and the data classification of the data associated with the information system resource.

Retesting will be performed to ensure the vulnerabilities have been corrected. An authenticated scan will be performed by either a Third-Party vendor or using an in-house product.

All data collected and/or used as part of the Vulnerability Assessment Process and related procedures will be formally documented and securely maintained.

IT leadership will make vulnerability scan reports and on-going correction or mitigation progress to senior management for consideration and reporting to the Board of Directors.