196 Vulnerability ManageMent
Microsoft vulnerabilities within seven days of announcement. It is not
common for VM providers to supply such a restrictive SLA because
there is no way to determine how much time and effort will be required
to address a particular vulnerability that is reported at random with
unknown severity. It is, therefore, more practical to provide an SLA
committing to resolving a false positive within 30 days of reporting, or
accepting a trouble ticket at the service desk within 24 hours.
6.4.4.2 Capacity Management When managing capacity of the VM
system, there needs to be some continuous monitoring of the number
of IP addresses that are analyzed for vulnerabilities and the amount
of time required to perform that analysis. ...