Vulnerability Assessment and Configuration Audit

• Vulnerability Assessment and Configuration Audit Scope

• Perform scheduled and on-demand VA & CA scans across servers, endpoints, databases, applications, and network devices

. • Identify all configuration items (CIs), maintain updated inventory, and document configuration baselines and version histories.

• Conduct authenticated and unauthenticated scans using approved tools. Analyse results, validate findings, and eliminate false positives and reporting to respective stakeholders

• Prioritize vulnerabilities based on CVSS score, asset criticality, exploitability, and threat intelligence. Coordinate with application/infra teams for remediation. Track patching and configuration changes under SLAs.

• Provide weekly/monthly reports, dashboards, and trends. Highlight SLA breaches, open vulnerabilities, and risk areas.

• Support internal, external, and regulatory audits (RBI, CERT-In, PCI-DSS, ISO 27001) by providing evidence, gap remediation, and required documentation.

• Contribute to policy enforcement and ensure adherence to security standards and mandates.

• Keep VA/CA solutions updated (minimum N-1 version), stay current with latest tool versions, migration, definitions, and notify Bank VA Manager of new features.

• Provide remote/off-hours/holiday support as needed. Ensure availability of backup resource and promptly raise tool/vendor issues when required

• Backup analyst must be available during unavailability of primary resource to ensure business continuity • Perform Configuration Audit as per the scope defined by SPOC.

• Raise case with Tenable whenever required. Coordination with Tenable support for technical issue. • Creation of SOP for Tenable SC 12 Onsite (Mumbai) Administration following Deliverable (Remote Support) • SCD's preparation/Creation for operating systems, Network Devices, Load balancer, Middleware, firewalls, AD, WAF, NAC, Proxy, DAM and others

• Admin Level support for the tool

• Vulnerabilities and the risk matrix based on exploitability and impact

• Support for KRI submissions on quarterly or monthly basis

• Interaction with various stakeholders for patching, authentication