...

Vulnerability identification includes scanning all critical systems and a representative cluster member weekly. Two types of scans are used: perimeter scans and authenticated scans. Perimeter scans probe the services without logging in (from non-NCSA IP addresses when possible, from local appliances when not). Authenticated scans are performed from local appliances that authenticate to the systems using restricted non-root privileged accounts, which query the system for information such as kernel and installed package versions. A continuously updated vulnerability analysis tool uses this information to generate reports for consumption by both systems administrators and security team members.

...

Urgent patches may be prompted by a critical security vulnerability (see Understanding Severities in the SECURITY JIRA Queue) that cannot be mitigated, or by an issue that destabilizes the system or a subcomponent. After the update, a full vulnerability scan is run for confirmation.

When possible, these are done as a rolling update to avoid complete system outages, but an entire unplanned outage may be required. In these cases customers are promptly notified of the plan, and the outage will be posted on the NCSA service status page unless further discretion is required by the customer.

...