Critical security patches are applied within 30 days from testing and all security patches are applied within 90 days after testing.</p>17.6 Intrusion Detection and Vulnerability Scanning<ol> <li> <p>Production systems are monitored using IDS systems. Suspicious activity is logged, and alerts are generated.</p> </li> <li> <p>Vulnerability scanning of Production Systems must occur on a predetermined, regular basis, no less than annually.