Vulnerability identification

Status: Live

The organization will maintain a process to identify newly discovered security vulnerabilities and update the protection framework to address them. [UCF ID 00700]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

    FFIEC IT Examination Handbook – Information Security, Pg 12, Exam Tier I Obj 1.4, Exam Tier I Obj 6.9, Exam Tier II Obj M.22
    FFIEC IT Examination Handbook – Management, Exam Obj 5.2
    Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 6.2.b
    Army Regulation 380-19: Information Systems Security, February 27, 1998, § 1-5.a(1), § 5-3.c
    Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27, § 27.230(a)(14)
    FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security, § 3.3
    Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1
    Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process
    The Standard of Good Practice for Information Security, SM2.2.4(d), SM3.4.4(d), SM3.4.4(e), CB5.3.3(c), CB5.3.3(d), CI5.4.4(c), CI5.4.4(d), NW4.4.4(c), NW4.4.4(d), SD3.5.4(c), SD3.5.4(d)
    Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition, Ch 5.4.3.1
    ISO 17799:2005 Code of Practice for Information Security Management, § 6.2.1
    ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.1(d)
    ISO/IEC 27002-2005 Code of practice for information security management, § 6.2.1
    Australian Government ICT Security Manual (ACSI 33), § 3.5.14, § 3.7.29
    Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 6.2(b)
    Archer Control Table, ATCS-845
    Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 7.1

Banking and Finance Guidance

The organization should assess the potential vulnerabilities to the systems. The risk assessment should consider the risk to the organization for the time the vulnerability exists, even if it is just a short time. [Pg 12, Exam Tier I Obj 1.4, Exam Tier I Obj 6.9, Exam Tier II Obj M.22, FFIEC IT Examination Handbook – Information Security]

[Exam Obj 5.2, FFIEC IT Examination Handbook – Management]

Payment Card Guidance

The organization must develop procedures for identifying newly discovered vulnerabilities, such as subscribing to alert services.
Verify a process has been implemented to continuously identify new vulnerabilities to the system, including from resources outside the organization.
Interview security personnel to ensure new vulnerabilities are identified.
[§ 6.2.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

The organization must develop procedures for identifying newly discovered vulnerabilities, such as subscribing to alert services. [§ 6.2(b), Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

Procedures should be in place to identify new security vulnerabilities via security information sources, such as security alert services, that can be subscribed to free over the Internet. These procedures should be applied to all software that comes with the payment application. [§ 7.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

The measures implemented to meet the system objectives should be commensurate with the relative vulnerabilities to the system. Vulnerabilities should be identified for each specific threat. Factors to consider when identifying the vulnerabilities include geographic location, data classification, operational criticality, and the sensitivity of the data. Vulnerabilities identified and not corrected should be identified in future risk assessments. [§ 1-5.a(1), § 5-3.c, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The facility must address all the specific risks for its location that are identified by the Assistant Secretary. [§ 27.230(a)(14), Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security, 6 CFR Part 27]

[§ 3.3, FIPS 191, Guideline for the Analysis of Local Area Network (LAN) Security]

NIST Guidance

A vulnerability analysis, a safeguard analysis, a likelihood assessment, threat identification, and a consequence assessment are all called for. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]

ISO Guidance

Before granting access to a third party, risks should be identified and controls should be implemented. The identification of vulnerabilities should take into account the following: the type of access and what information the third party is accessing; the value of the information; the controls used by the third party; procedures to deal with security incidents; measures being used to identify third-party personnel who have access; and legal requirements. [§ 6.2.1, ISO 17799:2005 Code of Practice for Information Security Management]

All vulnerabilities to the system that could be exploited by a threat should be identified. [§ 4.2.1(d), ISO 27001:2005, Information Security Management Systems - Requirements]

Before granting access to a third party, risks should be identified and controls should be implemented. The identification of vulnerabilities should take into account the following: the type of access and what information the third party is accessing; the value of the information; the controls used by the third party; procedures to deal with security incidents; measures being used to identify third-party personnel who have access; and legal requirements. [§ 6.2.1, ISO/IEC 27002-2005 Code of practice for information security management]

General Guidance

It is recommended that, as part of a risk assessment, all threats to critical business processes be identified. This can be done by reviewing the BIA. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

Risk analyses should determine the vulnerabilities to confidentiality, integrity, and availability of systems, networks, and information as well as for systems under development. The information security function should monitor all new and emerging vulnerabilities that could affect the organization. [SM2.2.4(d), SM3.4.4(d), SM3.4.4(e), CB5.3.3(c), CB5.3.3(d), CI5.4.4(c), CI5.4.4(d), NW4.4.4(c), NW4.4.4(d), SD3.5.4(c), SD3.5.4(d), The Standard of Good Practice for Information Security]

[Ch 5.4.3.1, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition]

Asia and Pacific Rim Guidance

Relevant sources should be continuously monitored for security alerts about new vulnerabilities that could affect the organization's systems. [§ 3.5.14, § 3.7.29, Australian Government ICT Security Manual (ACSI 33)]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of systems with critical information assets or functions that have been assessed for vulnerabilities in accordance with policy [UCF Control ID 02128]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.