Report on the average time elapsed between vulnerability or weakness discovery and implementation of corrective action.

UCF ID: 02140
Control Type: Actionable Reports or measurements
Status: Live
Metric guidance

Calculation: The calculation for this metric is the date the vulnerability or weakness was corrected minus the date of its discovery, which gives the elapsed time (in days) for each item; the metric reports the average of those elapsed times over the items closed in the reporting period.

Calculation source: The authority document source of information is NIST 800-55, Critical Element 2.2. The following formula was used: the number of weaknesses closed within 30 days, 60 days, 90 days, 180 days, and 1 year, each divided by the total number of weaknesses closed in the last year, for each business unit (or the organization as a whole). Because the windows are cumulative, each window's share is at least as large as the previous one's.

The Common Control IDs associated with this metric are as follows:

    Prioritize and select safeguards based on the risk assessment findings. [UCF Control ID 00707]
    Establish and maintain a risk action plan based on the risk assessment findings. [UCF Control ID 00705]

Supporting and supported controls

This control directly supports:

    Establish and maintain an incident management and vulnerability detection and response management metrics program. [UCF Control ID 02085]

There are no supporting controls.

Authority documents complied with:

Performance Measurement Guide for Information Security, NIST 800-55, Revision 1, App A Measure 16

NIST Guidance

The calculation for this metric should be stated as the # of vulnerabilities corrected / # of vulnerabilities identified during vulnerability scans. Use the total number of vulnerabilities discovered during the vulnerability scans for each business unit (or the organization as a whole) as the base number (the denominator), and divide the number of vulnerabilities that were corrected within the specified time period by that base. [App A Measure 16, Performance Measurement Guide for Information Security, NIST 800-55, Revision 1]
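The following is an added worked example, not code from UCF or NIST, that computes all three figures described above from a set of finding records: the average time to correct (corrected date minus discovery date), the UCF closure distribution across the 30/60/90/180/365-day windows, and the NIST Measure 16 ratio of vulnerabilities corrected within a window to vulnerabilities identified in the reporting year. The finding records, the business unit names and the reporting date are constructed sample data; the record layout (unit, discovered, corrected) is an assumption, not a format the page specifies. Note the practitioner caveat it makes visible: the average and the closure distribution only count items that were actually closed, so a growing backlog of open findings does not show up in them at all, whereas the Measure 16 ratio keeps open findings in the denominator.

```python
from datetime import date, timedelta
from statistics import mean

# Constructed sample findings (hypothetical, not from the page).
# corrected=None means the finding is still open.
FINDINGS = [
    {"id": "F-1", "unit": "Finance", "discovered": date(2009, 1, 5),  "corrected": date(2009, 1, 20)},
    {"id": "F-2", "unit": "Finance", "discovered": date(2009, 2, 10), "corrected": date(2009, 4, 1)},
    {"id": "F-3", "unit": "Finance", "discovered": date(2009, 3, 1),  "corrected": None},
    {"id": "O-1", "unit": "Ops",     "discovered": date(2009, 5, 15), "corrected": date(2009, 6, 20)},
    {"id": "O-2", "unit": "Ops",     "discovered": date(2009, 6, 1),  "corrected": date(2009, 11, 28)},
    {"id": "O-3", "unit": "Ops",     "discovered": date(2008, 6, 1),  "corrected": date(2008, 12, 15)},
    {"id": "F-4", "unit": "Finance", "discovered": date(2009, 7, 4),  "corrected": date(2009, 7, 10)},
]

# The UCF calculation source's windows: 30, 60, 90, 180 days and 1 year.
WINDOWS_DAYS = (30, 60, 90, 180, 365)


def days_to_correct(finding):
    """Elapsed days from discovery to correction (a difference, not a sum); None while open."""
    if finding["corrected"] is None:
        return None
    return (finding["corrected"] - finding["discovered"]).days


def _select(findings, unit):
    """Restrict to one business unit, or the whole organization when unit is None."""
    return [f for f in findings if unit is None or f["unit"] == unit]


def closed_in_last_year(findings, as_of, unit=None):
    """Findings whose correction date falls in the 365 days ending at as_of."""
    start = as_of - timedelta(days=365)
    return [f for f in _select(findings, unit)
            if f["corrected"] is not None and start < f["corrected"] <= as_of]


def average_time_to_correct(findings, as_of, unit=None):
    """The metric itself: mean elapsed days over findings closed in the last year.
    Open findings are excluded, so a backlog is invisible here (see remediation_ratio)."""
    closed = closed_in_last_year(findings, as_of, unit)
    if not closed:
        return None
    return mean(days_to_correct(f) for f in closed)


def closure_distribution(findings, as_of, unit=None):
    """UCF calculation source: share of last year's closed findings that were closed
    within each window. Cumulative, so each share is >= the previous window's."""
    closed = closed_in_last_year(findings, as_of, unit)
    if not closed:
        return {w: None for w in WINDOWS_DAYS}
    return {w: sum(1 for f in closed if days_to_correct(f) <= w) / len(closed)
            for w in WINDOWS_DAYS}


def remediation_ratio(findings, as_of, window_days, unit=None):
    """NIST SP 800-55 Rev.1 App A Measure 16: findings corrected within window_days
    divided by findings identified in the reporting year. Open findings stay in the
    denominator, which is what makes this ratio sensitive to an unremediated backlog."""
    start = as_of - timedelta(days=365)
    identified = [f for f in _select(findings, unit) if start < f["discovered"] <= as_of]
    if not identified:
        return None
    corrected = [f for f in identified
                 if f["corrected"] is not None and f["corrected"] <= as_of
                 and days_to_correct(f) <= window_days]
    return len(corrected) / len(identified)


if __name__ == "__main__":
    as_of = date(2009, 12, 31)
    for unit in (None, "Finance", "Ops"):
        label = unit or "Organization"
        print(f"{label}: avg days to correct = {average_time_to_correct(FINDINGS, as_of, unit)}")
        print(f"  closed within window: {closure_distribution(FINDINGS, as_of, unit)}")
        print(f"  Measure 16 (90 days): {remediation_ratio(FINDINGS, as_of, 90, unit)}")
```

Run as a script to print the per-unit and organization-wide figures for the constructed data. Finding O-3 is deliberately closed before the reporting year and F-3 is deliberately left open: the first is excluded from every figure, while the second lowers the Measure 16 ratio for Finance but leaves its average time to correct untouched.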


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.