Perform vulnerability testing before final installation.


CONTROL ID: 00884
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A security vulnerability assessment should be performed prior to the system being used. (§ 3.7.31, Australian Government ICT Security Manual (ACSI 33))
  • (§ X, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If network or application modifications are made to the production environment, additional scans may be required to ensure that new vulnerabilities are not introduced into the infrastructure. (¶ 3 Scanning Procedures, PCI DSS Security Scanning Procedures, Version 1.1)
  • § 3.2.6.1 (MED0130: CAT II) The Information Assurance Officer, for all networked medical devices, prior to their connection to the production medical device network, will ensure vulnerability scans are performed. § 3.2.6.1 (MED0140: CAT II) The Information Assurance Officer, for all vulnerabilities… (§ 3.2.6.1 (MED0130: CAT II), § 3.2.6.1 (MED0140: CAT II), § 6.1.1 (MED0590: CAT II), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • (AC-3.2(C), SS-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 3.4.5.3 Figure 2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • (§ 5.2, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41, January 2002)