Recommend mitigation techniques based on penetration test results.


CONTROL ID
04881
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • any recommended remediation actions. (Security Control: 1563; Revision: 0; Bullet 5, Australian Government Information Security Manual, March 2021)
  • The cloud provider has penetration tests performed by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to documented test methods and include the infrastructure components defined to be critical to the secure operation o… (Section 5.6 RB-18 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Is there a timetable for acting on the penetration testing results? (Table Row X.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience. (RS.IM-1.2, CRI Profile, v1.2)
  • The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience. (RS.IM-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Business owners, in coordination with developers/maintainers, must oversee the development and completion of the plan of action and milestones (POA&Ms) for vulnerabilities that are identified during the annual testing. (§ 3.5.1 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • 3.2.6.1 (MED0140: CAT II) The Information Assurance Officer, for all vulnerabilities discovered by scans, prior to connection to the medical device network, will ensure manufacturer remediates vulnerabilities to the extent possible. § 3.2.6.2 (MED0180: CAT III) The Information Assurance Officer, in… (§ 3.2.6.1 (MED0140: CAT II), § 3.2.6.2 (MED0180: CAT III), § 3.2.6.2 (MED0190: CAT III), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • Did management take corrective action on the recommendations from the penetration test results after a major system update? (IT - Firewalls Q 31b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Did management take timely action to address weaknesses that were identified in the penetration test report? (IT - Pen Test Review Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Document findings, remediation options and recommendations, and remediation decisions after the security evaluation. (§ 4.8.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Recommend computing environment vulnerability corrections. (T0292, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Recommend computing environment vulnerability corrections. (T0292, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. (CA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates existing plan of action and milestones {organizationally documented frequency} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes {organizationally documented corrective actions}. (RA-5(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to deliver the outputs of the tools and results of the analysis to {organizationally documented personnel}. (SA-15(7)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to deliver the outputs of the tools and results of the analysis to {organizationally documented roles}. (SA-15(7)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. (CA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates existing plan of action and milestones {organizationally documented frequency} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes {organizationally documented corrective actions}. (RA-5(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. (CA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates existing plan of action and milestones {organizationally documented frequency} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a plan of action and milestones for the information system to document the organization's planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system. (CA-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates existing plan of action and milestones {organizationally documented frequency} based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Senior management must analyze the independent review results, take appropriate actions, and report the results to the Board of Directors. ("Senior Bank Management" Bullet 8, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)