Monitor for new vulnerabilities.

CONTROL ID
06843
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is advisable that the latest information about vulnerabilities in the OS and/or web applications and smart-device applications be kept track of. (P20.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • While implementing ISO 27001 and aspects from other relevant standards, banks should be wary of a routine checklist kind of mindset but ensure that the security management is dynamic in nature through proactively scanning the environment for new threats and suitably attuned to the changing milieu. (Critical components of information security 27) (e), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The procedures for maintaining awareness of current software vulnerabilities in order to manage the security and functionality of System Software should be included in the Standard Operating Procedures for the information technology security officer. (Control: 0790 Table Row "System maintenance", Australian Government Information Security Manual: Controls)
  • The organization should monitor for new or updated vulnerabilities in the Operating System, software, devices, and other elements which may adversely impact security as part of the vulnerability management strategy. (Control: 1163 Bullet 4, Australian Government Information Security Manual: Controls)
  • The organization should monitor sources for information about security patches and new vulnerabilities. (Control: 0297, Australian Government Information Security Manual: Controls)
  • Manufacturers should continually monitor for, identify and rectify security vulnerabilities within products and services they sell, produce, have produced and services they operate during the defined support period. (Provision 5.2-3, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • monitoring and analysing cyber threats, vulnerabilities and incidents at national level and, upon request, providing assistance to essential and important entities concerned regarding real-time or near real-time monitoring of their network and information systems; (Article 11 3 ¶ 1(a), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • How are APIs and web services protected from vulnerabilities? (Appendix D, Maintain a Vulnerability Management Program Bullet 4, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How are all variations of VM images (including inactive VMs) scanned for vulnerabilities? (Appendix D, Regularly Monitor and Test Networks Bullet 8, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Examine the policies and procedures to verify there are defined processes for identifying new security vulnerabilities. (Testing Procedures § 6.1.a Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview responsible personnel and observe processes to verify new security vulnerabilities are identified. (Testing Procedures § 6.1.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • A process, that uses reputable outside sources for security vulnerability information, must be established to identify security vulnerabilities and assign the new vulnerabilities a risk rating. (PCI DSS Requirements § 6.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Implement a methodology for penetration testing that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network … (11.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability… (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • For public-facing web applications, are new threats and vulnerabilities addressed on an ongoing basis, and are these applications protected against known attacks by applying either of the following methods? - Reviewing public-facing web applications via manual or automated application vulnerability … (6.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Does the penetration-testing methodology include the following? - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical systems - Includes testing from both inside and outside the network - Includes te… (11.3, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine penetration-testing methodology and interview responsible personnel to verify a methodology is implemented that includes the following: - Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115) - Includes coverage for the entire CDE perimeter and critical s… (11.3, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by reviewing content to ensure that vulnerabilities have not been introduced by scripts or 'hidden' form fields. (CF.04.02.03d-3, The Standard of Good Practice for Information Security)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by reviewing content to ensure that vulnerabilities have not been introduced by scripts or 'hidden' form fields. (CF.04.02.03d-3, The Standard of Good Practice for Information Security, 2013)
  • The system and software vulnerability management process should be supported by performing vulnerability scans of business applications, information systems and network devices to help identify system and software vulnerabilities that are present in business applications, information systems and net… (CF.10.01.05a, The Standard of Good Practice for Information Security, 2013)
  • The system and software vulnerability management process should be supported by performing vulnerability scans of business applications, information systems and network devices to help determine the extent to which business applications, information systems and network devices are exposed to threats… (CF.10.01.05b, The Standard of Good Practice for Information Security, 2013)
  • The system and software vulnerability management process should be supported by performing vulnerability scans of business applications, information systems, and network devices to help prioritize the remediation of vulnerabilities (e.g., using the vendor's patch release schedule). (CF.10.01.05c, The Standard of Good Practice for Information Security, 2013)
  • The system and software vulnerability management process should be supported by performing vulnerability scans of business applications, information systems, and network devices to help provide a high-level view of vulnerabilities across the organization's technical infrastructure (e.g., to make com… (CF.10.01.05d, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed (physical and virtual) applications and infrastructure network and system components, applying a risk-b… (TVM-02, Cloud Controls Matrix, v3.0)
  • To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. (CC7.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. (CC7.1, Trust Services Criteria)
  • To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. (CC7.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Vulnerabilities of system components to [insert the principle(s)addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] breaches and incidents due to malicious acts, natural disasters, or errors are identified, monitored, an… (CC6.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. (SA.4.171, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Establish and maintain a cyber threat hunting capability to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls. (SA.4.171, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The agency shall identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws. (§ 5.10.4.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The agency shall identify applications, services, and information systems containing software or components affected by recently announced software flaws and potential vulnerabilities resulting from those flaws. (§ 5.10.4.1 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Threat information is used to monitor threats and vulnerabilities. (Domain 2: Assessment Factor: Threat Intelligence, THREAT INTELLIGENCE AND INFORMATION Baseline 1 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Monitoring for vulnerabilities of the open source software employed by the entity. (App A Objective 13:6g Bullet 2 Sub-Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management establishes procedures to stay abreast of system vulnerabilities and software vendor patches, tests patches in a segregated environment, and installs them when appropriate. Additionally, determine the effectiveness of the following: (App A Objective 15:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the institution has risk monitoring and reporting processes that address changing threat conditions in both the institution and the greater financial industry. Determine whether these processes address information security events faced by the institution, the effectiveness of manag… (App A Objective 7.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A process to adequately identify and monitor relevant external threats and vulnerabilities. (App A Objective 13:7 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Monitoring containers for vulnerabilities and updating or replacing containers when appropriate. (Risk Management Audit and Controls Assessment Bullet 3 Sub-bullet 2 Sub-sub-bullet 5, FFIEC Security in a Cloud Computing Environment)
  • Monitor and scan for vulnerabilities in the system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., FedRAMP Security Controls High Baseline, Version 5)
  • Monitor and scan for vulnerabilities in the system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., FedRAMP Security Controls Low Baseline, Version 5)
  • Monitor and scan for vulnerabilities in the system and hosted applications [FedRAMP Assignment: monthly operating system/infrastructure; monthly web applications (including APIs) and databases] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Threat and vulnerability information is received from information sharing forums and sources. (ID.RA-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Systems can also be analyzed to identify sources of fragility or brittleness. While identification of single points of failure is a result of the analysis methods mentioned above, network analysis or graph analysis (i.e., analysis of which system elements are connected, how and how tightly the syste… (3.2.3.1 ¶ 3, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • The container runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Com… (4.4.1 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • The organization must monitor and evaluate the smart grid Information System on a defined frequency to identify any vulnerabilities that might affect the system security. (SG.RA-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; (RA-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 1, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • are promptly informed of new security vulnerabilities by having a monitoring process in place; and (§ 500.5 Vulnerability Management (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)