Establish, implement, and maintain a vulnerability assessment program.


CONTROL ID
11636
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a vulnerability management program., CC ID: 15721

This Control has the following implementation support Control(s):
  • Perform vulnerability scans, as necessary., CC ID: 11637
  • Perform vulnerability assessments, as necessary., CC ID: 11828
  • Test the system for unvalidated input., CC ID: 01318
  • Test the system for proper error handling., CC ID: 01324
  • Test the system for insecure data storage., CC ID: 01325
  • Test the system for access control enforcement in all Uniform Resource Locators., CC ID: 06297


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard § II.3(2): The risks that occur inside and outside the organization should be assessed, along with all events that could have a significant impact on financial reporting. Practice Standard § II.2(1)[1]: Entities that are included in consolidated financial statements should be subject to d… (Standard § II.3(2), Practice Standard § II.2(1)[1], Practice Standard § II.3(2)[Assessment items for company-level controls], Practice Standard § II.3(2)[2], Practice Standard § II.3(2)[3], Practice Standard § II.3(3)[5].D.b, Exhibit 1, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The FI should establish a process to conduct regular vulnerability assessment (VA) on their IT systems to identify security vulnerabilities and ensure risk arising from these gaps are addressed in a timely manner. The frequency of VA should be commensurate with the criticality of the IT system and t… (§ 13.1.1, Technology Risk Management Guidelines, January 2021)
  • conducting vulnerability assessments or penetration tests for systems at least annually (Security Control: 1163; Revision: 6; Bullet 2, Australian Government Information Security Manual, March 2021)
  • The organization should develop, implement, and maintain procedures to detect potential security incidents through the use of vulnerability analyses. (§ 2.8.17, § 3.7.29, Australian Government ICT Security Manual (ACSI 33))
  • The CSIRTs may carry out proactive non-intrusive scanning of publicly accessible network and information systems of essential and important entities. Such scanning shall be carried out to detect vulnerable or insecurely configured network and information systems and inform the entities concerned. Su… (Article 11 3 ¶ 2, DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • If the estimated resources for costs and personnel are available, usually a decision must be made on how many resources should be used for implementing the security safeguards. Here, it is reasonable to present the results of the security check to the management level. To make those responsible awar… (§ 9.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The entity has established policies and procedures for identifying, classifying and prioritizing the criticality of its collected PI. The entity also has procedures for evaluating potential vulnerabilities and the risk of unauthorized privacy information access, removal and destruction. The entity h… (M1.3, Privacy Management Framework, Updated March 1, 2020)
  • Who conducts the vulnerability testing? (Table Row VII.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • Interview responsible personnel and examine the software development policies and procedures to verify coding techniques address the "high risk" vulnerabilities that could affect the application. (Testing Procedures § 6.5.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that processes are in place to ensure that applications are not vulnerable to, at a minimum, the following: (§ 6.5.c Testing procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The software development process must address common coding vulnerabilities, to include all of the "high risk" vulnerabilities that were identified in the vulnerability identification process. (PCI DSS Requirements § 6.5.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do external quarterly scan and rescan results satisfy the ASV Program Guide requirements for a passing scan (for example, no vulnerabilities rated 4.0 or higher by the CVSS, and no automatic failures)? (11.2.2 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • When new security vulnerabilities are discovered, all software provided with the payment application should be tested to ensure the vulnerability does not exist on the system. (§ 7.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Do coding techniques address all "high-risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? (PCI DSS Question 6.5.6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do coding techniques address all "high-risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1)? (PCI DSS Question 6.5.6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Continuous monitoring checks data as it is being processed against predetermined criteria and reports any anomalies that it detects. The benefit of this is that discrepancies are identified and acted upon immediately. One problem with continuous monitoring is the huge volume of data and potential er… (§ 10.2.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Continuous control assessment provides insight into the effectiveness of internal control systems, which provides business process managers, financial executives, and risk and compliance officers with timely and independent assurance over the internal controls. Errors and anomalies can be rapidly hi… (§ 5 (Identification of Control Deficiencies) ¶ 2, § 5 (Identification of Control Deficiencies) ¶ 3, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Vulnerability assessment reports should be safeguarded, because they contain sensitive information, and the vulnerability assessment team members should be reminded to protect the information contained in the reports. (Pg 2-II-7, Protection of Assets Manual, ASIS International)
  • A vulnerability analysis should be performed on the system after the cause of the incident has been eradicated. The organization should use both host-based and network-based assessment tools. (Action 4.3.1, SANS Computer Security Incident Handling, Version 2.3.1)
  • The organization should perform continuous vulnerability assessment and remediation. (Critical Control 4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization should use government-approved scanning configuration files for its vulnerability scans. (Critical Control 4.6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. (TVM-09, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually. (TVM-01, Cloud Controls Matrix, v4.0)
  • Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. (CIS Control 7: Safeguard 7.1 Establish and Maintain a Vulnerability Management Process, CIS Controls, V8)
  • Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. (CIS Control 7: Continuous Vulnerability Management, CIS Controls, V8)
  • Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerab… (CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1, CIS Controls, V8)
  • Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity rati… (CIS Control 16: Safeguard 16.6 Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities, CIS Controls, V8)
  • A vulnerability analysis should be performed by the developer and an independent evaluator. The vulnerability analysis document should include the following: a description of the procedures used to determine the ways a user could violate the security policy; the status of identified vulnerabilities;… (§ 19.4, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • A vulnerability analysis should be performed by the developer and an independent evaluator. The vulnerability analysis document should include the following: a description of the procedures used to determine the ways a user could violate the security policy; the status of identified vulnerabilities;… (§ 19.4, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The vulnerability analysis documentation should be examined to ensure all obvious vulnerabilities have been identified, described, and justified as to why they are not exploitable in the environment, and to ensure all obvious vulnerabilities are resistant to obvious penetration attacks. The vulnerab… (§ 11.9.2.4, § 12.10.3.4, § 13.10.3.4, § 13.10.3.6, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. (TC-IM-230a.2. 1, Internet Media & Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. (TC-SI-230a.2. 1, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity shall describe its approach to identifying vulnerabilities in its information systems that pose a data security risk. (TC-TL-230a.2. 1, Telecommunication Services Sustainability Accounting Standard, Version 2018-10)
  • The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness. (RS.AN-5.3, CRI Profile, v1.2)
  • Formatting checklists and test procedures; and (RA-5b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Measuring vulnerability impact; (RA-5b.3., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Formatting checklists and test procedures; and (RA-5b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Measuring vulnerability impact; (RA-5b.3., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Formatting checklists and test procedures; and (RA-5b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Measuring vulnerability impact; (RA-5b.3., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Measuring vulnerability impact; (RA-5b.3., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Formatting checklists and test procedures; and (RA-5b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The audit procedures used by the auditor should be based on the risk of material misstatement. During the testing, the auditor should obtain evidence on the accuracy and completeness of the information produced by the system being used to perform the tests. The number of tests to be performed should… (§ 318.12, § 318.14, § 318.19, § 318.28, § 318.57, § 318.68, § 318.71, SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained)
  • Configuration change management and vulnerability assessments (CIP-010); (B. R1. 1.1 1.1.7., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Configuration change management and vulnerability assessments (CIP-010); (B. R1. 1.1 1.1.7., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • System accreditation is a certification based on how well a system meets the required security requirements and should include the system's perimeter and boundaries. The perimeter is what surrounds the equipment, and the boundary could include remote users or global network users. The accreditation … (§ 3-1.d thru § 3-1.f, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • A comprehensive vulnerability management process must exist that includes identifying and mitigating software vulnerabilities and hardware vulnerabilities. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Interview those responsible for following the vulnerability management policy to ensure it is being used to conduct vulnerability scans. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Ensure that the vulnerability management policy identifies software and hardware vulnerabilities. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Effective vulnerability and patch management processes. (VI.B Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Containers, including the design for storing data outside of the container and implementation of vulnerability management processes, segmentation, and the ability to monitor containers. (App A Objective 12:5c Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With internally developed software, evaluate whether management is responsible for maintaining the software, and entity personnel have the resources and expertise to stay abreast of vulnerabilities and develop software updates and patches. (App A Objective 13:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program i… (App A Objective 15:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has continuous, established routines to identify and assess vulnerabilities. Determine whether management has processes to receive vulnerability information disclosed by external individuals or groups, such as security or vulnerability researchers. (App A Objective 4.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A process to adequately identify and monitor relevant external threats and vulnerabilities. (App A Objective 13:7 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Formatting checklists and test procedures; and (RA-5b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Measuring vulnerability impact; (RA-5b.3. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Formatting checklists and test procedures; and (RA-5b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Measuring vulnerability impact; (RA-5b.3. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Formatting checklists and test procedures; and (RA-5b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Measuring vulnerability impact; (RA-5b.3. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Formatting checklists and test procedures; and (RA-5b.2., FedRAMP Security Controls High Baseline, Version 5)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., FedRAMP Security Controls High Baseline, Version 5)
  • Measuring vulnerability impact; (RA-5b.3., FedRAMP Security Controls High Baseline, Version 5)
  • Formatting checklists and test procedures; and (RA-5b.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Measuring vulnerability impact; (RA-5b.3., FedRAMP Security Controls Low Baseline, Version 5)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Formatting checklists and test procedures; and (RA-5b.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Measuring vulnerability impact; (RA-5b.3., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Do the audit policies and procedures include a security assessment? (IT - Audit Program Q 2e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Formatting checklists and test procedures; and (RA-5b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Measuring vulnerability impact; (RA-5b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Measuring vulnerability impact; (RA-5b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Formatting checklists and test procedures; and (RA-5b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Measuring vulnerability impact; (RA-5b.3., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Formatting checklists and test procedures; and (RA-5b.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Finally, the enterprise will complete the procurement step by releasing a statement of work (SOW), performance work statement (PWS), or statement of objective (SOO) for the release of a request for proposal (RFP) or request for quotes (RFQ). Any bidders responding to the RFP or RFQ should be evaluat… (3.1.2. ¶ 7, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Formatting checklists and test procedures; and (RA-5b.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Measuring vulnerability impact; (RA-5b.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Formatting checklists and test procedures; and (RA-5b.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Measuring vulnerability impact; (RA-5b.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Formatting checklists and test procedures; and (RA-5b.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Measuring vulnerability impact; (RA-5b.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Formatting checklists and test procedures; and (RA-5b.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Measuring vulnerability impact; (RA-5b.3., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct defic… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • A vulnerability management plan is developed and implemented (PR.IP-12, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • A vulnerability management plan is developed and implemented (PR.IP-12, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Organizational records and documents should be examined to ensure security assessments are performed annually; security controls are checked for proper implementation on system startup and restarts; the system is performing its intended operation and producing the desired outcome; the System Adminis… (CA-2, SI-6, SI-6(1), SI-6(2), Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Formatting checklists and test procedures; and (RA-5b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Formatting checklists and test procedures; and (RA-5b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Formatting checklists and test procedures; and (RA-5b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Measuring vulnerability impact; (RA-5b.3. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Measuring vulnerability impact; (RA-5b.3. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Measuring vulnerability impact; (RA-5b.3. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should use automated mechanisms to compare results of vulnerability scans over time to determine system vulnerability trends. (App F § RA-5(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Define the breadth and depth of vulnerability scanning coverage. (RA-5(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Formatting checklists and test procedures; and (RA-5b.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Measuring vulnerability impact; (RA-5b.3., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • If management uses a risk-based approach to testing, key controls do not have to be tested annually. A risk-based approach can be used if controls are stable and there are no known deficiencies. With this approach, the controls should be tested every three years. (Pg 35, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The operating effectiveness of controls should be tested to determine if the controls are operating correctly and the professional background of each individual who performs a control should be reviewed to determine if he/she has the necessary authority and qualifications. The tests should include i… (¶ 92, ¶ 93, PCAOB Auditing Standard No. 2)
  • The auditor should assess how involved IT is in the financial reporting process; the inputs, outputs, and processes used to produce the financial reports; which members of management participate in the process; which locations are involved; and the level of oversight of the process provided by the B… (¶ 27, PCAOB Auditing Standard No. 5)
  • Implement appropriate findings from the SVA in a timely fashion but no later than 24 months after SVA completion; and (4.3 ¶ 2 Bullet 4, Pipeline Security Guidelines)
  • Conduct an SVA or the equivalent as outlined in Section 4.3 of this document for facilities determined to be critical; and (4.2 ¶ 1 Bullet 3, Pipeline Security Guidelines)
  • Conduct cyber vulnerability assessments as described in your risk assessment process (Table 2: Security Continuous Monitoring Baseline Security Measures Cell 2, Pipeline Security Guidelines)
  • SVA(s); (Table 1: Recordkeeping Enhanced Security Measures Cell 2 Bullet 1, Pipeline Security Guidelines)
  • Each airport and air carrier must periodically conduct vulnerability assessments of the security systems. The Transportation Security Administration will periodically audit these vulnerability assessments. Periodic and unannounced security system inspections will be conducted by the Under Secretary … (§ 44916, TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity's Information Systems based on the Risk Assessment. (§ 500.05 Penetration Testing and Vulnerability Assessments (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitorin… (§ 500.05 Penetration Testing and Vulnerability Assessments, New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Formatting checklists and test procedures; and (RA-5b.2., TX-RAMP Security Controls Baseline Level 1)
  • Measuring vulnerability impact; (RA-5b.3., TX-RAMP Security Controls Baseline Level 1)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., TX-RAMP Security Controls Baseline Level 1)
  • Formatting checklists and test procedures; and (RA-5b.2., TX-RAMP Security Controls Baseline Level 2)
  • Enumerating platforms, software flaws, and improper configurations; (RA-5b.1., TX-RAMP Security Controls Baseline Level 2)
  • Measuring vulnerability impact; (RA-5b.3., TX-RAMP Security Controls Baseline Level 2)