Recommend mitigation techniques based on vulnerability scan reports.

CONTROL ID: 11639
CONTROL TYPE: Technical Security
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present., CC ID: 12188
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities, for each department/division, plan for mitigation and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation. (Critical components of information security 16) ii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls (Security Control: 1163; Revision: 6; Bullet 3, Australian Government Information Security Manual, March 2021)
  • Audits and assessments of processes, IT systems and IT components, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, are carried out by independent third parties (e. g. certified public… (Section 5.16 COM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Does the organization take action on the vulnerability testing results? (Table Row X.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • After the vulnerability analysis is conducted on the affected systems, the team should check other systems in the organization to ensure they are not vulnerable to the same risk(s). (Action 4.3.2, SANS Computer Security Incident Handling, Version 2.3.1)
  • Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. (TVM-09, Cloud Controls Matrix, v4.0)
  • Analyzing options to respond. (RS.AN-5.2(5), CRI Profile, v1.2)
  • Analyzing options to respond. (RS.AN-5.2(5), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • When a web site is supported that has access to scoped systems and data, are the vulnerability scan results remediated? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, are the vulnerability scan results remediated? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, are the vulnerability scan results remediated? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • The mitigation procedures must be independently validated by inspection and automated vulnerability assessment tools. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud; (Layered Security Programs ¶ 2 Bullet 7, Supplement to Authentication in an Internet Banking Environment)
  • Is there documentation on the vulnerability scans that were conducted? (IT - Servers Q 20, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization must analyze the results of the vulnerability scans and correct the vulnerabilities in a defined time period. (SG.RA-6 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Implement security measures to resolve vulnerabilities, mitigate risks, and recommend security changes to system or system components as needed. (T0485, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. (SA-15(7)(d), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. (SA-15(7) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Deliver the outputs of the tools and results of the analysis to [Assignment: organization-defined personnel or roles]. (SA-15(7) ¶ 1(d), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)