
Automate vulnerability management, as necessary.


CONTROL ID
11730
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Include vulnerability management and risk assessment in the internal control framework., CC ID: 13102

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • All application systems need to be tested before implementation in a robust manner regarding controls to ensure that they satisfy business policies/rules of the bank and regulatory and legal prescriptions/requirements. Robust controls need to be built into the system and reliance on any manual contr… (Critical components of information security 11) c.3., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Automated vulnerability scanning tools need to be used against all systems on their networks on a periodic basis, say monthly or weekly or more frequently. (Critical components of information security 16) ii.a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Vulnerability scanning tools should be tuned to compare services that are listening on each machine against a list of authorized services. The tools should be further tuned to identify changes over time on systems for both authorized and unauthorized services. (Critical components of information security 16) ii.d, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Vulnerability scanning of business applications, information systems and network devices should be performed using automated vulnerability scanning software or a commercial vulnerability scanning service. (CF.10.01.06a, The Standard of Good Practice for Information Security, 2013)
  • Define and implement a process to remediate application security vulnerabilities, automating remediation when possible. (AIS-07, Cloud Controls Matrix, v4.0)
  • Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. (CIS Control 8: Malware Defenses, CIS Controls, 7.1)
  • Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action. (CIS Control 8: Malware Defenses, CIS Controls, V7)
  • Acquire automated vulnerability management tools, if necessary. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Using tools to assist in the analysis of vulnerabilities (e.g., design of system, operation of the system, security procedures, business line controls, and implementation of the system and controls). (App A Objective 8.3.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Perform targeting automation activities. (T0769, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform targeting automation activities. (T0769, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
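The guideline item above on tuning vulnerability scanners (Critical components of information security 16) ii.d) asks for two checks: compare the services listening on each host against an authorized list, and track changes over time for both authorized and unauthorized services. The following Python is an added example written for this page, not code from any of the cited authority documents or from a scanner vendor. The hosts, ports, authorized list and the simple `host port/proto service` export format are all constructed for illustration; a real deployment would read the scanner's own XML or JSON export and pull the authorized list from the asset inventory.

```python
"""Added example: diff a scanner's listening-service results against an
authorized-services list and against the previous scan, flagging new or
unauthorized services and services that have disappeared.

All hosts, ports and scan exports here are constructed, and the
line-oriented export format is an assumption standing in for a real
scanner's XML/JSON output."""

from dataclasses import dataclass, field

# One listening service as a scanner reports it: (port, protocol, service name).
Service = tuple[int, str, str]

# Constructed authorized-services list keyed by host. Assumption: in practice
# this comes from the asset inventory / CMDB, not from a literal in code.
AUTHORIZED: dict[str, set[Service]] = {
    "10.0.1.10": {(22, "tcp", "ssh"), (443, "tcp", "https")},
    "10.0.1.20": {(22, "tcp", "ssh"), (3306, "tcp", "mysql")},
}

# Constructed scan exports: one 'host port/proto service' line per listener.
PREVIOUS_SCAN = """
10.0.1.10 22/tcp ssh
10.0.1.10 443/tcp https
10.0.1.20 22/tcp ssh
10.0.1.20 3306/tcp mysql
"""

CURRENT_SCAN = """
10.0.1.10 22/tcp ssh
10.0.1.10 443/tcp https
10.0.1.10 8080/tcp http-proxy
10.0.1.20 22/tcp ssh
10.0.1.30 23/tcp telnet
"""


def parse_scan(text: str) -> dict[str, set[Service]]:
    """Parse the constructed export into {host: {(port, proto, name), ...}}.
    Blank lines and '#' comments are skipped."""
    found: dict[str, set[Service]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, port_proto, name = line.split()
        port, proto = port_proto.split("/")
        found.setdefault(host, set()).add((int(port), proto, name))
    return found


@dataclass
class Findings:
    # Listeners not on the authorized list for that host (or on a host with no entry).
    unauthorized: dict[str, set[Service]] = field(default_factory=dict)
    # Listeners present now but absent in the previous scan.
    appeared: dict[str, set[Service]] = field(default_factory=dict)
    # Listeners present before but gone now; an authorized service vanishing
    # is also a change worth a ticket (outage, or a host that changed role).
    disappeared: dict[str, set[Service]] = field(default_factory=dict)
    # Hosts the scanner found that the authorized list does not know about.
    unknown_hosts: set[str] = field(default_factory=set)


def compare(current: dict[str, set[Service]],
            previous: dict[str, set[Service]],
            authorized: dict[str, set[Service]]) -> Findings:
    """Apply both checks: policy (authorized list) and drift (previous scan)."""
    f = Findings()
    # Check 1: every listener on every scanned host must be on the authorized list.
    for host, services in current.items():
        if host not in authorized:
            f.unknown_hosts.add(host)
            f.unauthorized[host] = set(services)
            continue
        extra = services - authorized[host]
        if extra:
            f.unauthorized[host] = extra
    # Check 2: report changes over time regardless of authorization status.
    for host in set(current) | set(previous):
        now, before = current.get(host, set()), previous.get(host, set())
        if now - before:
            f.appeared[host] = now - before
        if before - now:
            f.disappeared[host] = before - now
    return f


def run_example() -> Findings:
    """Run the comparison on the constructed scans above."""
    return compare(parse_scan(CURRENT_SCAN), parse_scan(PREVIOUS_SCAN), AUTHORIZED)


if __name__ == "__main__":
    result = run_example()
    for label, bucket in (("UNAUTHORIZED", result.unauthorized),
                          ("APPEARED", result.appeared),
                          ("DISAPPEARED", result.disappeared)):
        for host, services in sorted(bucket.items()):
            for port, proto, name in sorted(services):
                print(f"{label:12} {host} {port}/{proto} {name}")
    for host in sorted(result.unknown_hosts):
        print(f"UNKNOWN-HOST {host}")
```

On the constructed data this flags the new `8080/tcp http-proxy` listener on 10.0.1.10 as both unauthorized and newly appeared, reports 10.0.1.30 as a host the inventory does not know about, and separately notes that the authorized `3306/tcp mysql` on 10.0.1.20 has disappeared. Keeping the policy check and the drift check separate is the point: a service can be authorized yet new (worth confirming a change ticket exists), and an authorized service going away is as much a change as an unauthorized one showing up.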