Correct or mitigate vulnerabilities.


CONTROL ID: 12497
CONTROL TYPE: Technical Security
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated., CC ID: 13859


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Critical patches must be evaluated in a test environment before being updated into production on enterprise systems. If such patches break critical business applications on test machines, the organization must devise other mitigating controls that block exploitation on systems where the patch is dif… (Critical components of information security 19) vi., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Methods should be established to protect information and systems if no patch is available for an identified vulnerability, for example, disabling services and adding additional access controls. Organizations should deploy automated patch management tools and software update tools for all systems for … (Critical components of information security 19) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks need to ensure suitable security measures for their web applications and take reasonable mitigating measures against various web security risks indicated earlier in the chapter. (Critical components of information security g) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • A bank needs to regularly assess information security vulnerabilities and evaluate the effectiveness of the existing IT security risk management framework, making any necessary adjustments to ensure emerging vulnerabilities are addressed in a timely manner. This assessment should also be conducted a… (Critical components of information security 30) c) ¶ 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Where the system is unable to conform to the set of security standards, the relevant entity must ensure that controls are instituted to reduce any risk posed by such non-conformity. (IV. 4.3(c), MAS-201908-Notice 655 Cyber Hygiene)
  • Where no security patch is available to address a vulnerability, the relevant entity must ensure that controls are instituted to reduce any risk posed by such vulnerability to such a system. (IV. 4.2(b), MAS-201908-Notice 655 Cyber Hygiene)
  • Compliance processes should be implemented to verify that IT security standards and procedures are enforced. Follow-up processes should be implemented so that compliance deviations are addressed and remedied on a timely basis. (§ 3.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Issues identified from testing, including system defects or software bugs, should be properly tracked and addressed. Major issues that could have an adverse impact on the FI's operations or delivery of service to customers should be reported to the project steering committee and addressed prior to d… (§ 5.7.5, Technology Risk Management Guidelines, January 2021)
  • The FI should establish a process to verify that the standards are applied uniformly on systems and to identify deviations from the standards. Risks arising from deviations should be addressed in a timely manner. (§ 11.3.2, Technology Risk Management Guidelines, January 2021)
  • The FI should establish a process to conduct regular vulnerability assessment (VA) on their IT systems to identify security vulnerabilities and ensure risk arising from these gaps are addressed in a timely manner. The frequency of VA should be commensurate with the criticality of the IT system and t… (§ 13.1.1, Technology Risk Management Guidelines, January 2021)
  • Apply prompt remedial actions to detect security vulnerabilities and any non-compliance with established policies and procedures. (Annex A1: Compliance, Testing and Audits 15, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Security vulnerabilities in systems and applications are identified and mitigated in a timely manner. (P5:, Australian Government Information Security Manual, March 2021)
  • Security vulnerabilities in systems and applications are identified and mitigated in a timely manner. (P5:, Australian Government Information Security Manual, June 2023)
  • Security vulnerabilities identified in applications are resolved by software developers in a timely manner. (Control: ISM-1754; Revision: 1, Australian Government Information Security Manual, June 2023)
  • The OWASP Top 10 are mitigated in the development of web applications. (Control: ISM-1850; Revision: 0, Australian Government Information Security Manual, June 2023)
  • The OWASP API Security Top 10 are mitigated in the development of web APIs. (Control: ISM-1851; Revision: 0, Australian Government Information Security Manual, June 2023)
  • The OWASP Top 10 are mitigated in the development of web applications. (Control: ISM-1850; Revision: 0, Australian Government Information Security Manual, September 2023)
  • The OWASP API Security Top 10 are mitigated in the development of web APIs. (Control: ISM-1851; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Vulnerabilities identified in applications are resolved by software developers in a timely manner. (Control: ISM-1754; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Vulnerabilities in systems and applications are identified and mitigated in a timely manner. (P5:, Australian Government Information Security Manual, September 2023)
  • develop tactical and strategic remediation activities for the control environment (prevention, detection and response) commensurate with the threat; and (39(c)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • intentionally introduced information security vulnerabilities are authorised. In APRA's view, changes that knowingly introduce security vulnerabilities would be minimised and, where possible, compensating controls implemented. This situation normally arises when dealing with system outages. (47(g)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Timely identification and remediation of new vulnerabilities (Attachment G Control Objective Row 12, APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Do you perform regular vulnerability scans of your internal networks and workstations to identify possible problems and ensure they are addressed? (Patch management Question 51, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • Do you perform regular vulnerability scans (annual or more frequent) of your external network to identify possible problems and ensure they are addressed? (Patch management Question 52, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • A financial institution should appropriately monitor and mitigate risks deriving from their portfolio of ICT projects (programme management), considering also risks that may result from interdependencies between different projects and from dependencies of multiple projects on the same resources and/… (3.6.1 62, Final Report EBA Guidelines on ICT and security risk management)
  • Disclosed vulnerabilities should be acted on in a timely manner. (Provision 5.2-2, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Manufacturers should continually monitor for, identify and rectify security vulnerabilities within products and services they sell, produce, have produced and services they operate during the defined support period. (Provision 5.2-3, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • negotiating disclosure timelines and managing vulnerabilities that affect multiple entities. (Article 12 1 ¶ 1(c), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure; (Article 21 2(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall ensure that natural or legal persons are able to report, anonymously where they so request, a vulnerability to the CSIRT designated as coordinator. The CSIRT designated as coordinator shall ensure that diligent follow-up action is carried out with regard to the reported vulnerabi… (Article 12 1 ¶ 2, DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • minimise the impact of ICT risk through the use of sound, resilient and updated ICT systems, protocols and tools which are appropriate to support the performance of their activities and the provision of services and adequately protect availability, authenticity, integrity and confidentiality of data… (Art. 16.1. ¶ 2(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Eliminating discovered flaws and weaknesses and continuous improvement. (Section 5.1 OIS-01 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Upon customer request, the cloud provider informs the cloud customer of open vulnerabilities in an appropriate form. The open vulnerabilities are remedied promptly without exception. (Section 5.6 RB-21 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Identified deviations are subjected to a risk analysis according to requirement OIS-07 in order to effectively address them by mitigating safeguards in a timely manner. (Section 5.12 DLL-02 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Audits and assessments of processes, IT systems and IT components, provided that they are completely or partially in the cloud provider's area of responsibility and are relevant to the development or operation of the cloud service, are carried out by independent third parties (e. g. certified public… (Section 5.16 COM-03 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Qualified personnel (e. g. internal revision) of the cloud provider or expert third parties commissioned by the cloud provider audit the compliance of the internal IT processes with the corresponding internal policies and standards as well as the legal, regulatory and statutory prescribed requirem… (Section 5.15 SPN-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The cloud provider has penetration tests performed by qualified internal personnel or external service providers at least once a year. The penetration tests are carried out according to documented test methods and include the infrastructure components defined to be critical to the secure operation o… (Section 5.6 RB-18 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Potentially affected IT systems and software are identified, assessed and any vulnerabilities are addressed. (5.2.5 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • Vulnerability management – you should identify and mitigate security issues in constituent components (5. ¶ 2 Bullet 2, Cloud Security Guidance, 1.0)
  • Incident management and system recovery testing is performed on a periodic basis to make sure the entity continues to be able to identify, evaluate and respond to critical incidents. Testing includes: 1) the development and use of test scenarios based on the likelihood and magnitude of potential thr… (S7.5 Implements incident management and recovery testing, Privacy Management Framework, Updated March 1, 2020)
  • Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel. (11.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel. (11.2.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved? (11.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Does the quarterly internal scan process address all "high risk" vulnerabilities and include rescans to verify all "high-risk" vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved? (11.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Does the quarterly internal scan process address all “high risk” vulnerabilities and include rescans to verify all “high-risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved? (11.2.1(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Review the scan reports and verify that all “high risk” vulnerabilities are addressed and the scan process includes rescans to verify that the “high risk” vulnerabilities (as defined in PCI DSS Requirement 6.1) are resolved. (11.2.1.b, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All vulnerabilities are corrected. (6.4.1 Bullet 1 Sub-Bullet 5, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The provider addresses and remediates suspected or confirmed security incidents and vulnerabilities according to Requirement 6.3.1. (A1.2.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • All other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are managed as follows: (11.3.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Addressed based on the risk defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (11.3.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: (11.4.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In accordance with the entity's assessment of the risk posed by the security issue as defined in Requirement 6.3.1. (11.4.4 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • High-risk and critical vulnerabilities (per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are resolved. (11.3.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that an inventory of bespoke and custom software and third-party software components incorporated into bespoke and custom software is maintained, and that the inventory is used to identify and address vulnerabilities. (6.3.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine system components and related software and compare the list of installed security patches/updates to the most recent security patch/update information to verify vulnerabilities are addressed in accordance with all elements specified in this requirement. (6.3.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine internal scan report results from each scan and rescan run in the last 12 months to verify that all high-risk and critical vulnerabilities (identified in PCI DSS Requirement 6.3.1) are resolved. (11.3.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine penetration testing results to verify that noted exploitable vulnerabilities and security weaknesses were corrected in accordance with all elements specified in this requirement. (11.4.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview responsible personnel and examine internal scan report results or other documentation to verify that all other applicable vulnerabilities (those not ranked as high-risk or critical per the entity's vulnerability risk rankings at Requirement 6.3.1) are addressed based on the risk defined in… (11.3.1.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel and examine external scan and rescan reports to verify that external scans were performed after significant changes and that vulnerabilities scored 4.0 or higher by the CVSS were resolved. (11.3.2.1.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All vulnerabilities are corrected. (6.4.1 Bullet 1 Sub-Bullet 5, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: (11.4.4, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In accordance with the entity's assessment of the risk posed by the security issue as defined in Requirement 6.3.1. (11.4.4 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • High-risk and critical vulnerabilities (per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are resolved. (11.3.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All vulnerabilities are corrected. (6.4.1 Bullet 1 Sub-Bullet 5, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Addressed based on the risk defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (11.3.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • High-risk and critical vulnerabilities (per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are resolved. (11.3.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In accordance with the entity's assessment of the risk posed by the security issue as defined in Requirement 6.3.1. (11.4.4 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: (11.4.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: (6.4.1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • All vulnerabilities are corrected. (6.4.1 Bullet 1 Sub-Bullet 5, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • High-risk and critical vulnerabilities (per the entity's vulnerability risk rankings defined at Requirement 6.3.1) are resolved. (11.3.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Addressed based on the risk defined in the entity's targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1. (11.3.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In accordance with the entity's assessment of the risk posed by the security issue as defined in Requirement 6.3.1. (11.4.4 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: (11.4 4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The provider addresses and remediates suspected or confirmed security incidents and vulnerabilities according to Requirement 6.3.1. (A1 2.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Penetration testing is repeated to verify the corrections. (11.4.4 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Define and implement a process to remediate application security vulnerabilities, automating remediation when possible. (AIS-07, Cloud Controls Matrix, v4.0)
  • Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk. (TVM-03, Cloud Controls Matrix, v4.0)
  • Reduce Attack Surface and Vulnerabilities (2, Swift Customer Security Controls Framework (CSCF), v2019)
  • Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. (2.7 Control Objective, Swift Customer Security Controls Framework (CSCF), v2019)
  • Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. (CIS Control 3: Continuous Vulnerability Management, CIS Controls, 7.1)
  • Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers. (CIS Control 3: Continuous Vulnerability Management, CIS Controls, V7)
  • Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. (CIS Control 7: Safeguard 7.7 Remediate Detected Vulnerabilities, CIS Controls, V8)
  • Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerab… (CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1, CIS Controls, V8)
  • Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise contro… (CIS Control 18: Safeguard 18.1 Establish and Maintain a Penetration Testing Program, CIS Controls, V8)
  • Information about technical vulnerabilities of information systems in use should be obtained, the organization's exposure to such vulnerabilities should be evaluated and appropriate measures should be taken. (§ 8.8 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. (A1.2 ¶ 2 Bullet 6 Communicates and Reviews Detected Environmental Threat Events, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Identified vulnerabilities are remediated through the development and execution of remediation activities. (CC7.4 ¶ 3 Bullet 8 Remediates Identified Vulnerabilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity conducts infrastructure and software vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes are made to the environment. Action is taken to remediate identified deficiencies in a timely manner to support th… (CC7.1 ¶ 2 Bullet 5 Conducts Vulnerability Scans, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness. (RS.AN-5.3, CRI Profile, v1.2)
  • Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored. (RS.MI-3.2, CRI Profile, v1.2)
  • The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning. (PR.IP-12.2, CRI Profile, v1.2)
  • Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored. (RS.MI-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness. (RS.AN-5.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Correct flaws identified during security testing/evaluation. (SA-11e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Correct flaws identified during security testing/evaluation. (SA-11e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Correct flaws identified during security testing/evaluation. (SA-11e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050 Exploit Protection, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016 Vulnerability Scanning, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. (CC7.1 Conducts Vulnerability Scans, Trust Services Criteria)
  • Identified vulnerabilities are remediated through the development and execution of remediation activities. (CC7.4 Remediates Identified Vulnerabilities, Trust Services Criteria)
  • The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. (CC7.1 ¶ 2 Bullet 5 Conducts Vulnerability Scans, Trust Services Criteria, (includes March 2020 updates))
  • Identified vulnerabilities are remediated through the development and execution of remediation activities. (CC7.4 ¶ 2 Bullet 8 Remediates Identified Vulnerabilities, Trust Services Criteria, (includes March 2020 updates))
  • Detected environmental threat events are communicated to and reviewed by the individuals responsible for the management of the system and actions are taken, if necessary. (A1.2 ¶ 2 Bullet 6 Communicates and Reviews Detected Environmental Threat Events, Trust Services Criteria, (includes March 2020 updates))
  • Software Vulnerabilities Mitigation: Use one or a combination of the following methods to achieve the objective of mitigating the risk of vulnerabilities posed by unpatched software on the Transient Cyber Asset (per Transient Cyber Asset capability): - Review of installed security patch(es); - Revie… (Section 2. 2.1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Other method(s) to mitigate software vulnerabilities. (Attachment 1 Section 1. 1.3. Bullet 4, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Other method(s) to mitigate software vulnerabilities. (Attachment 1 Section 2. 2.1 Bullet 4, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • Identify, report, and correct information and information system flaws in a timely manner. (§ 52.204-21 (b)(1)(xii), 48 CFR Part 52.204-21, Basic Safeguarding of Covered Contractor Information Systems)
  • Remediate vulnerabilities in accordance with risk assessments. (RA.L2-3.11.3 Vulnerability Remediation, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • An ICAP is required to mitigate vulnerabilities and risks associated with implementing a commercial CSP's CSO infrastructure on-premises (i.e., located inside the B/C/P/S physical or virtual "fence-line.") when, as expected, that infrastructure is managed by the CSP from their off-premises corporate… (Section 5.10.1.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Assist with developing audit compliance guidelines as well as identifying and reconciling security-related issues. (§ 3.2.10 ¶ 1 5., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program i… (App A Objective 15:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Processes to monitor industry third parties (e.g., US-CERT, NIST, and FS-ISAC) that report vulnerability exposures and address any relevant exposures within the entity's systems and software. (App A Objective 15:3a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180… (RA-5d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Correct flaws identified during security testing/evaluation. (SA-11e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180… (RA-5d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Correct flaws identified during security testing/evaluation. (SA-11e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Remediates legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180… (RA-5d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Correct flaws identified during testing and evaluation. (SA-11e., FedRAMP Security Controls High Baseline, Version 5)
  • Remediate legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180)… (RA-5d., FedRAMP Security Controls High Baseline, Version 5)
  • Determine information about the system that is discoverable and take [FedRAMP Assignment: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]. (RA-5(4) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Remediate legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180)… (RA-5d., FedRAMP Security Controls Low Baseline, Version 5)
  • Correct flaws identified during testing and evaluation. (SA-11e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Remediate legitimate vulnerabilities [FedRAMP Assignment: high-risk vulnerabilities mitigated within thirty (30) days from date of discovery; moderate-risk vulnerabilities mitigated within ninety (90) days from date of discovery; low risk vulnerabilities mitigated within one hundred and eighty (180)… (RA-5d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Correct flaws identified during testing and evaluation. (SA-11e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Correct flaws identified during testing and evaluation. (SA-11e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Correct flaws identified during testing and evaluation. (SA-11e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reduce vulnerabilities at the onset of new IT projects and/or related acquisitions. (Level 2 Mission and Business Process Activities Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Correct flaws identified during testing and evaluation. (SA-11e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Correct flaws identified during testing and evaluation. (SA-11e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Correct flaws identified during testing and evaluation. (SA-11e., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Organizations should strive to decrease the number of vulnerabilities introduced into their environments. This shrinks the attack surface and can lower the amount of patching that organizations need to do. Possible methods for decreasing the number of vulnerabilities include: (3.1 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should plan to implement multiple types of mitigations to protect vulnerable unpatchable assets. In addition to using long-term risk mitigation methods for unpatchable assets, organizations should also implement mitigations as needed to prevent exploitation of specific vulnerabilities … (3.5.4 ¶ 2, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Correct flaws identified during security testing/evaluation. (SA-11e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Correct flaws identified during security testing/evaluation. (SA-11e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered. (T0229, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative. (T0499, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with stakeholders to resolve computer security incidents and vulnerability compliance. (T0545, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The container runtime must be carefully monitored for vulnerabilities, and when problems are detected, they must be remediated quickly. A vulnerable runtime exposes all containers it supports, as well as the host itself, to potentially significant risk. Organizations should use tools to look for Com… (4.4.1 ¶ 1, NIST SP 800-190, Application Container Security Guide)
  • Assess, Prioritize, and Remediate Vulnerabilities (RV.2): Help ensure that vulnerabilities are remediated in accordance with risk to reduce the window of opportunity for attackers. (RV.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Plan and implement risk responses for vulnerabilities. (RV.2.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports. (RV.3.3, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered. (T0229, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative. (T0499, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with stakeholders to resolve computer security incidents and vulnerability compliance. (T0545, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement security measures to resolve vulnerabilities, mitigate risks, and recommend security changes to system or system components as needed. (T0485, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Correct flaws identified during security testing/evaluation. (SA-11e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and (RA-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Correct flaws identified during testing and evaluation. (SA-11e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; (RA-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Determine information about the system that is discoverable and take [Assignment: organization-defined corrective actions]. (RA-5(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correct flaws identified during testing and evaluation. (SA-11e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Correct flaws identified during security testing/evaluation. (SA-11e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The Internet is critical to our future but retains the fundamental structure of its past. Many of the technical foundations of the digital ecosystem are inherently vulnerable. Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk exp… (STRATEGIC OBJECTIVE 4.1 ¶ 1, National Cybersecurity Strategy)
  • timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity. (§ 500.5 Vulnerability Management (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Remediates legitimate vulnerabilities [TX-RAMP Assignment: high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery] in accordance with an organizational assessment of risk; and (RA-5d., TX-RAMP Security Controls Baseline Level 1)
  • Correct flaws identified during security testing/evaluation. (SA-11e., TX-RAMP Security Controls Baseline Level 2)
  • Remediates legitimate vulnerabilities [TX-RAMP Assignment: high-risk vulnerabilities mitigated within thirty days from date of discovery; moderate-risk vulnerabilities mitigated within ninety days from date of discovery] in accordance with an organizational assessment of risk; and (RA-5d., TX-RAMP Security Controls Baseline Level 2)