Include vulnerability management and risk assessment in the internal control framework.
CONTROL ID
13102
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

This Control has the following implementation support Control(s):
  • Automate vulnerability management, as necessary., CC ID: 11730
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Security vulnerabilities in operating systems and firmware assessed as extreme risk are patched, updated or mitigated within 48 hours of the security vulnerabilities being identified by vendors, independent third parties, system managers or users. (Security Control: 1494; Revision: 0, Australian Government Information Security Manual, March 2021)
  • A vulnerability analysis program should be developed for the organization. (§ 3.7.29, Australian Government ICT Security Manual (ACSI 33))
  • Competent authorities should assess whether the institution's general governance and internal control framework duly cover the ICT systems and related risks and if the management body adequately addresses and manages these aspects, as ICT is integral to the proper functioning of an institution. (Title 2 2.1 20., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • ICT risk in the institution's Risk management framework –whether the institution's risk management and internal control framework adequately safeguards the institution's ICT systems. (Title 2 2.1 22.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • they must be adapted to the corresponding framework conditions and the terminology of an organisation, (§ 8.3.6 ¶ 3 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure the prompt identification and addressing of vulnerabilities over all levels of the cloud service, for which they are responsible. The safeguards incl… (Section 5.6 RB-17 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Regular identification and analysis of vulnerabilities (Section 5.6 RB-17 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards for the handling of critical vulnerabilities are documented, communicated and provided according to SA-01. The safeguards are coordinated with the activities of the change management and the incident management. (Section 5.6 RB-19 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Requirements for incident and vulnerability management (especially notifications and collaborations when eliminating malfunctions) (Section 5.12 DLL-01 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • The risk management process should be documented. (¶ 620(d), ¶ 666(d), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment. (§ 12.1.2, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment. (§ 12.1.2.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Update configuration standards to address new vulnerability issues and assign a risk ranking to newly discovered vulnerabilities. (§ 6.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Review risk assessment documentation to verify that the risk assessment process is performed at least annually. (§ 12.1.2.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities, including: (A1.2.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities, including: (A1.2.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The following are 10 questions a Chief Audit Executive should ask to determine the level of maturity of the organization's vulnerability management practice: "1) What percent of total systems are monitored or scanned? 2) How many unique vulnerabilities exist in your enterprise? 3) What percent of sy… (§ 2.2, § 5.2 Table 3, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • The information security policy should require that important information be subject to an information risk assessment on a regular basis or before a major change. (CF.01.01.03c-1, The Standard of Good Practice for Information Security)
  • The information security policy should require that important systems be subject to an information risk assessment on a regular basis or before a major change. (CF.01.01.03c-2, The Standard of Good Practice for Information Security)
  • The information security policy should require that important information be subject to an information risk assessment on a regular basis or before a major change. (CF.01.01.03c-1, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that important systems be subject to an information risk assessment on a regular basis or before a major change. (CF.01.01.03c-2, The Standard of Good Practice for Information Security, 2013)
  • Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerab… (CIS Control 16: Safeguard 16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities ¶ 1, CIS Controls, V8)
  • ¶ 7.2 Corporate IT Security Policy. An organization should produce a corporate IT security policy based on the agreed corporate IT security objectives and strategy. It is necessary to establish and maintain a corporate IT security policy, consistent with the corporate business, security, and IT pol… (¶ 7.2, ¶ 9.4.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The information security policy should contain the structure of risk assessment and risk management. (§ 5.1.1, ISO 27002 Code of practice for information security management, 2005)
  • set expectations for internal controls, compliance, risk management and risk taking; (§ 6.3.3.1.2 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment. (PR.IP-12.1, CRI Profile, v1.2)
  • A vulnerability management plan is developed and implemented. (PR.IP-12, CRI Profile, v1.2)
  • The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment. (PR.IP-12.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The security program should address risk assessment and risk treatment as it relates to personal information security. (Table Ref 8.2.1.a, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Does the information security policy contain a risk assessment? (§ B.1.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover risk management? (§ B.1.2, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover vulnerability management? (§ B.1.32, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • The organization must make the following features available in the security management process implementation: risk management, risk analysis, security policy, and sanction policy and procedures. (CSR 1.8.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each agency must develop, document, and implement an information security program, which must include any information and information systems provided or managed by another agency or contractor. The program must include periodic assessment of the risk and magnitude of harm that could result from una… (§ 3544(b)(1), Federal Information Security Management Act of 2002, Deprecated)
  • periodic assessments of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency, which may include using automated tools co… (§ 3554(b)(1), Federal Information Security Modernization Act of 2014)
  • A risk assessment must be performed by a business entity to identify internal and external vulnerabilities that could lead to unauthorized disclosure, alteration, or use of or access to sensitive personally identifiable information or systems that contain sensitive personally identifiable informatio… (§ 302(a)(3), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • A comprehensive vulnerability management process that includes the systematic identification and mitigation of software and hardware vulnerabilities is in place. (VIVM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Determine whether management effectively identifies threats and vulnerabilities continuously. (App A Objective 4.1, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Vulnerability identification (e.g., operation or supervision of vulnerability scans, self-assessments, penetration tests, and analysis of audit results). (App A Objective 8.1.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Risk assessment process, including threat identification and assessment. (App A Objective 2.4.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • A vulnerability management plan is developed and implemented. (PR.IP-12, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • A vulnerability management plan is developed and implemented. (PR.PO-P10, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must document the security categorizations and their rationale in the security plan. (App F § RA-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must fully integrate the security authorization process into the risk management program. (App G § PM-10.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The comprehensive information security program must include a way to identify and assess risks, both internal and external, to the confidentiality, integrity, and/or security of all records (paper and electronic). (§ 17.03(3)2, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • vulnerability management. (§ 500.3 Cybersecurity Policy (o), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)