CIS Control 7: Continuous Vulnerability Management

Control Summary

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimise the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

Why is it needed?

In the ever-evolving landscape of cybersecurity, defenders face persistent challenges from adversaries who relentlessly seek vulnerabilities within their infrastructure to exploit and gain unauthorised access. To effectively thwart these threats, defenders must have access to up-to-date threat intelligence encompassing software updates, patches, security advisories, and threat bulletins, among other resources. Regularly scrutinising their environment to proactively identify these vulnerabilities before attackers do is paramount. Managing vulnerabilities is an ongoing endeavour that demands a significant allocation of time, attention, and resources.

Attackers are privy to the same information and often possess the agility to exploit vulnerabilities more swiftly than an enterprise can address them through remediation efforts. Recognising that there exists a time gap between the discovery of a vulnerability and its subsequent patching, defenders must employ a strategic approach to prioritise which vulnerabilities are most detrimental to the enterprise or are likely to be exploited first due to their ease of exploitation. This prioritisation helps defenders make informed decisions and allocate resources where they are needed most to safeguard their organisation’s digital assets.

Implementing Control

Meeting this control at a basic level initially requires establishing and maintaining a vulnerability management and remediation process. This process should encompass the assessment of new threats, a strong prioritisation method, and action steps and accountability for remediation.

Implementation Group 1 requires the following four safeguards:

7.1 Establish and Maintain a Vulnerability Management Process

Develop and sustain a documented vulnerability management procedure for enterprise assets. Review and update the documentation annually, or whenever significant changes to the business occur that might affect this safeguard.

7.2 Establish and Maintain a Remediation Process

Create and uphold a risk-focused remediation approach documented within a remediation process, subject to monthly reviews or more frequent assessments.

7.3 Perform Automated Operating System Patch Management

Conduct automated patch management for operating system updates on enterprise assets, at least monthly or more frequently as needed.

7.4 Perform Automated Application Patch Management

Conduct application updates for enterprise assets using automated patch management, at least monthly or more frequently as required.

Additional safeguards at Implementation Group 2 or 3:

7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
7.7 Remediate Detected Vulnerabilities
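Safeguards 7.1 and 7.2 require a documented, risk-focused remediation process, and the text above stresses prioritising by how damaging a vulnerability is and how easily it can be exploited. The following is an added example (not part of the CIS Controls and not CIS's own tooling) of the minimal record-keeping such a process needs: each finding is assigned a priority band from its CVSS score, exploit availability and exposure, given a remediation deadline for that band, and flagged when the deadline has passed. The priority rules, the SLA windows, the asset names and the vulnerability identifiers are all assumed or constructed for illustration; substitute your own policy values.

```python
"""Added example: a risk-focused remediation tracker for CIS Safeguards 7.1/7.2.

The priority thresholds and SLA windows below are assumed policy values chosen
for illustration; CIS does not mandate specific numbers. Findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder identifiers, not real CVEs
    cvss: float           # CVSS base score, 0.0 to 10.0
    exploit_public: bool  # a public exploit exists (ease of exploitation)
    external: bool        # asset is reachable from the internet
    discovered: date      # date the scanner or advisory first reported it


# Assumed remediation windows in days per priority band.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}


def priority(f: Finding) -> str:
    """Combine impact (CVSS) with likelihood (public exploit, exposure).

    A high-severity issue that is both exploitable and internet-facing is
    treated as critical even though its CVSS alone would only make it high.
    """
    if f.cvss >= 9.0 or (f.cvss >= 7.0 and f.exploit_public and f.external):
        return "P1"
    if f.cvss >= 7.0 or (f.cvss >= 4.0 and f.exploit_public):
        return "P2"
    if f.cvss >= 4.0:
        return "P3"
    return "P4"


def deadline(f: Finding) -> date:
    """Remediation due date: discovery date plus the band's SLA window."""
    return f.discovered + timedelta(days=SLA_DAYS[priority(f)])


def ranked(findings):
    """Work queue order: highest priority band first, oldest finding first within a band."""
    return sorted(findings, key=lambda f: (priority(f), f.discovered))


def overdue(findings, today: date):
    """Findings whose remediation deadline has already passed as of `today`."""
    return [f for f in findings if deadline(f) < today]


def report(findings, today: date):
    """One row per finding, in work-queue order, with its band, due date and status."""
    rows = []
    for f in ranked(findings):
        due = deadline(f)
        status = "OVERDUE" if due < today else "open"
        rows.append((priority(f), f.asset, f.vuln_id, due.isoformat(), status))
    return rows


# Constructed sample findings; assets and identifiers are placeholders.
SAMPLE = [
    Finding("web-01", "VULN-EXAMPLE-1", 7.5, True, True, date(2024, 1, 1)),
    Finding("db-02", "VULN-EXAMPLE-2", 9.8, False, False, date(2024, 1, 20)),
    Finding("hr-laptop-17", "VULN-EXAMPLE-3", 5.3, True, False, date(2023, 12, 1)),
    Finding("build-03", "VULN-EXAMPLE-4", 4.0, False, False, date(2024, 1, 10)),
    Finding("kiosk-05", "VULN-EXAMPLE-5", 2.1, False, False, date(2023, 9, 1)),
]

# Fixed "today" so the sample is reproducible; a real run would use date.today().
TODAY = date(2024, 1, 25)

if __name__ == "__main__":
    for row in report(SAMPLE, TODAY):
        print("%-3s %-13s %-15s due %s  %s" % row)
```

Running the block prints the work queue: the internet-facing `web-01` finding lands in P1 ahead of the higher-CVSS but internal `db-02`, and two findings are already past their window. The report is the artefact a monthly remediation review (Safeguard 7.2) would examine, and the `overdue` list is the accountability signal the control summary asks for.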
