Security Control 4:
Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

Key: REQ = Required, REC = Recommended, OPT = Optional

ID | Details | High | Med | Low

4.1  High: REQ  Med: REQ  Low: REC

Run automated vulnerability scanning tools against all systems on the network at least quarterly. Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed or temporarily mitigated within 48 hours.

[additional details]

Where feasible, vulnerability scanning should occur more frequently (e.g., weekly) using an up-to-date vulnerability scanning tool.

4.2  High: REQ  Med: REQ  Low: REC

Critical patches must be evaluated in a test environment before being pushed into production.

[additional details]

If such patches break critical business applications on test machines, devise other mitigating controls that block exploitation on systems where the patch cannot be deployed.

4.3  High: REQ  Med: REQ  Low: REC

Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk.

4.4  High: REQ  Med: REQ  Low: REC

During a vulnerability scan, compare services (ports) that are listening on each machine against a list of authorized services.

4.5  High: REQ  Med: REQ  Low: REC

Event logs should be correlated with information from vulnerability scans.

[additional details]

This fulfills two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should verify that discovered vulnerabilities have not been previously exploited.

4.6  High: REQ  Med: REQ  Low: OPT

Deploy automated patch management tools and software update tools for operating system and third-party software on all systems.

4.7  High: REC  Med: OPT  Low: OPT

Ensure that all vulnerability scanning is performed in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested.
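As an added illustration (not part of this control text or any scanning product), the following Python script shows how the back-to-back scan comparison of 4.3, the 48-hour critical remediation check of 4.1 and the listening-port comparison of 4.4 can be automated. The scan records, hosts and port lists are constructed sample data, the record layout is an assumption, and the SLA clock is assumed to start at the finding's first_seen timestamp.

```python
from datetime import datetime, timedelta

# Constructed sample scan exports (not real data); the record layout is an assumption.
PREVIOUS_SCAN = [
    {"host": "10.0.0.5", "id": "VULN-A", "severity": "critical", "first_seen": "2024-03-01T09:00:00"},
    {"host": "10.0.0.5", "id": "VULN-B", "severity": "medium", "first_seen": "2024-03-01T09:00:00"},
    {"host": "10.0.0.7", "id": "VULN-C", "severity": "high", "first_seen": "2024-03-01T09:00:00"},
]
CURRENT_SCAN = [
    {"host": "10.0.0.5", "id": "VULN-A", "severity": "critical", "first_seen": "2024-03-01T09:00:00"},
    {"host": "10.0.0.7", "id": "VULN-D", "severity": "low", "first_seen": "2024-03-04T09:00:00"},
]
CRITICAL_SLA = timedelta(hours=48)  # Control 4.1: critical findings fixed or mitigated within 48 hours

def compare_scans(previous, current, now_iso, accepted_risks=()):
    """Control 4.3: classify findings from two back-to-back scans as remediated, new,
    or persistent. A (host, id) pair in accepted_risks has a documented, accepted
    business risk and is not reported as persistent. Persistent critical findings
    older than CRITICAL_SLA (assumed to run from first_seen) are flagged."""
    now = datetime.fromisoformat(now_iso)
    prev = {(f["host"], f["id"]): f for f in previous}
    curr = {(f["host"], f["id"]): f for f in current}
    accepted = set(accepted_risks)
    remediated = sorted(k for k in prev if k not in curr)
    new = sorted(k for k in curr if k not in prev)
    persistent = sorted(k for k in curr if k in prev and k not in accepted)
    sla_breached = [
        k for k in persistent
        if curr[k]["severity"] == "critical"
        and now - datetime.fromisoformat(curr[k]["first_seen"]) > CRITICAL_SLA
    ]
    return {"remediated": remediated, "new": new,
            "persistent": persistent, "sla_breached": sla_breached}

# Constructed listening-port inventory (as reported by the scan) and the authorized-services list.
LISTENING = {"10.0.0.5": {22, 443, 3389}, "10.0.0.7": {22, 80}}
AUTHORIZED = {"10.0.0.5": {22, 443}, "10.0.0.7": {22, 80, 443}}

def unauthorized_ports(listening, authorized):
    """Control 4.4: per host, listening ports absent from the authorized list.
    A host with no authorized entry has every listening port reported."""
    result = {}
    for host, ports in listening.items():
        extra = ports - authorized.get(host, set())
        if extra:
            result[host] = sorted(extra)
    return result

if __name__ == "__main__":
    print(compare_scans(PREVIOUS_SCAN, CURRENT_SCAN, "2024-03-04T10:00:00"))
    print("unauthorized ports:", unauthorized_ports(LISTENING, AUTHORIZED))
```

In practice the two scan lists would be loaded from the scanner's export and the authorized-services list from the configuration baseline; a non-empty sla_breached or unauthorized_ports result is what the review in 4.3 and 4.4 should escalate.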

Additional Reading