Security Control 4:
Continuous Vulnerability Assessment and Remediation
Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.
Key: REQ = Required, REC = Recommended, OPT = Optional
| ID | Details | High | Med | Low |
|---|---|---|---|---|
| 4.1 | Run automated vulnerability scanning tools against all systems on the network at least quarterly. Any vulnerability identified should be remediated in a timely manner, with critical vulnerabilities fixed or temporarily mitigated within 48 hours. Where feasible, vulnerability scanning should occur more frequently (e.g., weekly) using an up-to-date vulnerability scanning tool. | REQ | REQ | REC |
| 4.2 | Critical patches must be evaluated in a test environment before being pushed into production. If such patches break critical business applications on test machines, devise other mitigating controls that block exploitation on systems where the patch cannot be deployed. | REQ | REQ | REC |
| 4.3 | Compare the results from back-to-back vulnerability scans to verify that vulnerabilities were addressed either by patching, implementing a compensating control, or documenting and accepting a reasonable business risk. | REQ | REQ | REC |
| 4.4 | During a vulnerability scan, compare services (ports) that are listening on each machine against a list of authorized services. | REQ | REQ | REC |
| 4.5 | Event logs should be correlated with information from vulnerability scans. This fulfills two goals. First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should verify that discovered vulnerabilities have not been previously exploited. | REQ | REQ | REC |
| 4.6 | Deploy automated patch management tools and software update tools for operating system and third-party software on all systems. | REQ | REQ | OPT |
| 4.7 | Ensure that all vulnerability scanning is performed in authenticated mode either with agents running locally on each end system to analyze the security configuration or with remote scanners that are given administrative rights on the system being tested. | REC | OPT | OPT |
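The back-to-back scan comparison in 4.3 and the listening-port check in 4.4 are easy to automate once scan output is normalized. The script below is an added example, not part of this control document; the scan findings, finding IDs, hosts, accepted-risk register and port allowlist are all constructed sample data, and the 48-hour critical SLA comes from the control text above.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from any real scanner): each finding is keyed by
# (host, finding id) and carries its severity and when it was first observed.
PREVIOUS_SCAN = {
    ("10.0.0.5", "FINDING-001"): {"severity": "critical", "first_seen": "2024-03-01T09:00"},
    ("10.0.0.5", "FINDING-002"): {"severity": "medium", "first_seen": "2024-03-01T09:00"},
    ("10.0.0.7", "FINDING-003"): {"severity": "high", "first_seen": "2024-03-01T09:00"},
}
CURRENT_SCAN = {
    ("10.0.0.5", "FINDING-001"): {"severity": "critical", "first_seen": "2024-03-01T09:00"},
    ("10.0.0.7", "FINDING-003"): {"severity": "high", "first_seen": "2024-03-01T09:00"},
    ("10.0.0.7", "FINDING-004"): {"severity": "low", "first_seen": "2024-03-08T09:00"},
}
ACCEPTED_RISKS = {("10.0.0.7", "FINDING-003")}   # documented and accepted (4.3)
SCAN_TIME = datetime.fromisoformat("2024-03-08T10:00")  # when CURRENT_SCAN ran
SLA = {"critical": timedelta(hours=48)}          # remediation deadline from 4.1

def compare_scans(previous, current, accepted, now):
    """Classify findings between two back-to-back scans (control 4.3)."""
    prev, curr = set(previous), set(current)
    report = {
        "remediated": sorted(prev - curr),            # gone: patched or mitigated
        "accepted": sorted(curr & accepted),          # still present, risk accepted
        "new": sorted(curr - prev),                   # first seen in this scan
        "persisting": sorted((prev & curr) - accepted),  # open and unaccounted for
        "sla_breached": [],
    }
    for key in report["persisting"]:
        finding = current[key]
        limit = SLA.get(finding["severity"])
        first_seen = datetime.fromisoformat(finding["first_seen"])
        if limit and now - first_seen > limit:
            report["sla_breached"].append(key)
    return report

# Listening ports per host as observed during the scan (constructed)
LISTENING = {"10.0.0.5": {22, 443, 3389}, "10.0.0.7": {22, 80}}
# Authorized services per host (constructed allowlist for control 4.4)
AUTHORIZED = {"10.0.0.5": {22, 443}, "10.0.0.7": {22, 80}}

def unauthorized_services(listening, authorized):
    """Return (host, port) pairs that listen but are not on the allowlist."""
    return sorted(
        (host, port)
        for host, ports in listening.items()
        for port in ports - authorized.get(host, set())
    )
```

With the sample data, the critical finding on 10.0.0.5 persists past its 48-hour window and port 3389 on the same host is not authorized, so both would be flagged for follow-up.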