T7.7.1 - P1 - CONTROL OF TECHNICAL VULNERABILITIES
As a prerequisite, a current and complete inventory of assets is needed (including software vendor, version numbers, current state of deployment, and the person(s) within the entity responsible for the software).
The following guidance should be followed to establish an effective management process for technical vulnerabilities:
- A. The entity should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment (see M2.2), patching, asset tracking, and any coordination responsibilities required
- B. The entity should identify the information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness of them, for software and other technology (based on the asset inventory list); these information resources should be updated when the inventory changes or when other new or useful resources are found
- C. The entity should define a timeline to react to notifications of potentially relevant technical vulnerabilities
- D. The entity should identify the risks associated with a potential technical vulnerability and the actions to be taken; such action could involve patching the vulnerable systems and/or applying other controls
- E. Depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management or by following information security incident response procedures
- F. If a patch is available, the risks associated with installing the patch should be assessed (the risk posed by the vulnerability should be weighed against the risk of installing the patch)
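As an added illustration, not part of this control text or of any standard, the following Python routine applies steps B to F to a constructed asset inventory and a constructed advisory: it matches the advisory to inventory entries by vendor, product and version range, sets a deadline from a defined reaction timeline, routes the work to incident response or change management, and weighs patch risk against vulnerability risk. The inventory, the advisory, the REACTION_HOURS timeline, the severity scale and the routing rule are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed asset inventory (the prerequisite above): vendor, product, version, state, owner.
INVENTORY = [
    {"asset": "web-01", "vendor": "ExampleCorp", "product": "AppServer", "version": "4.2.1", "state": "production", "owner": "app-team"},
    {"asset": "web-02", "vendor": "ExampleCorp", "product": "AppServer", "version": "4.3.0", "state": "staging", "owner": "app-team"},
    {"asset": "db-01", "vendor": "OtherVendor", "product": "DBEngine", "version": "9.1", "state": "production", "owner": "dba-team"},
]

# Assumed reaction timeline (step C): hours allowed to act, keyed by assessed severity.
REACTION_HOURS = {"critical": 24, "high": 72, "medium": 240, "low": 720}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_version(text):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def affected_assets(advisory):
    """Steps B and D: match an advisory to inventory entries by vendor and product,
    and by version in the half-open range [affected_from, fixed_in)."""
    lo, hi = parse_version(advisory["affected_from"]), parse_version(advisory["fixed_in"])
    return [a for a in INVENTORY
            if (a["vendor"], a["product"]) == (advisory["vendor"], advisory["product"])
            and lo <= parse_version(a["version"]) < hi]

def triage(advisory, received):
    """Steps C to F: per affected asset, set the deadline, choose the route (incident
    response for critical production exposure, else change management) and the action."""
    deadline = received + timedelta(hours=REACTION_HOURS[advisory["severity"]])
    # Step F: patch only if the patch's own risk does not exceed the risk posed
    # by the vulnerability (both assumed to be rated on the same scale).
    patch_ok = (advisory["patch_available"]
                and SEVERITY_RANK[advisory["patch_risk"]] <= SEVERITY_RANK[advisory["severity"]])
    actions = []
    for a in affected_assets(advisory):
        urgent = advisory["severity"] == "critical" and a["state"] == "production"
        actions.append({"asset": a["asset"], "owner": a["owner"], "deadline": deadline,
                        "route": "incident-response" if urgent else "change-management",
                        "action": "patch" if patch_ok else "compensating-controls"})
    return actions

# Constructed advisory, in the shape a monitored information resource might publish.
ADVISORY = {"id": "ADV-EXAMPLE-001", "vendor": "ExampleCorp", "product": "AppServer",
            "affected_from": "4.0.0", "fixed_in": "4.2.2", "severity": "critical",
            "patch_available": True, "patch_risk": "medium"}
RECEIVED = datetime(2024, 1, 15, 9, 0)  # constructed notification time

if __name__ == "__main__":
    for action in triage(ADVISORY, RECEIVED):
        print(action)
```

Only web-01 falls inside the affected version range, so it is the single action produced; web-02 is already on a fixed version and db-01 is a different product.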