TVM: Threat & Vulnerability Management

Controls

TVM-01: Threat and Vulnerability Management Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.

TVM-02: Malware Protection Policy and Procedures

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets. Review and update the policies and procedures at least annually.

TVM-03: Vulnerability Remediation Schedule

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.

TVM-04: Detection Updates

Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly or more frequent basis.

TVM-05: External Library Vulnerabilities

Define, implement and evaluate processes, procedures and technical measures to identify updates for applications which use third-party or open-source libraries, according to the organization's vulnerability management policy.

TVM-06: Penetration Testing

Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.

TVM-07: Vulnerability Identification

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.