TVM-01: Threat and Vulnerability Management Policy and Procedures

Control is new to this version of the control set and incorporates the following items from the previous version: GRM-06: Policy, GRM-09: Policy Reviews, TVM-02: Vulnerability / Patch Management.

Control Statement

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities, in order to protect systems against vulnerability exploitation. Review and update the policies and procedures at least annually.

Implementation Guidance

A policy on threat and vulnerability management (TVM) should be established that includes the intent, purpose, and governance of how a CSP or CSC must address threats and vulnerabilities for their respective scope under the SSRM. At a minimum, the policy should specify:

  1. What should be covered under the scope, especially the need to comply with applicable laws, regulations, and contractual requirements.
  2. The frequency of assessments.
  3. The methods that should be used.
  4. How and when assessments and significant vulnerabilities should be reported, including when it’s appropriate to share vulnerability information with customers and business partners.
  5. How reports should be reviewed.
  6. How actions to address relevant risks and opportunities should be tracked to closure.
  7. Approval of CSP native and (where applicable) third-party data/asset protection capabilities and relevant services for use by appropriate CSC authorities.
  8. A well-defined incident response process aligned with an organization's risk tolerance, accompanied by appropriate communication and notifications.
  9. Acceptable periods of remediation of threats in order of severity and criticality of computing infrastructure.
  10. Log review and correlation procedures with appropriate threat intelligence capabilities for logs, events, metrics, and incidents (preferably through a centralized service).

Auditing Guidance

  1. Examine policy for adequacy, currency, communication, and effectiveness.
  2. Examine policy and procedures for evidence of review at least annually.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.