TVM-03: Vulnerability Remediation Schedule

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications, based on the identified risk.

Implementation Guidance

An integrated TVM system should be implemented that can maintain records of threats and vulnerabilities found over time and the result of their mitigation actions. The Integrated TVM system should be used to mitigate all future risks, by leveraging the previous experiences of the mitigation activities. A full remediation schedule should be considered. The schedule should classify and prioritize vulnerabilities in order of their severity and threat to the environment, aligned to the expectations of TVM Policy. Vulnerability remediation schedules should be approved and communicated to all relevant stakeholders (and included in SLA's).

Auditing Guidance

  1. Examine policy for adequacy, currency, and effectiveness.
  2. Determine if technical measures are evaluated for effectiveness.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.