TVM-07: Vulnerability Identification

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following item from the previous version: TVM-02: Vulnerability / Patch Management.

Control Statement

Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.

Implementation Guidance

The integrated TVM system should track vulnerabilities to closure and report them to build oversight of residual risks. Furthermore, the system should retain information that can be reused in future remediation activities. Organizations should consider establishing an external-facing vulnerability disclosure program to allow external parties to communicate detected vulnerabilities.

Auditing Guidance

  1. Examine policy for adequacy, currency, and effectiveness.
  2. Determine if vulnerability detection is undertaken as required, and at least monthly.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.