TVM-08: Vulnerability Prioritization

CSF v1.1 References:

PF v1.0 References:

This control is new to this version of the control set and incorporates the following item from the previous version: TVM-02: Vulnerability / Patch Management.

Control Statement

Use a risk-based model for effective prioritization of vulnerability remediation using an industry recognized framework.

Implementation Guidance

Vulnerabilities should be prioritized in terms of their relative risk, importance, organizational impact, and urgency. When evaluating impact, consider exposure levels to applicable threats from the organization’s specific usage and/or implementation. When evaluating importance, consider the criticality and value of the affected assets. Finally, when assessing urgency, consider the Common Vulnerability Scoring System (CVSS) ratings and timeframes, the relevance to current and ongoing threats, and the effort required for remediation.
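The following is an added, illustrative model of the risk-based prioritization the guidance describes; it is not part of the Cloud Controls Matrix or any CSA publication. It combines the factors named above (CVSS severity, asset criticality, exposure, relevance to current threats, and remediation effort) into one relative score and an SLA bucket. The weights, thresholds, and timeframes are assumptions to be tuned to the organization's risk appetite, and the findings are constructed. The point it demonstrates is that a CVSS 9.8 on an isolated, low-value host can legitimately rank below a CVSS 5.3 on an internet-facing, business-critical asset.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance on one asset (all values constructed for the example)."""
    vuln_id: str
    asset: str
    cvss_base: float          # CVSS base score, 0.0 to 10.0
    asset_criticality: int    # 1 (disposable) to 5 (business-critical)
    internet_exposed: bool    # reachable from untrusted networks
    actively_exploited: bool  # relevant to current, ongoing threats
    remediation_effort: int   # 1 (routine patch) to 5 (major change)


# Hypothetical weights and SLA thresholds: assumptions, not CSA-prescribed values.
EXPOSURE_FACTOR = {True: 1.0, False: 0.5}     # isolated assets halve the score
EXPLOITED_FACTOR = {True: 1.5, False: 1.0}    # known exploitation raises urgency
SLA_BUCKETS = [
    (70.0, "critical: remediate within 7 days"),
    (40.0, "high: remediate within 30 days"),
    (15.0, "medium: remediate within 90 days"),
    (0.0, "low: next maintenance cycle"),
]


def priority_score(f: Finding) -> float:
    """Relative risk score 0..100: severity x importance x exposure x urgency."""
    severity = f.cvss_base / 10.0             # urgency input: CVSS rating
    importance = f.asset_criticality / 5.0    # importance input: asset value
    raw = (100.0 * severity * importance
           * EXPOSURE_FACTOR[f.internet_exposed]
           * EXPLOITED_FACTOR[f.actively_exploited])
    return round(min(raw, 100.0), 1)


def sla_bucket(score: float) -> str:
    """Map a score to a remediation timeframe (thresholds are assumptions)."""
    for threshold, label in SLA_BUCKETS:
        if score >= threshold:
            return label
    return SLA_BUCKETS[-1][1]


def prioritize(findings: List[Finding]) -> List[Tuple[Finding, float, str]]:
    """Rank findings by score; equal scores are broken by lower remediation effort."""
    scored = [(f, priority_score(f)) for f in findings]
    scored.sort(key=lambda item: (-item[1], item[0].remediation_effort))
    return [(f, s, sla_bucket(s)) for f, s in scored]


# Constructed sample findings (IDs and hosts are placeholders, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "dev-sandbox-01", 9.8, 2, False, False, 1),
    Finding("VULN-B", "payments-api", 7.5, 5, True, True, 3),
    Finding("VULN-C", "customer-portal", 5.3, 5, True, False, 2),
    Finding("VULN-D", "erp-db-primary", 9.1, 4, False, False, 5),
    Finding("VULN-E", "print-server", 4.0, 1, False, False, 1),
    Finding("VULN-F", "erp-app-node", 9.1, 4, False, False, 2),
]


if __name__ == "__main__":
    for f, score, bucket in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id:7} {f.asset:16} cvss={f.cvss_base:<4} score={score:<5} {bucket}")
```

In the sample run, VULN-B (CVSS 7.5, exposed, exploited, critical asset) tops the list and VULN-A (CVSS 9.8 on an isolated sandbox) lands in the medium bucket; VULN-F and VULN-D score identically and the cheaper fix is ordered first. A production implementation would replace the hand-tuned multipliers with an industry-recognized framework, for example SSVC decision trees or EPSS exploitation probabilities, which is what the control statement asks for, and would record the inputs so the auditing step can trace each remediation deadline back to the assessment.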

Auditing Guidance

  1. Examine policy and procedures related to the prioritization of detected vulnerabilities.
  2. Determine if an industry recognized or widely used framework is implemented.
  3. Examine how the output of risk assessment of the vulnerabilities is used to inform prioritization of remediation.
  4. Determine if the process is evaluated for effectiveness.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.