TVM-09: Vulnerability Management Reporting

CSF v1.1 References:

PF v1.0 References:

Previous Version:

Control Statement

Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification.

Implementation Guidance

The integrated TVM system should have comprehensive vulnerability tracking capabilities. These capabilities should record when vulnerabilities were discovered and when they were remediated, the systems impacted, the reasons for any delay (where applicable), and any communications that may have been made to stakeholders.

Auditing Guidance

  1. Examine policy and procedures related to tracking and reporting of vulnerabilities.
  2. Examine the process to identify stakeholders.
  3. Determine if the process is implemented.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.