TVM-10: Vulnerability Management Metrics

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.

Implementation Guidance

The integrated TVM system should be used to collect and report metrics about the vulnerability management program. Metrics should demonstrate the coverage, efficacy, and efficiency of operational TVM activities.

Auditing Guidance

  1. Verify that metrics have been established to measure vulnerabilities.
  2. Examine the process for reporting metrics, including identification of recipients.
  3. Determine if reports are sent at the defined intervals.

[ Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.