ID.RA-1: Asset vulnerabilities are identified and documented
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
CA-2: Control Assessments
Select the appropriate assessor or assessment team for the type of assessment to be conducted; Develop a control assessment plan that describes the scope of the assessment including: Controls and control enhancements under assessment; Assessment procedures to be used to determine control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Ensure the…
CA-5: Plan of Action and Milestones
Develop a plan of action and milestones for the system to document the planned remediation actions of the organization to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the…
CA-7: Continuous Monitoring
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; Ongoing control assessments in accordance with the continuous…
CA-8: Penetration Testing
Conduct penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined systems or system components].
PM-4: Plan of Action and Milestones Process
Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: Are developed and maintained; Document the remedial information security, privacy, and supply chain risk management actions to adequately respond to risk to organizational operations and assets, individuals, other organizations,…
PM-15: Security and Privacy Groups and Associations
Establish and institutionalize contact with selected groups and associations within the security and privacy communities: To facilitate ongoing security and privacy education and training for organizational personnel; To maintain currency with recommended security and privacy practices, techniques, and technologies; and To share current security and privacy information, including threats, vulnerabilities, and incidents.
RA-3: Risk Assessment
Conduct a risk assessment, including: Identifying threats to and vulnerabilities in the system; Determining the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification, or destruction of the system, the information it processes, stores, or transmits, and any related information; and Determining the likelihood and impact of adverse effects on individuals arising…
RA-5: Vulnerability Monitoring and Scanning
Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards…
SA-5: System Documentation
Obtain or develop administrator documentation for the system, system component, or system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security and privacy functions and mechanisms; and Known vulnerabilities regarding configuration and use of administrative or privileged functions; Obtain or develop user documentation for…
SA-11: Developer Testing and Evaluation
Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: Develop and implement a plan for ongoing security and privacy assessments; Perform [Assignment (one or more): unit, integration, system, regression] testing/evaluation [Assignment: organization-defined frequency] at [Assignment: organization-defined depth and coverage]; Produce evidence of…
SI-2: Flaw Remediation
Identify, report, and correct system flaws; Test software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Install security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and Incorporate flaw remediation into the organizational configuration management process.
SI-4: System Monitoring
1. Strategically within the system to collect organization-determined essential information; and 1. At ad hoc locations within the system to track specific types of transactions of interest to the organization; Monitor the system to detect: Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and Unauthorized local,…
SI-5: Security Alerts, Advisories, and Directives
Receive system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generate internal security alerts, advisories, and directives as deemed necessary; Disseminate security alerts, advisories, and directives to: [Assignment (one or more): [Assignment: organization-defined personnel or roles] , [Assignment: organization-defined elements within the organization] , [Assignment: organization-defined external organizations] ];…
NIST Special Publication 800-171 Revision 2
3.11.1: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI
Clearly defined system boundaries are a prerequisite for effective risk assessments. Such risk assessments consider threats, vulnerabilities, likelihood, and impact to organizational operations, organizational assets, and individuals based on the operation and use of organizational systems. Risk assessments also consider risk from external parties (e.g., service providers, contractors operating systems on behalf of the organization,…
3.11.2: Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified
Organizations determine the required vulnerability scanning for all system components, ensuring that potential sources of vulnerabilities such as networked printers, scanners, and copiers are not overlooked. The vulnerabilities to be scanned are readily updated as new vulnerabilities are discovered, announced, and scanning methods developed. This process ensures that potential vulnerabilities in the system are identified…
3.12.1: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating…
3.12.3: Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by…
3.14.1: Identify, report, and correct system flaws in a timely manner
Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system…
3.14.3: Monitor system security alerts and advisories and take action in response
There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may…
3.14.6: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the system. Organizations can monitor systems, for example, by observing audit record activities in real time or by observing…
3.14.7: Identify unauthorized use of organizational systems
System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring…
Cloud Controls Matrix v3.0.1
CCC-03: Quality Testing
Organizations shall follow a defined quality change control and testing process (e.g., ITIL Service Management) with established baselines, testing, and release standards that focus on system availability, confidentiality, and integrity of systems and services.
GRM-02: Data Focus Risk Assessments
Risk assessments associated with data governance requirements shall be conducted at planned intervals and shall consider the following: Awareness of where sensitive data is stored and transmitted across applications, databases, servers, and network infrastructure Compliance with defined retention periods and end-of-life disposal requirements Data classification and protection from unauthorized use, access, loss, destruction, and falsification
GRM-10: Risk Assessments
Aligned with the enterprise-wide framework, formal risk assessments shall be performed at least annually or at planned intervals, (and in conjunction with any changes to information systems) to determine the likelihood and impact of all identified risks using qualitative and quantitative methods. The likelihood and impact associated with inherent and residual risk shall be determined…
TVM-02: Vulnerability / Patch Management
Policies and procedures shall be established, and supporting processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed applications, infrastructure network and system components (e.g., network vulnerability assessment, penetration testing) to ensure the efficiency of implemented security controls. A risk-based model for prioritizing remediation of identified vulnerabilities shall be used. Changes…
Critical Security Controls Version 8
7: Continuous Vulnerability Management
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
NIST Special Publication 800-53 Revision 4
CA-2: Security Assessments
The organization: Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities; Assesses the security controls in the information system and its environment of operation…
CA-7: Continuous Monitoring
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: Establishment of [Assignment: organization-defined metrics] to be monitored; Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring; Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; Ongoing security status monitoring…
CA-8: Penetration Testing
The organization conducts penetration testing [Assignment: organization-defined frequency] on [Assignment: organization-defined information systems or system components].
RA-3: Risk Assessment
The organization: Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]]; Reviews risk assessment results [Assignment:…
RA-5: Vulnerability Scanning
The organization: Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using…
SA-5: Information System Documentation
The organization: Obtains administrator documentation for the information system, system component, or information system service that describes: Secure configuration, installation, and operation of the system, component, or service; Effective use and maintenance of security functions/mechanisms; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; Obtains user documentation for the information system, system…
SA-11: Developer Security Testing And Evaluation
The organization requires the developer of the information system, system component, or information system service to: Create and implement a security assessment plan; Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at [Assignment: organization-defined depth and coverage]; Produce evidence of the execution of the security assessment plan and the results of the security…
SI-2: Flaw Remediation
The organization: Identifies, reports, and corrects information system flaws; Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation; Installs security-relevant software and firmware updates within [Assignment: organization-defined time period] of the release of the updates; and Incorporates flaw remediation into the organizational configuration management process.
SI-4: Information System Monitoring
The organization: Monitors the information system to detect: Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and Unauthorized local, network, and remote connections; Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]; Deploys monitoring devices: Strategically within the information system to collect organization-determined essential information; and…
SI-5: Security Alerts, Advisories, And Directives
The organization: Receives information system security alerts, advisories, and directives from [Assignment: organization-defined external organizations] on an ongoing basis; Generates internal security alerts, advisories, and directives as deemed necessary; Disseminates security alerts, advisories, and directives to: [Selection (one or more): [Assignment: organization-defined personnel or roles]; [Assignment: organization-defined elements within the organization]; [Assignment: organization-defined external organizations]];…
Critical Security Controls Version 7.1
3: Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.