Description:
Vulnerabilities discovered, for example, via the scanning conducted in response to 3..2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
Priority: High
Category: Vulnerability Management
Services Associated with AWS:
- AWS Inspector, AWS Shield, AWS WAF, AWS Security Hub
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
- Administrative: supporting documentation of a prioritized risk register
- Administrative: supporting documentation of remediation activities being performed
- Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
- Technical: screenshot of ITAM or CMDB console
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Patch Management Solution
What needs to be answered:
Do system owners and company managers, upon recognition of any vulnerability, provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk? Does the plan include a reasonable time frame for implementation? Are all high vulnerabilities prioritized? Does the Plan of Action call out remedial security actions to mitigate risk to company operations, assets, employees, and other organizations?
- Remediation of Vulnerabilities Based on Risk Assessments
Description: This check verifies that identified vulnerabilities, such as those discovered through scanning procedures, are remediated considering the corresponding risk assessments. The consideration of risk is crucial to determine the prioritization of remediation efforts and the extent of resources to be deployed for remediation of specific vulnerabilities.
- Prioritization of Remediation Efforts Based on Risk Assessment
Description: This check ensures that the risk assessments guide the prioritization of remediation efforts for identified vulnerabilities. High-risk vulnerabilities should be addressed promptly to mitigate potential threats.
- Deployment of Resources for Remediation Based on Risk Assessment
Description: This check confirms that the deployment of resources for remediation of vulnerabilities is proportional to the assessed risk. Greater resources should be committed to high-risk vulnerabilities to ensure rapid and effective remediation.
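A worked example of the risk-based prioritization these checks describe, added here and not part of this page or of any AWS service: a Python triage that combines finding severity (in a Security Hub ASFF-like shape) with asset criticality from a CMDB-style lookup, assigns a remediation tier and an SLA due date, and flags overdue items. The SLA days, the tier matrix, the ARNs and the findings are constructed assumptions, not values from the page.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical remediation SLAs (days) per priority tier, as an RMP might define them.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0, "INFORMATIONAL": 0}
CRITICALITY_RANK = {"high": 2, "medium": 1, "low": 0}

# Constructed asset-criticality lookup; in practice this comes from the ITAM/CMDB.
ASSET_CRITICALITY = {
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0payment01": "high",
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0devbox02": "low",
}

# Constructed findings in an ASFF-like shape (Severity.Label, Resources[].Id, CreatedAt).
FINDINGS = [
    {"Id": "f-001", "Severity": {"Label": "HIGH"}, "CreatedAt": "2024-01-02T00:00:00Z",
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0payment01"}]},
    {"Id": "f-002", "Severity": {"Label": "CRITICAL"}, "CreatedAt": "2024-01-20T00:00:00Z",
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0devbox02"}]},
    {"Id": "f-003", "Severity": {"Label": "LOW"}, "CreatedAt": "2023-10-01T00:00:00Z",
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0devbox02"}]},
]
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)  # fixed "today" so the run is reproducible


def priority(severity_label: str, criticality: str) -> str:
    """Combine finding severity with asset criticality into a remediation tier P1..P4."""
    sev = SEVERITY_RANK.get(severity_label.upper(), 0)
    crit = CRITICALITY_RANK.get(criticality, 1)  # unknown assets default to medium
    tier = ["P4", "P4", "P3", "P2", "P1", "P1"][sev + crit]
    # Every HIGH or CRITICAL finding is tracked as at least P2, whatever the asset.
    if sev >= 2 and tier in ("P3", "P4"):
        tier = "P2"
    return tier


def triage(findings, now):
    """Annotate each finding with tier, SLA due date and overdue flag; most urgent first."""
    rows = []
    for f in findings:
        resource = f["Resources"][0]["Id"]
        tier = priority(f["Severity"]["Label"], ASSET_CRITICALITY.get(resource, "medium"))
        created = datetime.fromisoformat(f["CreatedAt"].replace("Z", "+00:00"))
        due = created + timedelta(days=SLA_DAYS[tier])
        rows.append({"id": f["Id"], "resource": resource, "priority": tier,
                     "due": due, "overdue": now > due})
    return sorted(rows, key=lambda r: (r["priority"], r["due"]))
```

Running `triage(FINDINGS, NOW)` yields the prioritized list an auditor would expect to see reconciled against the risk register: the HIGH finding on the high-criticality asset lands in P1 and is already past its 7-day SLA.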
More Details:
Regular risk assessments are performed, and policies and training are updated based on the assessment results.