Description:   

Vulnerabilities discovered, for example, via the scanning conducted in response to 3..2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. 


Priority: High   


Category: Vulnerability Management 


Services Associated with AWS:   

  • AWS Inspector, AWS Shield, AWS WAF, AWS Security Hub


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of remediation activities being performed
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of ITAM or CMDB console 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Patch Management Solution 


What needs to be answered:


Do system owners and company managers, upon recognition of any vulnerability, provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk? Does the plan include a reasonable time frame for implementation? Are all high vulnerabilities prioritized? Does the Plan of Action call out remedial security actions to mitigate risk to company operations, assets, employees, and other organizations?

  • Remediation of Vulnerabilities Based on Risk Assessments
    Description: This check verifies that identified vulnerabilities, such as those discovered through scanning procedures, are remediated considering the corresponding risk assessments. The consideration of risk is crucial to determine the prioritization of remediation efforts and the extent of resources to be deployed for remediation of specific vulnerabilities.
  • Prioritization of Remediation Efforts Based on Risk Assessment
    Description: This check ensures that the risk assessments guide the prioritization of remediation efforts for identified vulnerabilities. High-risk vulnerabilities should be addressed promptly to mitigate potential threats.
  • Deployment of Resources for Remediation Based on Risk Assessment
    Description: This check confirms that the deployment of resources for remediation of vulnerabilities is proportional to the assessed risk. Greater resources should be committed to high-risk vulnerabilities to ensure rapid and effective remediation.
     
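The three checks above all turn on one mechanism: a remediation priority and time frame that are derived from the assessed risk rather than from the raw scanner severity. The following Python script is an added illustration of that mechanism, not part of the control text and not an AWS or Security Hub feature. The findings, the asset-criticality multipliers, the exposure/exploitability weighting and the per-tier SLA windows are all constructed assumptions standing in for what an organization's risk register and remediation policy would define; the CMDB criticality field is assumed to be available on each finding.

```python
"""Risk-based prioritization of vulnerability findings (added example).

Each finding carries the scanner's CVSS base score plus context from the
asset inventory (criticality, exposure) and threat intel (exploit
availability). The risk score drives both the ordering of remediation work
and the remediation deadline, which is what the control asks for.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows per risk tier (policy values, not from the control)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed multiplier for asset criticality as recorded in the CMDB / ITAM system
ASSET_CRITICALITY = {"low": 1.0, "medium": 1.5, "high": 2.0}

# Assumed multiplier applied once for internet exposure and once for a known exploit
CONTEXT_MULTIPLIER = 1.25


@dataclass
class Finding:
    finding_id: str
    cvss: float              # scanner base score, 0.0 to 10.0
    asset: str
    asset_criticality: str   # "low" | "medium" | "high", from the asset inventory
    internet_exposed: bool
    exploit_available: bool
    first_seen: date         # date the scanner first reported the finding
    remediated: bool = False


def risk_score(f: Finding) -> float:
    """Combine CVSS with asset and threat context; capped at 20.0."""
    score = f.cvss * ASSET_CRITICALITY[f.asset_criticality]
    if f.internet_exposed:
        score *= CONTEXT_MULTIPLIER
    if f.exploit_available:
        score *= CONTEXT_MULTIPLIER
    return round(min(score, 20.0), 2)


def risk_tier(score: float) -> str:
    """Map a risk score onto the tiers that the SLA policy is written against."""
    if score >= 15.0:
        return "critical"
    if score >= 10.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def prioritize(findings: list[Finding]) -> list[tuple[Finding, float, str]]:
    """Return findings ordered highest risk first, with score and tier."""
    scored = [(f, risk_score(f), risk_tier(risk_score(f))) for f in findings]
    return sorted(scored, key=lambda item: -item[1])


def sla_status(f: Finding, today: date) -> dict:
    """Compute the remediation deadline for a finding and whether it is overdue."""
    tier = risk_tier(risk_score(f))
    due = f.first_seen + timedelta(days=SLA_DAYS[tier])
    days_remaining = (due - today).days
    return {
        "finding_id": f.finding_id,
        "tier": tier,
        "due": due,
        "days_remaining": days_remaining,
        "overdue": days_remaining < 0 and not f.remediated,
    }


def overdue_findings(findings: list[Finding], today: date) -> list[Finding]:
    """Open findings whose risk-based remediation window has elapsed."""
    return [f for f in findings if sla_status(f, today)["overdue"]]


# Constructed sample findings; IDs, hosts and dates are made up for the example.
TODAY = date(2024, 3, 15)
SAMPLE_FINDINGS = [
    Finding("F-001", 9.8, "web-01", "high", True, True, date(2024, 3, 1)),
    Finding("F-002", 7.5, "app-02", "medium", False, False, date(2024, 3, 1)),
    Finding("F-003", 5.3, "build-03", "low", False, False, date(2023, 12, 1)),
    Finding("F-004", 2.0, "dev-04", "low", False, False, date(2024, 3, 1), remediated=True),
]

if __name__ == "__main__":
    for f, score, tier in prioritize(SAMPLE_FINDINGS):
        st = sla_status(f, TODAY)
        flag = "OVERDUE" if st["overdue"] else ""
        print(f"{f.finding_id} {f.asset:10} score={score:5.2f} tier={tier:8} "
              f"due={st['due']} {flag}")
```

Running the script lists F-001 first: a 9.8 CVSS on an internet-facing, high-criticality host with a public exploit lands in the critical tier and is already past its seven-day window, while F-003 shows how a medium-severity finding still becomes overdue once its ninety-day window passes. F-004 is excluded from the overdue list because it is marked remediated. The evidence the control asks for (a prioritized risk register and a record of remediation activity) corresponds to the output of `prioritize` and `overdue_findings` respectively.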


More Details:   

Regular assessments of risk are performed, and policies and training are updated based on the assessment results.