Vulnerabilities discovered, for example, via the scanning conducted in response to 3..2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. 

Priority: High   

Category: Vulnerability Management 

Services Associated with AWS:   

  • AWS Inspector, AWS Shield, AWS WAF, AWS Security Hub

Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of remediation activities being performed
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of ITAM or CMDB console 

Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Patch Management Solution 

What needs to be answered:

Do system owners and company managers, upon recognition of any vulnerability, provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk? Does the plan include a reasonable time frame for implementation? Are all high vulnerabilities prioritized? Does the Plan of Action call out remedial security actions to mitigate risk to company operations, assets, employees, and other organizations?

  • Remediation of Vulnerabilities Based on Risk Assessments
    Description: This check verifies that identified vulnerabilities, such as those discovered through scanning procedures, are remediated considering the corresponding risk assessments. The consideration of risk is crucial to determine the prioritization of remediation efforts and the extent of resources to be deployed for remediation of specific vulnerabilities.
  • Prioritization of Remediation Efforts Based on Risk Assessment
    Description: This check ensures that the risk assessments guide the prioritization of remediation efforts for identified vulnerabilities. High-risk vulnerabilities should be addressed promptly to mitigate potential threats.
  • Deployment of Resources for Remediation Based on Risk Assessment
    Description: This check confirms that the deployment of resources for remediation of vulnerabilities is proportional to the assessed risk. Greater resources should be committed to high-risk vulnerabilities to ensure rapid and effective remediation.
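The three checks above (risk-informed remediation, risk-based prioritization, and resources proportional to risk) can be made concrete with a small prioritization routine. The following is an added example, not part of the control text or any assessor tooling: it scores constructed scanner findings by CVSS, network exposure and asset criticality from an assumed CMDB extract, maps the score to a risk tier, assigns an assumed per-tier remediation time frame, and produces a prioritized register that flags overdue items. All asset names, weights, SLA values, dates and findings are assumptions chosen for illustration; the CVSS-only view would rank F-3 as critical, while the risk-based view places it last because the asset is isolated and low-criticality.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed CMDB extract (assumption): asset criticality, 1 = low, 3 = business critical
ASSET_CRITICALITY = {"web-prod-01": 3, "build-runner-07": 2, "dev-sandbox-03": 1}

# Constructed exposure weighting (assumption): internet-facing assets weigh more
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0, "isolated": 0.5}

# Assumed remediation time frames per risk tier, in days (illustrative policy values)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    finding_id: str
    asset: str
    cvss: float      # CVSS base score, 0.0 - 10.0
    exposure: str    # one of the EXPOSURE_WEIGHT keys
    discovered: date


def risk_score(finding: Finding) -> float:
    """Risk = CVSS x exposure weight x asset criticality (maximum 10 x 1.5 x 3 = 45)."""
    if not 0.0 <= finding.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {finding.cvss}")
    weight = EXPOSURE_WEIGHT[finding.exposure]
    # Unknown asset: not in the CMDB, so treat as low criticality but do not drop it
    criticality = ASSET_CRITICALITY.get(finding.asset, 1)
    return round(finding.cvss * weight * criticality, 2)


def risk_tier(score: float) -> str:
    """Map a risk score to the tier that selects the remediation time frame."""
    if score >= 30.0:
        return "critical"
    if score >= 15.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def build_register(findings, as_of: date) -> list[dict]:
    """Prioritized risk register: highest risk first, each row with due date and overdue flag."""
    register = []
    for f in findings:
        score = risk_score(f)
        tier = risk_tier(score)
        due = f.discovered + timedelta(days=SLA_DAYS[tier])
        register.append({
            "finding_id": f.finding_id,
            "asset": f.asset,
            "cvss": f.cvss,
            "risk_score": score,
            "tier": tier,
            "due": due,
            "overdue": as_of > due,
        })
    register.sort(key=lambda row: row["risk_score"], reverse=True)
    return register


def overdue_ids(register) -> list[str]:
    """Findings whose remediation time frame has elapsed as of the register date."""
    return [row["finding_id"] for row in register if row["overdue"]]


# Constructed scan findings (assumption), in the shape a scanner export might provide
SAMPLE_FINDINGS = [
    Finding("F-1", "web-prod-01", 9.8, "internet", date(2024, 2, 10)),
    Finding("F-2", "build-runner-07", 7.5, "internal", date(2024, 2, 15)),
    Finding("F-3", "dev-sandbox-03", 9.8, "isolated", date(2023, 12, 1)),
    Finding("F-4", "web-prod-01", 5.3, "internet", date(2024, 1, 20)),
]
AS_OF = date(2024, 3, 1)  # constructed "today" for the overdue check

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS, AS_OF):
        status = "OVERDUE" if row["overdue"] else "on track"
        print(f'{row["finding_id"]:>4} {row["asset"]:<16} cvss={row["cvss"]:<4} '
              f'risk={row["risk_score"]:<6} {row["tier"]:<8} due {row["due"]} {status}')
```

The register output is the kind of artifact listed under Objective Evidence (a prioritized risk register plus evidence that remediation is tracked against a time frame); in practice the weights and SLA table would come from the organization's documented risk management program rather than constants in code.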

More Details:   

Regular assessments of risk are performed, and policies and training are updated based on the assessment results.