Level 1

Description:

Organizations identify systems that are affected by announced software and firmware flaws including potential vulnerabilities resulting from those flaws and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and anti-virus signatures. Organizations address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) database or Common Vulnerabilities and Exposures (CVE) database in remediating flaws discovered in organizational systems.  Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types of remediation.  [SP 800-40] provides guidance on patch management technologies.


Priority: High


Domain:  SYSTEM AND INFORMATION INTEGRITY (SI) 


Category: Vulnerability Management 


Services Associated with AWS:

  1. AWS Security Hub
  2. Amazon Inspector
  3. AWS Config
  4. AWS Systems Manager


Services Associated with Azure: 

  1. Change Control Solution
  2. Patch Management Solution
  3. Configuration Management Database (CMDB)
  4. Azure Update Management
  5. Azure Automation
  6. Azure Monitor


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the maintenance request(s)
  • Administrative: supporting documentation of a Vulnerability & Patch Management Program (VPMP) that addresses corrective maintenance operations
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing maintenance roles
  • Technical: screen shot of Configuration Management Database (CMDB) ticket 

Possible Technology Considerations : 

  • Patch Management Solution
  • Change Control Solution
  • Configuration Management Database (CMDB) 

What needs to be answered?

Are system flaws identified, reported, and corrected within company-defined time periods? Does the company perform all security-relevant software updates (patching, service packs, hot fixes, and anti-virus signature additions) in response to identified system flaws and vulnerabilities within the timeframe specified in policy or within the system security plan? When available, do managers and administrators of the system rely on centralized management of the flaw remediation process, to include the use of automated update software, patch management tools, and automated status scanning? Is the time between flaw identification and flaw remediation measured and compared with benchmarks?


Checks for AWS: 

  • System Flaw Identification Check
    Description: This check verifies that systems affected by software and firmware flaws, including potential vulnerabilities resulting from those flaws, are identified promptly. The check also ensures that these are reported to the appropriate personnel with information security responsibilities.
  • Flaw Remediation Check
    Description: This check ensures that flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling are addressed in a timely manner. It also ensures that any necessary updates, such as patches, service packs, hot fixes, and anti-virus signatures, are installed promptly.
  • Regular Update Check
    Description: This check verifies that security-relevant software and firmware are updated within the organization-defined time periods. It ensures that the criticality of the update is taken into consideration when determining the time frame for installation.


Checks for Azure:

  • System Flaw Identification Check:
    Description: This check validates whether systems affected by software and firmware flaws, along with potential vulnerabilities resulting from those flaws, are promptly identified. It ensures that the identified flaws are reported to the designated personnel with information security responsibilities.
  • Flaw Remediation Check:
    Description: This check verifies that flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling are addressed in a timely manner. It ensures that appropriate remediation actions are taken, such as applying updates, patches, service packs, hot fixes, or anti-virus signatures, to mitigate the identified flaws.
  • Regular Update Check:
    Description: This check ensures that security-relevant software and firmware updates are installed within the organization-defined time periods. It takes into consideration the criticality of the update and aligns with the policy or system security plan. This check helps maintain a proactive approach to keeping systems up to date with the latest security fixes.
  • Centralized Management Check:
    Description: This check evaluates whether managers and administrators of the system rely on centralized management for flaw remediation. It assesses whether automated update software, patch management tools, and automated status scanning are utilized to streamline the flaw remediation process. This helps ensure efficient and consistent application of updates across the organization's systems.
  • Time Measurement and Benchmark Check:
    Description: This check measures and compares the time between flaw identification and flaw remediation against predefined benchmarks. It helps organizations assess the effectiveness of their flaw remediation processes and identify areas where improvements can be made to reduce the time taken for addressing identified flaws.


More Details:

System flaws identified by employees and monitoring systems resolved by IT support staff as soon as possible.