Level 2

Description:   

Vulnerabilities discovered, for example, via the scanning conducted in response to 3..2, are remediated with consideration of the related assessment of risk. The consideration of risk influences the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities. 


Priority: High   


Domain:  RISK ASSESSMENT (RA) 


Category: Vulnerability Management 


Services Associated with AWS:   

  • AWS Inspector
  • AWS Shield
  • AWS WAF
  • AWS Security Hub


Services Associated with Azure:

  • Azure Security Center 
  • Azure Key Vault  
  • Azure Automation 
  • Azure Resource Manager (ARM)  


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of remediation activities being performed
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the request(s)
  • Technical: screenshot of ITAM or CMDB console 


Possible Technology Considerations:

  • Secure Baseline Configurations (SBC)
  • Patch Management Solution 


What needs to be answered:


Do system owners and company managers, upon recognition of any vulnerability, provide an action plan for remediation, acceptance, avoidance, or transference of the vulnerability risk? Does the plan include a reasonable time frame for implementation? Are all high vulnerabilities prioritized? Does the Plan of Action call out remedial security actions to mitigate risk to company operations, assets, employees, and other organizations?


Checks for AWS 

  • Remediation of Vulnerabilities Based on Risk Assessments
    Description: This check verifies that identified vulnerabilities, such as those discovered through scanning procedures, are remediated considering the corresponding risk assessments. The consideration of risk is crucial to determine the prioritization of remediation efforts and the extent of resources to be deployed for remediation of specific vulnerabilities.
  • Prioritization of Remediation Efforts Based on Risk Assessment
    Description: This check ensures that the risk assessments guide the prioritization of remediation efforts for identified vulnerabilities. High-risk vulnerabilities should be addressed promptly to mitigate potential threats.
  • Deployment of Resources for Remediation Based on Risk Assessment
    Description: This check confirms that the deployment of resources for remediation of vulnerabilities is proportional to the assessed risk. Greater resources should be committed to high-risk vulnerabilities to ensure rapid and effective remediation.
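One way to make the prioritization and time-frame questions above checkable in practice, as an added example that is not part of this control text or of any AWS tool: a triage over Security Hub-style (ASFF) findings that derives a remediation deadline from severity and flags findings past it, skipping those whose risk was formally accepted. The SLA day counts, the workflow-state handling and the sample findings are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed remediation time frames (days) per severity label; organization-specific.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Workflow states taken to mean no remediation is pending (fixed, or risk formally accepted).
CLOSED_STATES = {"RESOLVED", "SUPPRESSED"}


def _parse(ts):
    # ASFF timestamps are ISO 8601 with a trailing "Z"; make them offset-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def due_date(finding):
    """Deadline derived from severity and first-observed time; None if no SLA applies."""
    days = SLA_DAYS.get(finding["Severity"]["Label"].upper())
    return None if days is None else _parse(finding["FirstObservedAt"]) + timedelta(days=days)


def triage(findings, now):
    """Return (overdue, on_track) finding Ids, ordered by severity and then by due date."""
    open_items = []
    for f in findings:
        if f.get("RecordState") == "ARCHIVED" or f.get("Workflow", {}).get("Status") in CLOSED_STATES:
            continue  # nothing left to remediate, or risk accepted through the workflow
        due = due_date(f)
        if due is not None:
            open_items.append((RANK[f["Severity"]["Label"].upper()], due, f["Id"]))
    open_items.sort()
    overdue = [fid for _, due, fid in open_items if due < now]
    on_track = [fid for _, due, fid in open_items if due >= now]
    return overdue, on_track


# Constructed sample findings, trimmed to the ASFF fields this check uses.
SAMPLE_FINDINGS = [
    {"Id": "crit-old", "Severity": {"Label": "CRITICAL"}, "FirstObservedAt": "2024-01-01T00:00:00Z",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "high-new", "Severity": {"Label": "HIGH"}, "FirstObservedAt": "2024-01-10T00:00:00Z",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NOTIFIED"}},
    {"Id": "medium-old", "Severity": {"Label": "MEDIUM"}, "FirstObservedAt": "2023-09-01T00:00:00Z",
     "RecordState": "ACTIVE", "Workflow": {"Status": "NEW"}},
    {"Id": "low-accepted", "Severity": {"Label": "LOW"}, "FirstObservedAt": "2023-01-01T00:00:00Z",
     "RecordState": "ACTIVE", "Workflow": {"Status": "SUPPRESSED"}},
]


def check_sample():
    """Run the triage against the constructed findings as of a fixed date."""
    return triage(SAMPLE_FINDINGS, datetime(2024, 1, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    overdue, on_track = check_sample()
    print("overdue:", overdue)      # ['crit-old', 'medium-old']
    print("on track:", on_track)    # ['high-new']
```

The overdue list is the evidence an assessor asks for under this control: which high-risk items exceeded their risk-derived time frame, and which accepted risks were deliberately excluded.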

Checks for Azure 

  • Remediation of Vulnerabilities Based on Risk Assessments
    Description: This policy check ensures that identified vulnerabilities, such as those discovered through scanning procedures or risk assessments, are appropriately addressed by the system owners and company managers. The policy should mandate that an action plan is provided for each vulnerability, outlining the steps to remediate, accept, avoid, or transfer the risk. The plan should include a reasonable time frame for implementation based on the assessed risk level.

  • Prioritization of Remediation Efforts Based on Risk Assessment
    Description: This policy check ensures that system owners and company managers prioritize the remediation efforts based on the risk assessments of identified vulnerabilities. High-risk vulnerabilities should be addressed with higher priority, and the plan of action should specify the sequence of remediation tasks based on their risk levels.

  • Deployment of Resources for Remediation Based on Risk Assessment
    Description: This policy check validates that the deployment of resources for the remediation of vulnerabilities is commensurate with the assessed risk. System owners and company managers should allocate sufficient resources to address high-risk vulnerabilities promptly and effectively. The policy should require documentation of the resource allocation plan.

  • Regular Risk Assessment and Policy/Training Updates
    Description: This policy check ensures that regular risk assessments are performed to identify vulnerabilities and their associated risks. The policy should require system owners and company managers to update their policies and training materials based on the assessment results to reflect the evolving threat landscape.


More Details:   

Regular assessments of risk are performed, and policies and training are updated based on the assessment results.