The information security office performs weekly vulnerability scanning and reports findings from those scans to information resource custodians. Information resource custodians are allowed thirty (30) days for remediation before the vulnerabilities are reported to the information resource owner and chief information officer for risk determination.
Technical vulnerabilities are exploited to gain inappropriate or unauthorized access to information systems due to lack of controls for those vulnerabilities.
The organization:
a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;
b. Employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
2. Formatting checklists and test procedures; and
3. Measuring vulnerability impact;
c. Analyzes vulnerability scan reports and results from security control assessments;
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and
e. Shares information obtained from the vulnerability scanning process and security control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
The organization has periodic vulnerability scanning processes in place and operational.
The state organization scans for vulnerabilities in the information system at least annually or when significant new vulnerabilities potentially affecting the system are identified and reported.
Obtain risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning results; patch and vulnerability management records; vulnerability scanning tools and techniques documentation; other relevant documents or records and ascertain if :
(I)the organization defines in the security plan, explicitly or by reference, the frequency of vulnerability scans within the information system.
(ii)the organization scans for vulnerabilities in the information system in accordance with the organization-defined frequency and/or random in accordance with organizational policy and assessment of risk, or when significant new vulnerabilities potentially affecting the system are identified and reported.
(iii)the organization uses appropriate scanning tools and techniques to conduct the vulnerability scans.
(iv)the organization trains selected personnel in the use and maintenance of vulnerability scanning tools and techniques.
(v)the organization freely shares the information obtained from the vulnerability scanning process with appropriate personnel throughout the organization to help eliminate similar vulnerabilities in other information systems.
(vi) the organization uses vulnerability scanning tools that have the capability to readily update the list of information system vulnerabilities scanned.
