Vulnerability Management

The cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities (generally in software).

Cloud Controls Matrix (CCM) Data


IS-20 | Information Security | Vulnerability / Patch Management

Control Specification

Policies and procedures shall be established and mechanism implemented for vulnerability and patch management, ensuring that application, system, and network device vulnerabilities are evaluated and vendor-supplied security patches applied in a timely manner taking a risk-based approach for prioritizing critical patches.

Architectural Relevance

Physical | Network | Compute | App | Data
False | True | True | True | False

Corp Gov Relevance

True

Cloud Service Delivery Model Applicability

SaaS | PaaS | IaaS
True | True | True

Supplier Relationship

Service Provider | Tenant / Consumer
True | False

Scope Applicability

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA / HITECH Act: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO/IEC 27001-2005: A.12.5.1, A.12.5.2, A.12.6.1

NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5
FedRAMP (Final 2012) Low Impact: NIST SP 800-53 R3 CM-4, RA-5, SI-1, SI-2, SI-5
FedRAMP (Final 2012) Moderate Impact: NIST SP 800-53 R3 CM-3, CM-3 (2), CM-4, RA-5, RA-5 (1), RA-5 (2), RA-5 (3), RA-5 (6), RA-5 (9), SI-1, SI-2, SI-2 (2), SI-4, SI-5
PCI DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3

BITS Shared Assessments SIG v6.0: G.15.2, I.3
BITS Shared Assessments SIG v5.0: I.4
GAPP (Aug 2009): 1.2.6, 8.2.7

Jericho Forum: Commandment #4, Commandment #5
NERC CIP: CIP-004-3 R4 - 4.1 - 4.2; CIP-005-3a - R1 - R1.1; CIP-007-3 - R3 - R3.1 - R8.4


Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.1

Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.2

Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.3

Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.4

Will you make the results of vulnerability scans available to tenants at their request?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.5

Do you have a capability to rapidly patch vulnerabilities across all of your computing devices, applications, and systems?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True

Consensus Assessments Initiative Questionnaire (CAIQ) Data

Information Security (IS) | ID #IS-20.6

Will you provide your risk-based systems patching timeframes to your tenants upon request?

Compliance Mapping

COBIT 4.1: AI6.1, AI3.3, DS5.9
HIPAA: 45 CFR 164.308 (a)(1)(i)(ii)(A); 45 CFR 164.308 (a)(1)(i)(ii)(B); 45 CFR 164.308 (a)(5)(i)(ii)(B)
ISO 27001: A.12.5.1, A.12.5.2, A.12.6.1
NIST SP800-53 R3: CM-3, CM-4, CP-10, RA-5, SA-7, SI-1, SI-2, SI-5

FedRAMP: (no mapping listed)
PCI-DSS v2.0: 2.2, 6.1, 6.2, 6.3.2, 6.4.5, 6.5.X, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3
BITS: AUP v5.0 I.4; SIG v6.0 G.15.2, I.3
GAPP: Ref 1.2.6, Ref 8.2.7

Model Applicability

SaaS | PaaS | IaaS
True | True | True

Scope Applicability

SP | CUST
True | True