Vulnerability Scanning

class: Management
family: Risk Assessment
number: RA-5
priority: P1
impact baselines: LOW, MODERATE, HIGH

The organization:

a. Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported;

b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for:
   1. Enumerating platforms, software flaws, and improper configurations;
   2. Formatting and making transparent, checklists and test procedures; and
   3. Measuring vulnerability impact;

c. Analyzes vulnerability scan reports and results from security control assessments;

d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; and

e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
