3.3.17 Vulnerability Management
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Principle
The Member Organization should define, approve and implement a vulnerability management process for the identification and mitigation of application and infrastructure vulnerabilities. The effectiveness of this process should be measured and periodically evaluated.
Objective
To ensure timely identification and effective mitigation of application and infrastructure vulnerabilities in order to reduce the likelihood and business impact for the Member Organization.
Control considerations
1. The vulnerability management process should be defined, approved and implemented.
2. The effectiveness of the vulnerability management process should be measured and periodically evaluated.
3. The vulnerability management process should include:
   a. all information assets;
   b. frequency of performing the vulnerability scan (risk-based);
   c. classification of vulnerabilities;
   d. defined timelines to mitigate (per classification);
   e. prioritization for classified information assets;
   f. patch management and method of deployment.