Vulnerability and Patch Management
Organizations should ensure that Operating System (OS) and application patch levels are kept current so that known vulnerabilities are remediated. Additionally, a Vulnerability Management (VM) and Patching program should be in place to ensure that vulnerability scans are performed and system patches are applied on a timely basis.
- Policy is documented, approved, followed, reviewed, and updated regularly
- Vulnerability scans are performed prior to and following production launch
- Systems must be patched regularly to ensure current OS and application levels
- Vulnerability assessments are regularly conducted as part of a program and vulnerabilities must be rated according to criticality
- High and critical vulnerabilities must be remediated through patching, decommission, or compensating controls