Organizations should keep Operating System (OS) and application versions current, because outdated software is where known, already-patched vulnerabilities remain exploitable. Additionally, a Vulnerability Management (VM) and Patching program should be in place to ensure vulnerability scans are performed and system patches are applied on a timely basis.
Expert Opinion - Vulnerability Management
Control Objective
Policy is documented, approved, followed, reviewed, and updated regularly
Vulnerability scans are performed both prior to and following production launch
Systems must be patched regularly to ensure current OS and application levels
Vulnerability assessments are regularly conducted as part of a program and vulnerabilities must be rated according to criticality
High and critical vulnerabilities must be remediated through patching, decommission, or compensating controls