Threat & Vulnerability Management
TVM domain controls.
Threat and Vulnerability Management Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report and prioritize the remediation of vulnerabilities.
Malware Protection Policy and Procedures
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to protect against malware on managed assets.
Vulnerability Remediation Schedule
Define, implement and evaluate processes, procedures and technical measures to enable both scheduled and emergency responses to vulnerability identifications.
Detection Updates
Define, implement and evaluate processes, procedures and technical measures to update detection tools, threat signatures, and indicators of compromise on a weekly or more frequent basis.
External Library Vulnerabilities
Define, implement and evaluate processes, procedures and technical measures to identify updates for applications that use third-party or open-source libraries, according to the organization's vulnerability management policy.
Penetration Testing
Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties and internal teams.
Vulnerability Identification
Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly.
Vulnerability Prioritization
Use a risk-based model for effective prioritization of vulnerability remediation, using an industry-recognized framework.
Vulnerability Management Reporting
Define and implement a process for tracking and reporting vulnerability identification and remediation activities.
Vulnerability Management Metrics
Establish, monitor and report metrics for vulnerability identification and remediation at defined intervals.