
Requirement:

The cybersecurity requirements for technical vulnerabilities management must include at least the following:

Sub-Controls:

2-10-3-1:
Requirement:
Periodic vulnerabilities assessments.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Identify technologies and tools to assess and detect vulnerabilities in information and technology assets
  • Install vulnerability assessment and detection technologies and tools and link them to the organization's information and technology assets
  • Develop a periodic plan and procedures to inspect and detect vulnerabilities in the organization's information and technology assets, including:
    • Applications
    • Devices and servers
    • Databases
    • Organization's Networks
Expected Deliverables:
  • Cybersecurity policy that covers the periodic assessment and detection of vulnerabilities (based on the plan and the interval specified in the policy) for the following assets (e.g., electronic copy or official hard copy):
    • Applications
    • Devices and servers
    • Databases
    • Organization's Networks
  • Formal approval by the head of the organization or his/her deputy on such requirements (e.g., via the organization's official e-mail, paper or electronic signature)
  • Vulnerabilities management procedures and a periodic plan to assess and detect vulnerabilities
  • Periodic reports to assess and detect vulnerabilities
2-10-3-2:
Requirement:
Vulnerabilities classification based on criticality level.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Prepare and review vulnerabilities assessment reports on the information and technology assets in the organization, including the classification of vulnerabilities based on the following:
    • Description of vulnerabilities, their exploitation potential and the expected impact on the organization
    • Network segmentation
    • Classification of vulnerabilities by concerned assets
    • Classification of vulnerabilities based on Common Vulnerability Scoring System (CVSS)
Expected Deliverables:
  • Cybersecurity policy that covers the vulnerabilities classification mechanism and methodology based on their criticality and cyber risks and based on the organization's network segmentation (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such document (e.g., via the organization's official e-mail, paper or electronic signature)
  • Vulnerabilities management procedures that illustrate the classification mechanism
  • Vulnerabilities detection and assessment reports indicating the classification of vulnerabilities
2-10-3-3:
Requirement:
Vulnerabilities remediation based on classification and associated risk levels.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Share the organization's information and technology asset vulnerabilities assessment and detection reports with the relevant departments, including but not limited to:
    • Application management department
    • Workstations' department
    • Infrastructure department
    • Database management department
    • Network department
  • Ensure that the reports shared contain:
    • Vulnerabilities description
    • Name of the relevant assets in which vulnerabilities were assessed and detected
    • Vulnerabilities classification
  • Cooperate with the concerned departments to determine a time period and a plan to address the vulnerabilities, taking into account the vulnerabilities classification and classification of the relevant assets
  • Develop a mechanism to ensure that vulnerabilities are addressed based on the plan
Expected Deliverables:
  • Cybersecurity policy that covers plans to address the identified vulnerabilities in the organization (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such document (e.g., via the organization's official e-mail, paper or electronic signature)
  • Vulnerability Management Procedure
  • Patch Management Procedures
  • Vulnerability assessment (before and after remedy)
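As an added illustration of how the classification in 2-10-3-2 and the plan-based remediation tracking in 2-10-3-3 can be mechanised (example code written for this page, not part of the ECC or any NCA tool): each finding carries a CVSS base score and the owning asset's classification, is bucketed with the CVSS v3 qualitative rating scale, and receives a due date from an SLA table whose figures are assumed; the sample findings are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CVSS v3.x qualitative severity rating scale (the bands published by FIRST).
def cvss_severity(score: float) -> str:
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    return "Low" if score < 4.0 else "Medium" if score < 7.0 else "High" if score < 9.0 else "Critical"

# Assumed remediation windows in days, keyed by (severity, asset classification);
# the real figures come from the organization's approved policy and plan.
SLA_DAYS = {("Critical", "High"): 7, ("Critical", "Medium"): 14, ("Critical", "Low"): 30,
            ("High", "High"): 14, ("High", "Medium"): 30, ("High", "Low"): 60,
            ("Medium", "High"): 30, ("Medium", "Medium"): 60, ("Medium", "Low"): 90,
            ("Low", "High"): 90, ("Low", "Medium"): 180, ("Low", "Low"): 180}

@dataclass
class Finding:
    asset: str          # name of the asset where the vulnerability was detected
    department: str     # owning department that receives the report
    asset_class: str    # organization's asset classification, assumed scale High/Medium/Low
    description: str
    cvss: float         # CVSS base score reported by the scanner
    detected: date

def triage(f: Finding) -> dict:
    """Classify one finding and derive its remediation due date from the plan."""
    sev = cvss_severity(f.cvss)
    days = SLA_DAYS.get((sev, f.asset_class))  # None when severity is "None"
    return {"asset": f.asset, "description": f.description, "severity": sev,
            "due": f.detected + timedelta(days=days) if days is not None else None}

def department_reports(findings, today: date) -> dict:
    """Group triaged findings per department and flag items past their due date."""
    reports = {}
    for f in findings:
        t = triage(f)
        t["overdue"] = t["due"] is not None and t["due"] < today
        reports.setdefault(f.department, []).append(t)
    for items in reports.values():      # most urgent first, undated items last
        items.sort(key=lambda t: (t["due"] is None, t["due"] or today))
    return reports

# Constructed sample scan output, not real findings.
SAMPLE = [
    Finding("erp-app-01", "Application management", "High", "SQL injection in login form", 9.8, date(2024, 3, 1)),
    Finding("ws-0042", "Workstations", "Low", "Outdated PDF reader", 5.3, date(2024, 3, 1)),
    Finding("db-core-02", "Database management", "High", "Default admin credentials", 7.5, date(2024, 3, 20)),
]
```

The per-department output carries the three fields 2-10-3-3 requires in shared reports (description, asset name, classification), and the overdue flag is the check behind "a mechanism to ensure that vulnerabilities are addressed based on the plan".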
2-10-3-4:
Requirement:
Security patch management.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Link vulnerabilities management procedures to the security patch management procedures and change procedures
  • Analyze vulnerabilities assessment and detection reports to identify the organization's information and technology assets on which security patches must be installed
  • Cooperate with the concerned departments to determine a time period and plan to install patches, taking into account the need for updating and classification of the relevant assets
Expected Deliverables:
  • Cybersecurity policy and procedures that cover the security patch management requirements to address vulnerabilities (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such document (e.g., via the organization's official e-mail, paper or electronic signature)
  • Vulnerability Management Procedure
  • Patch Management Procedures
  • Vulnerability assessment (before and after remedy)
2-10-3-5:
Requirement:
Subscription with authorized and trusted cybersecurity resources for up-to-date information and notifications on technical vulnerabilities.
Control Implementation Guidelines:
  • Define and document the requirements of this ECC in the cybersecurity requirements document and have them approved by the representative
  • Identify and register with reliable sources of alerts on new and updated vulnerabilities. This includes:
    • National entities (e.g., NCA, NCSC)
    • Suppliers and Information and Technology Asset Manufacturers (OEMs)
    • Specialized cybersecurity groups in general and in the organization's sector
    • Cybersecurity companies through their tools and technologies
Expected Deliverables:
  • Cybersecurity policy that covers this control (e.g., electronic copy or official hard copy)
  • Formal approval by the head of the organization or his/her deputy on such document (e.g., via the organization's official e-mail, paper or electronic signature)
  • List of communication channels subscribed to for receiving alerts on new vulnerabilities