Identify, report, and correct information and information system flaws in a timely manner.

All software and firmware have potential flaws. Information system flaws generally refer to security vulnerabilities in software and operating systems. Hackers can exploit software vulnerabilities to access your systems and data. Software vendors work to remedy those flaws by releasing vulnerability information and updates to their software. Install software security updates to remediate vulnerabilities.

Identify systems that are missing security updates. This includes your workstations, servers, and network devices. Install the missing updates onto the identified systems. Going forward, install security updates when they released. It is always a good idea to test updates before deploying them to all your systems. You must have a process to review relevant vendor notifications and updates about vulnerabilities. After reviewing the information, the you must implement a patch management process to remediate the vulnerabilities. You must define the time frames within which flaws are identified, reported, and corrected for all systems.