Sub-Domain | Req. Name | Req. Description |
--- | --- | --- |
Governance and Operating Model | Policy | Policy that includes responsibilities related to threat and vulnerability management, reporting, rating criteria, remediation timelines, and escalation/exception processes shall be established |
Governance and Operating Model | Asset Inventory | An asset inventory (including physical systems, virtual systems, and sensitive information) of everything in scope for Vulnerability & Threat management shall be maintained. A list of technologies able to monitor for vulnerability impacts shall be maintained |
Reporting and Analysis | Integration with Risk Management | Vulnerabilities shall be analyzed for their impact on identified risks. Technical vulnerabilities shall be aligned with, and inform, the risks in the risk register and the assessed effectiveness of controls |
Reporting and Analysis | Patch Management | A patch management strategy and process shall be defined that outlines recurring patch management activities, defines acceptable implementation timelines, requires back-out procedures, tests patches for operational and security implications before deployment, has an exception process for not implementing patches, and has a defined emergency patching process |
Vulnerability Testing | Cloud Testing | Regularly scheduled, recurring security testing of the cloud environment shall be conducted. Testing shall follow the cloud provider’s process and guidelines. Client shall require the cloud provider to regularly conduct assessments and remediation and provide attestation of such to Client. Client shall review provider attestation on a regular basis. Client shall: a. Periodically monitor third parties’ compliance with security requirements; b. Supervise and monitor outsourced software development; c. Periodically monitor and review the services, reports, and records provided by third parties |
Vulnerability Testing | Code Scanning | Code reviews/scanning to identify potential security issues shall be conducted |
Vulnerability Testing | Pre-deployment testing | Security testing before deployment of changes to code or environment shall be conducted |
Vulnerability Testing | Database Testing | Regularly scheduled reviews of database security shall be conducted |
Vulnerability Testing | Penetration Testing (Internal) | Regularly scheduled penetration testing of its perimeter and public-facing environment shall be conducted |
Vulnerability Testing | Application Testing | Application reviews/testing to identify potential security issues shall be conducted |
Vulnerability Testing | Tools and Techniques | Vulnerability scanning tools and techniques shall be deployed that: a. Promote interoperability among tools and accommodate the virtualization technologies used; b. Automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws, and improper configurations; for formatting checklists and test procedures and making them transparent; for measuring vulnerability impact; and for readily updating the list of information system vulnerabilities scanned; c. Analyze vulnerability scan reports and results from security control assessments, and remediate legitimate high-risk vulnerabilities within 30 days and moderate-risk vulnerabilities within 90 days, in accordance with an organizational assessment of risk; d. Share information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies) |
Threat Intelligence | Vulnerability Monitoring of Assets | Regularly scheduled reviews of the Vulnerability Management program and results of vulnerabilities shall be conducted |
Threat Intelligence | Collection and Dissemination of Alerts | The capability shall receive information system security alerts, advisories, and directives from designated external organizations from GCP. In addition, the capability shall disseminate security alerts, advisories, and directives to all staff with system administration, monitoring, and/or security responsibilities, and implement security directives in accordance with established time frames. Client shall establish and execute a plan for communicating how, if, and when Client is remediating security issues affecting each customer, or with appropriate regulatory entities as needed. Appropriate contacts with special interest groups, relevant authorities, or other specialist security forums and professional associations shall be maintained |
Technical Requirement | OS Support | Scanning of Unix/Linux/BSD, Cisco IOS, Junos, and Windows shall be supported |
Technical Requirement | Data Protection | Data shall be stored and transmitted securely |
Technical Requirement | Data Access | Access to scanning data shall be restricted to those with a need for it |
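The Tools and Techniques row above sets two measurable obligations: the remediation timelines in item c (high-risk within 30 days, moderate-risk within 90 days of a finding) and the systemic-weakness sharing in item d (the same flaw appearing on several systems). The following Python is an added example, not part of the requirements matrix or of any scanner vendor's tooling, showing how a tracker would compute SLA deadlines, flag overdue open findings, and surface vulnerability IDs that recur across assets. The asset names, `VULN-nnnn` identifiers, dates and the `Finding` record layout are constructed placeholders; the page gives no timeline for lower severities, so those are tracked but never flagged overdue here.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Remediation timelines taken from the requirement text: high-risk findings within
# 30 days, moderate-risk within 90 days. Lower severities have no stated timeline on
# the page, so they get no SLA here (assumption).
SLA_DAYS: Dict[str, int] = {"high": 30, "moderate": 90}


@dataclass(frozen=True)
class Finding:
    asset: str                        # system from the asset inventory (placeholder names)
    vuln_id: str                      # scanner / standards identifier (constructed, not real CVEs)
    severity: str                     # "high", "moderate" or "low"
    first_seen: date                  # first scan date that reported the finding
    remediated: Optional[date] = None  # None while the finding is still open


def due_date(f: Finding) -> Optional[date]:
    """Deadline = first sighting + the severity's timeline; None when no SLA applies."""
    days = SLA_DAYS.get(f.severity)
    return None if days is None else f.first_seen + timedelta(days=days)


def days_overdue(f: Finding, as_of: date) -> int:
    """Days past the deadline for an open finding; 0 if closed, still in time, or no SLA."""
    if f.remediated is not None:
        return 0
    due = due_date(f)
    if due is None or as_of <= due:
        return 0
    return (as_of - due).days


def sla_report(findings: List[Finding], as_of: date) -> Dict[str, object]:
    """Count open findings and list (asset, vuln_id, days_overdue) for overdue ones, worst first."""
    open_findings = [f for f in findings if f.remediated is None]
    overdue = [
        (f.asset, f.vuln_id, days_overdue(f, as_of))
        for f in open_findings
        if days_overdue(f, as_of) > 0
    ]
    overdue.sort(key=lambda t: t[2], reverse=True)
    return {"open": len(open_findings), "overdue": overdue}


def systemic_weaknesses(findings: List[Finding], min_assets: int = 2) -> Dict[str, List[str]]:
    """Open vulnerability IDs present on at least min_assets distinct assets (item d)."""
    by_vuln = defaultdict(set)
    for f in findings:
        if f.remediated is None:
            by_vuln[f.vuln_id].add(f.asset)
    return {v: sorted(assets) for v, assets in by_vuln.items() if len(assets) >= min_assets}


# Constructed sample scan results; every value below is a placeholder.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "VULN-0001", "high", date(2024, 4, 1)),
    Finding("web-02", "VULN-0001", "high", date(2024, 4, 15)),
    Finding("db-01", "VULN-0002", "moderate", date(2024, 3, 1)),
    Finding("db-01", "VULN-0003", "moderate", date(2024, 5, 1)),
    Finding("app-01", "VULN-0004", "high", date(2024, 4, 20), remediated=date(2024, 5, 10)),
    Finding("app-01", "VULN-0005", "low", date(2024, 1, 1)),
]
AS_OF = date(2024, 6, 1)  # reporting date for the sample run

if __name__ == "__main__":
    report = sla_report(SAMPLE_FINDINGS, AS_OF)
    print(f"open findings: {report['open']}")
    for asset, vuln, late in report["overdue"]:
        print(f"  OVERDUE {vuln} on {asset}: {late} days past SLA")
    for vuln, assets in systemic_weaknesses(SAMPLE_FINDINGS).items():
        print(f"  SYSTEMIC {vuln} present on {', '.join(assets)}")
```

On the sample data, the two high-risk sightings of `VULN-0001` and the moderate `VULN-0002` are past their deadlines, the remediated and low-severity findings are not flagged, and `VULN-0001` is reported as a systemic weakness because it is open on two assets; the same functions applied to a real scanner export give the evidence an auditor would ask for against items c and d.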