ISO 27001 Annex: A.12.6 Technical Vulnerability Management

The objective of this control set is to prevent the exploitation of technical vulnerabilities.

A.12.6.1 Management of Technical Vulnerabilities


Information about technical vulnerabilities of the information systems in use should be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.

Implementation Guidance

Effective technical vulnerability management depends on a current and complete asset inventory (see A.8.1.1, Inventory of assets). Details such as the software vendor, version number, current deployment state (which software is installed on which systems) and the person(s) within the organization responsible for each piece of software are all essential inputs to the process.

As soon as potential vulnerabilities are identified, appropriate and timely action should be taken.

The following guidelines should be followed to establish an effective technical vulnerability management process:

1. Define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking and any coordination responsibilities required;
2. Identify the information resources that will be used to discover relevant technical vulnerabilities and to maintain awareness of them, for software and other technology (based on the asset inventory, see A.8.1.1); these resources should be updated when the inventory changes or when new useful resources are found;
3. Define a timeline for reacting to notifications of potentially relevant technical vulnerabilities;
4. Once a potential technical vulnerability has been identified, identify the associated risks and the actions to be taken; such action may involve patching the vulnerable systems or applying other controls;
5. Depending on how urgently a technical vulnerability needs to be addressed, carry out the action according to the change management controls or by following the information security incident response procedures;
6. If a patch is available from a legitimate source, assess the risks associated with installing it (compare the risk posed by the vulnerability with the risk of installing the patch);
7. Test and evaluate patches before they are installed, to ensure they are effective and do not cause side effects that cannot be tolerated; if no patch is available, consider other controls, such as:
– Turning off services or capabilities related to the vulnerability;
– Adapting or adding access controls, for example firewalls, at network boundaries;
– Increased monitoring to detect actual attacks;
– Raising awareness of the vulnerability;
8. Keep an audit log of all procedures undertaken;
9. Monitor and evaluate the technical vulnerability management process regularly to ensure it remains effective and efficient;
10. Address systems at high risk first;
11. Align the technical vulnerability management process with incident management activities, so that vulnerability data is communicated to the incident response function and technical procedures are available should an incident occur;
12. Define a procedure for the situation where a vulnerability has been identified but no suitable countermeasure exists. In that situation the organization should evaluate the risks relating to the known vulnerability and define appropriate detective and corrective actions.
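As an added illustration (it is not part of the standard or of this page), the following Python script ties guidelines 1 to 3, 8, 10 and 12 together: it matches vulnerability advisories against an asset inventory, assigns a response deadline from a severity-based timeline, puts high-risk systems first, records an audit trail, and flags the case where no patch is available. The product names, advisory identifiers, response timelines and inventory entries are all constructed for the example and are not real products or real advisories.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Maximum days to respond by severity (guideline 3). These numbers are an
# assumed example policy, not figures taken from ISO/IEC 27001 or 27002.
RESPONSE_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Asset:
    """One inventory entry with the fields A.8.1.1 says must be kept current."""
    host: str
    product: str
    version: str
    owner: str          # person responsible for the software
    high_risk: bool     # e.g. internet-facing or processing sensitive data (guideline 10)


@dataclass
class Advisory:
    """A vulnerability notice from an information resource (guideline 2)."""
    advisory_id: str
    product: str
    affected_before: str      # every version strictly below this is affected
    severity: str             # critical / high / medium / low
    patch_available: bool     # False: no vendor fix yet (guideline 12)


@dataclass
class Finding:
    host: str
    owner: str
    advisory_id: str
    severity: str
    deadline: date
    action: str


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_before))


def assess(inventory: List[Asset], advisories: List[Advisory], today: date,
           audit_log: Optional[list] = None) -> List[Finding]:
    """Match advisories against the inventory, set deadlines and order by priority."""
    findings: List[Finding] = []
    for asset in inventory:
        for adv in advisories:
            if not is_affected(asset, adv):
                continue
            deadline = today + timedelta(days=RESPONSE_DAYS[adv.severity])
            if adv.patch_available:
                # Guidelines 6 and 7: patch, after the patch itself is risk-assessed and tested.
                action = "test and install vendor patch via change management"
            else:
                # Guideline 12: no countermeasure yet, so apply detective/corrective controls.
                action = "no patch: disable affected service or restrict at firewall, increase monitoring"
            findings.append(Finding(asset.host, asset.owner, adv.advisory_id,
                                    adv.severity, deadline, action))
            if audit_log is not None:   # guideline 8: record every decision taken
                audit_log.append(f"{today.isoformat()} {asset.host} {adv.advisory_id} "
                                 f"{adv.severity} due {deadline.isoformat()}: {action}")
    # Guideline 10: high-risk systems first, then by severity, then by earliest deadline.
    risk = {a.host: a.high_risk for a in inventory}
    findings.sort(key=lambda f: (not risk[f.host], SEVERITY_RANK[f.severity], f.deadline))
    return findings


# Constructed sample data; the product names and advisory identifiers are fictional.
INVENTORY = [
    Asset("web01", "AcmeWeb", "2.4.1", "webteam", high_risk=True),
    Asset("db01", "AcmeDB", "5.1.0", "dba", high_risk=True),
    Asset("dev03", "AcmeWeb", "2.4.10", "devteam", high_risk=False),  # 2.4.10 > 2.4.3, not affected
    Asset("test02", "AcmeWeb", "2.3.9", "qa", high_risk=False),
]
ADVISORIES = [
    Advisory("ADV-0001", "AcmeWeb", affected_before="2.4.3", severity="critical", patch_available=True),
    Advisory("ADV-0002", "AcmeDB", affected_before="5.2.0", severity="high", patch_available=False),
]


def demo(today: date = date(2024, 1, 1)) -> List[Finding]:
    log: list = []
    result = assess(INVENTORY, ADVISORIES, today, audit_log=log)
    for f in result:
        print(f"{f.host:7} {f.advisory_id} {f.severity:8} due {f.deadline} owner={f.owner}: {f.action}")
    return result
```

Running `demo()` lists web01 first (high risk, critical), then db01 (high risk, no patch, so compensating controls rather than a patch), then test02; dev03 is not reported because 2.4.10 is above the fixed version, which is the reason the script compares version components numerically instead of as strings.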

Other Information

Technical vulnerability management can be viewed as a sub-function of change management and, as such, can take advantage of the change management processes and procedures.

Vendors are often under significant pressure to release patches as quickly as possible. As a result, a patch may not address the problem adequately and may have negative side effects. In some cases, a patch cannot easily be uninstalled once it has been applied.

If adequate testing of a patch is not possible, for example because of cost or lack of resources, a delay in patching can be considered, with the associated risks evaluated on the basis of the experience reported by other users. ISO/IEC 27031 may be helpful here.

A.12.6.2 Restrictions on Software Installation


Rules governing the installation of software by users should be established and implemented.

Implementation Guidance

The organization should define and enforce a strict policy on which types of software users may install.

The principle of least privilege should be applied. If granted certain privileges, users may be able to install software; the organization should identify which types of software installation are permitted (for example updates and security patches to existing software) and which are prohibited (for example software that is solely for personal use, or software whose origin is unknown or suspected to be malicious). These privileges should be granted according to the roles of the users concerned.

Other Information

Uncontrolled installation of software on computing devices can introduce vulnerabilities and lead to information leakage, loss of integrity or other information security incidents, as well as violation of intellectual property rights.

Related Questions

1. How should a vulnerable system be remediated?
2. What is the best way to implement a vulnerability management program?
3. How do vulnerability management processes work?
4. How do you conduct a vulnerability assessment?
5. Which controls are included in ISO 27001 Annex: A.12.6 Technical Vulnerability Management?
