
INFRA-9 Vulnerability Scanning


What is this control about?

Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and software running on them. This is an integral component of a vulnerability management program that has one overarching goal – protect the organization from breaches and the exposure of sensitive data.

Available tools in the marketplace

The following listing is “crowdsourced” from our customer base or from external research. TrustCloud does not personally recommend any of the tools below, because we haven’t personally used them. 

Vulnerability Scanning Tools

  • VM: Qualys, Tenable Nessus, AWS Inspector
  • Container: Snyk, AWS ECR Image Scanning

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

  • N/A – no template recommendation

Control implementation

Note: This control is 100% automated by TrustCloud. Connect your system to enjoy the benefit of automation.

For a manual implementation: 

Install a vulnerability scanning tool to scan and analyze all vulnerabilities within your infrastructure.

  • The tool must be configured to run continuously, or on a frequent schedule (schedule is up to each company to determine)
  • The tool must be configured to send a notification or alert when issues are found

Implement a formal and repeatable way to resolve any issues identified. The issues must be resolved in a timely manner (timeliness is up to each company to define).
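As an added example (not TrustCloud's code or automation), the script below implements the two checks the steps above call for: an alert threshold applied to scanner output, and a timeliness check of remediation tickets against a per-severity SLA. It assumes the JSON shape of AWS ECR's describe-image-scan-findings output; the scan result, ticket list, SLA windows and CVE ids are constructed placeholders.

```python
"""Triage ECR image-scan findings and check remediation against a per-severity SLA.

Assumes the JSON shape returned by `aws ecr describe-image-scan-findings`
(imageScanFindings.findings[].name and .severity). The sample scan, ticket
list, SLA values and CVE ids below are constructed placeholders.
"""
import json
from datetime import date, timedelta

# Days allowed to close a finding of each severity. The control leaves the
# actual windows to each company; these numbers are an assumption.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
ALERT_ON = {"CRITICAL", "HIGH"}   # severities that trigger a notification

# Constructed scan result, same shape as the real ECR API response.
SAMPLE_SCAN = json.dumps({"imageScanFindings": {"findings": [
    {"name": "CVE-0000-0001", "severity": "CRITICAL"},
    {"name": "CVE-0000-0002", "severity": "HIGH"},
    {"name": "CVE-0000-0003", "severity": "LOW"},
]}})

# Constructed remediation tickets: finding name -> (date opened, closed?)
SAMPLE_TICKETS = {
    "CVE-0000-0001": (date(2024, 1, 1), False),   # still open past the 7-day SLA
    "CVE-0000-0002": (date(2024, 1, 10), True),   # already remediated
    # CVE-0000-0003 has no ticket at all
}

def parse_findings(scan_json: str) -> dict[str, str]:
    """Return {finding name: severity} from an ECR scan-findings document."""
    doc = json.loads(scan_json)
    findings = doc.get("imageScanFindings", {}).get("findings", [])
    return {f["name"]: f["severity"].upper() for f in findings}

def should_alert(findings: dict[str, str]) -> bool:
    """True when any finding meets the notification threshold."""
    return any(sev in ALERT_ON for sev in findings.values())

def remediation_gaps(findings: dict[str, str], tickets: dict, today: date) -> list[str]:
    """Findings that are untracked, or still open beyond their SLA window."""
    gaps = []
    for name, sev in findings.items():
        if name not in tickets:
            gaps.append(f"{name}: no remediation ticket")
            continue
        opened, closed = tickets[name]
        deadline = opened + timedelta(days=SLA_DAYS.get(sev, 0))
        if not closed and today > deadline:
            gaps.append(f"{name}: {sev} open since {opened}, SLA deadline {deadline} missed")
    return gaps

def sample_gaps() -> list[str]:
    """Run the checks over the constructed data as of a fixed date."""
    return remediation_gaps(parse_findings(SAMPLE_SCAN), SAMPLE_TICKETS, date(2024, 2, 1))
```

The list returned by remediation_gaps is the kind of artifact that backs the remediation-ticket evidence auditors ask for.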

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the suggested actions below.

  • Provide screenshots of the tool's configuration settings showing that it is checking for vulnerabilities
  • Provide a remediation ticket or document related to the issues found and the action steps taken to remediate them

Evidence example

From the suggested action above, an example is provided below.

See the screenshots provided for APPS-3. These follow the same patterns.
