When it comes to cybersecurity, vulnerability management is one of the older technologies that still plays a critical role in securing our assets. It is often overlooked, disregarded, or treated only as a checkbox for compliance, but a proper vulnerability management program can play a critical role in avoiding a serious data breach. CIS Control 07 provides the minimum requirements, table stakes if you will, for establishing a successful vulnerability management program.

Key Takeaways for Control 7

At the core of CIS Control 7 is a reliance on known standards: terms from organizations like NIST and MITRE that those of us in the cybersecurity space have heard for years. CVE, CVSS, OVAL, SCAP, and more are keywords found throughout the document. While those terms appear frequently, it is important to note that they are not the be-all and end-all of a vulnerability management program. The controls document notes that some scoring systems, like CVSS, must be augmented by additional data. This is an important point to consider when planning continuous vulnerability management.

The biggest takeaway from Control 7 is that if a vulnerability is patched, it cannot be exploited. This is why the process is critical and becomes a continuous cycle:

  • Discover vulnerabilities
  • Prioritize vulnerabilities
  • Resolve vulnerabilities
  • Repeat
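The two points above, that a base CVSS score needs augmenting with additional data and that the discover / prioritize / resolve cycle repeats, can be shown in a few lines of code. The example below is added here and is not from the CIS Controls document or its author. It assumes three kinds of augmenting data that the document does not name: an organization-defined asset criticality tier, whether the asset is internet-facing, and whether the vulnerability appears in a curated list of known-exploited issues (assumed feed). The findings, weights, and CVE identifiers are constructed placeholders for illustration only.

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Finding:
    """One vulnerability observed on one asset (constructed record shape)."""
    cve: str                 # placeholder identifier, not a real CVE record
    cvss: float              # base score 0.0 - 10.0 as the scanner reports it
    asset: str
    asset_criticality: int   # assumed org-defined tier: 1 (low) .. 3 (high)
    internet_facing: bool    # assumed exposure attribute from the asset inventory
    known_exploited: bool    # assumed flag from a known-exploited feed
    resolved: bool = False


# Assumed weights: how much each piece of context adjusts the base score.
CRITICALITY_WEIGHT = {1: 0.6, 2: 1.0, 3: 1.4}
EXPOSURE_BONUS = 2.0
EXPLOITED_BONUS = 3.0


def priority_score(f: Finding) -> float:
    """CVSS alone ranks every 'critical' equally; add asset and exposure context."""
    score = f.cvss * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.internet_facing:
        score += EXPOSURE_BONUS
    if f.known_exploited:
        score += EXPLOITED_BONUS
    return round(score, 2)


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Prioritize step: unresolved findings, highest augmented score first."""
    return sorted(
        (f for f in findings if not f.resolved),
        key=priority_score,
        reverse=True,
    )


def resolve(findings: Iterable[Finding], fixed_cves: Iterable[str]) -> List[Finding]:
    """Resolve step: mark patched findings so the next cycle drops them."""
    fixed = set(fixed_cves)
    out = []
    for f in findings:
        out.append(Finding(**{**f.__dict__, "resolved": f.resolved or f.cve in fixed}))
    return out


# Constructed sample discovery output (the Discover step is the scanner's job).
SAMPLE = [
    Finding("CVE-XXXX-0001", 9.8, "lab-vm-01", 1, False, False),
    Finding("CVE-XXXX-0002", 7.5, "web-edge-01", 3, True, True),
    Finding("CVE-XXXX-0003", 9.8, "app-srv-02", 2, False, False),
    Finding("CVE-XXXX-0004", 5.3, "vpn-gw-01", 3, True, False),
    Finding("CVE-XXXX-0005", 10.0, "db-srv-01", 3, False, False, resolved=True),
]


if __name__ == "__main__":
    queue = prioritize(SAMPLE)
    for f in queue:
        print(f"{priority_score(f):5.2f}  {f.cve}  {f.asset}  (base {f.cvss})")
    # Repeat: after the top item is fixed, the next cycle re-ranks what remains.
    next_queue = prioritize(resolve(SAMPLE, [queue[0].cve]))
    print("next cycle top:", next_queue[0].cve)
```

Note what the ranking shows: the 7.5 on an exposed, high-criticality asset that is known to be exploited outranks both 9.8s, and the 5.3 on an internet-facing gateway lands above the 9.8 on a low-tier lab machine. The weights are deliberately simple; the point is that the ordering only becomes useful once the base score is combined with data the scanner does not have.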

This control also serves as a great reminder of what vulnerability management is not. It should not be a reactive process for 0-day vulnerabilities; you have other controls to help you mitigate those. Instead, this control is focused on reducing the known risk in your environment, something that many organizations often forget.

Safeguards for Control 7

Establish and Maintain a Vulnerability Management Process

Description: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact (Read more...)