List of Controls Supported by Vulnerability Scan Report Fetchers
ZenGRC integrates with several vulnerability scanner applications, such as Qualys, to streamline the assessment of controls that require you to demonstrate that a vulnerability management (VM) program is in place and running effectively. The following controls can be validated by reviewing scan reports fetched into your ZenGRC instance once a connection to the vulnerability management tool of your choice has been established:
Framework | Code | Control Name | Description |
---|---|---|---|
SOC2 2017 | CC7.1 | System Operations | To meet its objectives, the entity uses detection and monitoring procedures to identify: (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities. The following points of focus, specifically related to all engagements using the trust services criteria, highlight important characteristics relating to this criterion: Uses Defined Configuration Standards - Management has defined configuration standards. Monitors Infrastructure and Software - The entity monitors infrastructure and software for noncompliance with the standards, which could threaten the achievement of the entity's objectives. Implements Change-Detection Mechanisms - The IT system includes a change-detection mechanism (for example, file integrity monitoring tools) to alert personnel to unauthorized modifications of critical system files, configuration files, or content files. Detects Unknown or Unauthorized Components - Procedures are in place to detect the introduction of unknown or unauthorized components. Conducts Vulnerability Scans - The entity conducts vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after any significant change in the environment and takes action to remediate identified deficiencies on a timely basis. |
CIS CSC v6.1 | 4.1 | Continuous Vulnerability Assessment and Remediation | Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores that compare the effectiveness of system administrators and departments in reducing risk. Use a SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by Common Vulnerabilities and Exposures entries) and configuration-based vulnerabilities (as enumerated by the Common Configuration Enumeration Project). |
CIS CSC v7 | 3.1 | Continuous Vulnerability Management | Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. |
CIS CSC v7 | 3.2 | Continuous Vulnerability Management | Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested. |
CIS CSC v7 | 9.3 | Limitation and Control of Network Ports, Protocols, and Services | Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. |
CIS CSC v7 | 12.2 | Boundary Defense | Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. |
CSA CCM v3.0.1 | IVS-05 | Management - Vulnerability Management | Implementers shall ensure that the security vulnerability assessment tools or services accommodate the virtualization technologies used (e.g. virtualization aware). |
NIST SP 800-53 r4 | RA-5 | Vulnerability Scanning | The organization: |
NIST SP 800-171 r1 | 3.11.2 | Risk Assessment | Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified. |
NIST SP 800-171 r1 | 3.11.3 | Risk Assessment | Remediate vulnerabilities in accordance with assessments of risk. |
NIST CSF v1.1 | DE.CM-8 | Security Continuous Monitoring | Vulnerability scans are performed. |
OWASP Top 10 (2017) | A6 | Security Misconfiguration | Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion. |
OWASP Top 10 (2017) | A9 | Using Components with Known Vulnerabilities | Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. |
PCI DSS v3.2.1 | 11.2 | Network Vulnerability Scans | Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Multiple scan reports can be combined for the quarterly scan process to show that all systems were scanned and all applicable vulnerabilities have been addressed. Additional documentation may be required to verify non-remediated vulnerabilities are in the process of being addressed. For initial PCI DSS compliance, it is not required that four quarters of passing scans be completed if the assessor verifies 1) the most recent scan result was a passing scan, 2) the entity has documented policies and procedures requiring quarterly scanning, and 3) vulnerabilities noted in the scan results have been corrected as shown in a re-scan(s). For subsequent years after the initial PCI DSS review, four quarters of passing scans must have occurred. |
PCI DSS v3.2.1 | 11.2.1 | Internal Vulnerability Scans | 11.2.1 Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all "high risk" vulnerabilities are resolved in accordance with the entity's vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel. |
PCI DSS v3.2.1 | 11.2.2 | External Vulnerability Scans | 11.2.2 Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SSC). Refer to the ASV Program Guide published on the PCI SSC website for scan customer responsibilities, scan preparation, etc. |
PCI DSS v3.2.1 | 11.2.3 | Internal & External Vulnerability Scans after Changes | 11.2.3 Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. |
SWIFT CSF (2019) | 2.7 | Vulnerability Scanning | Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. |
FedRAMP (Mod) | RA-5 | Vulnerability Scanning | The organization: RA-5 (e) Additional FedRAMP Requirements and Guidance: to include the Risk Executive; for JAB authorizations to include FedRAMP Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2, RA-3, SA-11, SI-2. |
FFIEC | Category 17 | Threat and Vulnerability Detection | Independent testing (including penetration testing and vulnerability scanning) is conducted according to the risk assessment for external-facing systems and the internal network. (FFIEC Information Security Booklet, page 61) |
MITRE ATT&CK | M1016 | Vulnerability Scanning | Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. |
HIPAA | 164.308(a)(1)(ii)(A) | Risk Analysis | Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate. |
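Several of the rows above (PCI DSS 11.2.1 and 11.2.2 most explicitly) turn on two things a reviewer has to check in the fetched reports: that every quarter in the review window contains a scan of the right scope, and that a failed scan or one with open high-risk findings was followed by a rescan until it passed. The script below is an added example of that check, written for this page; it is not ZenGRC or Qualys code, and the `ScanReport` fields (scan date, internal/external scope, the scanner's pass/fail verdict, and a count of open findings ranked "high risk" under Requirement 6.1) are assumptions for the example, not a real report schema. Only the latest report in a quarter counts, which is what makes the rescan rule work.

```python
"""Quarterly cadence and rescan check over fetched scan reports (added example).

The ScanReport fields are assumptions for this example, not a ZenGRC or
scanner schema. External quarters pass on the scanner's (ASV's) verdict;
internal quarters pass when no "high risk" findings remain open.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ScanReport:
    scanned_on: date
    scope: str           # "internal" or "external" (assumed field)
    passed: bool         # verdict reported by the scanner; only used for external scans
    open_high_risk: int  # unresolved findings the entity ranks "high risk" (Req. 6.1)


def quarter_of(d: date) -> tuple[int, int]:
    """Calendar quarter of a date as (year, 1..4)."""
    return d.year, (d.month - 1) // 3 + 1


def trailing_quarters(as_of: date, n: int = 4) -> list[tuple[int, int]]:
    """The n calendar quarters ending with the one containing as_of, oldest first."""
    year, q = quarter_of(as_of)
    quarters = []
    for _ in range(n):
        quarters.append((year, q))
        year, q = (year - 1, 4) if q == 1 else (year, q - 1)
    return quarters[::-1]


def quarter_passed(reports: list[ScanReport], scope: str, quarter: tuple[int, int]) -> bool:
    """Only the latest report in the quarter decides, so a failed scan followed by a
    passing rescan satisfies the quarter ("perform rescans as needed, until passing
    scans are achieved"). A quarter with no report of this scope never passes."""
    in_quarter = [r for r in reports
                  if r.scope == scope and quarter_of(r.scanned_on) == quarter]
    if not in_quarter:
        return False
    latest = max(in_quarter, key=lambda r: r.scanned_on)
    if scope == "external":
        return latest.passed          # 11.2.2: ASV verdict
    return latest.open_high_risk == 0  # 11.2.1: all high-risk findings resolved


def missing_quarters(reports: list[ScanReport], scope: str,
                     as_of: date, n: int = 4) -> list[tuple[int, int]]:
    """Quarters in the trailing window that lack a passing scan of the given scope."""
    return [q for q in trailing_quarters(as_of, n) if not quarter_passed(reports, scope, q)]


# Constructed sample evidence for one calendar year (not real scan data).
SAMPLE_REPORTS = [
    ScanReport(date(2019, 1, 15), "external", True, 0),
    ScanReport(date(2019, 4, 10), "external", False, 2),  # failed ...
    ScanReport(date(2019, 5, 2), "external", True, 0),    # ... rescan passed
    ScanReport(date(2019, 7, 20), "external", True, 0),
    # no external scan at all in Q4 2019
    ScanReport(date(2019, 2, 1), "internal", True, 0),
    ScanReport(date(2019, 5, 6), "internal", True, 3),    # high-risk findings open ...
    ScanReport(date(2019, 6, 12), "internal", True, 0),   # ... resolved on rescan
    ScanReport(date(2019, 8, 3), "internal", True, 1),    # never rescanned
    ScanReport(date(2019, 11, 9), "internal", True, 0),
]

if __name__ == "__main__":
    as_of = date(2019, 12, 31)
    for scope in ("external", "internal"):
        gaps = missing_quarters(SAMPLE_REPORTS, scope, as_of)
        print(f"{scope}: {'OK' if not gaps else 'no passing scan in ' + str(gaps)}")
```

Run against the constructed data, the external scope reports a gap in Q4 2019 (no scan at all) and the internal scope a gap in Q3 2019 (a high-risk finding left open with no rescan), while Q2 passes for both because the rescan is the latest report in the quarter. The 11.2.3 "after any significant change" scans are not checked here, because a scan report alone does not carry the change event that triggered it; that evidence has to come from the change-management side.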