WHAT IS VULNERABILITY COMPLIANCE AND WHY IS IT IMPORTANT?
About This Control
Summary: Vulnerability Compliance is the process of identifying and remediating security weaknesses across the organization within the expected service level agreements (SLAs) or due dates.
Purpose: Vulnerability compliance is necessary for multiple reasons:
Identifying weaknesses in systems helps proactively fix these vulnerabilities before malicious actors can find and exploit them.
Closing security gaps on the network to prevent attackers from exploiting them.
Implementation Guidance: The vulnerability compliance dashboard allows the user to define SLAs based on CVSS Severity (Critical, High, Medium, or Low). It also supports leaving a severity level without an SLA, for organizations whose security policy does not set a remediation SLA for the lower severity levels such as Medium or Low; vulnerabilities with no assigned SLA are not counted in the compliance KPI. The dashboard also supports defining an SLA on an attribute other than Severity, for example a tighter SLA for domain controllers, or for devices in a particular environment or with a particular criticality.
Why It Matters
Unpatched vulnerabilities are a common attack path for malicious actors, so compliance with organizational SLAs for remediation is an essential cyber hygiene task.
Compliance with the organization's cybersecurity policy for vulnerability remediation is a prominent audit requirement, and for many organizations it is mandated by the regulations they are subject to.
Weak vulnerability management compliance will harm the organization and its reputation if a breach or other security incident occurs.
Risks Addressed
Robust compliance with vulnerability management policy helps to reduce risk of:
Data breaches
Ransomware and malware attacks
Regulatory penalties for noncompliance
Disruptions to the ability of the organization to conduct business
Reputational damage if a cyber event can be traced back to a poorly managed vulnerability remediation program.
CONTROLS THIS DASHBOARD REPORTS ON
NIST CSF v2.0: Category ID.RA Risk Assessment, Subcategories, ID.RA-01, ID.RA-04, ID.RA-05, and ID.RA-06
PCI-DSS v4.0: Requirement 11.3 External and internal vulnerabilities are regularly identified, prioritized, and addressed, and requirements 11.3.1 and 11.3.2
CIS CSC v8.1: Control 7 Continuous Vulnerability Management, and Safeguards 7.5, 7.6, and 7.7
DORA: Regulatory Technical Standard (RTS) Simplified ICT Risk Management Framework, Article 10, Vulnerability and patch management
PRIMARY KEY PERFORMANCE INDICATOR (KPI)
The dashboard reports on this Primary KPI, the percentage of SLA-bearing vulnerabilities that are compliant:
Numerator: Vulnerabilities counted as compliant, meaning either still open but within SLA, or remediated on or before their due date
Denominator: All vulnerabilities that have an assigned SLA (vulnerabilities with no SLA are excluded from both the numerator and the denominator)
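The following is an added worked example, not Databee's own code, showing how the SLA assignment described under Implementation Guidance and the Primary KPI above fit together. It assigns an SLA to each finding from a severity table plus attribute-based override rules (a shorter SLA for domain controllers and for High findings in production), derives the Due Date, Days Open, Days Past Due and Compliance Status columns, and then computes the KPI as compliant divided by SLA-bearing findings. The SLA day counts, the override rules, the record fields and the sample findings are all constructed for illustration and are not the dashboard's actual schema or defaults.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Optional, Tuple

# Assumed policy: remediation days allowed per CVSS Severity.
# None means the policy sets no SLA for that level (Low is excluded here).
SEVERITY_SLA_DAYS = {"Critical": 15, "High": 30, "Medium": 90, "Low": None}

# Hypothetical attribute-based overrides, checked in order before the
# severity default. First matching rule wins.
OVERRIDE_RULES: List[Tuple[str, Callable[["Vuln"], bool], int]] = [
    ("DC-Critical", lambda v: v.device_type == "Domain Controller", 7),
    ("PROD-High", lambda v: v.environment == "production" and v.severity == "High", 14),
]


@dataclass
class Vuln:
    """One vulnerability finding (constructed fields mirroring dashboard columns)."""
    vuln_id: str
    hostname: str
    severity: str
    device_type: str
    environment: str
    open_date: date
    remediated_date: Optional[date] = None  # None while the finding is still open


@dataclass
class Assessment:
    """Derived dashboard columns for one finding."""
    vuln_id: str
    sla_name: Optional[str]
    sla_days: Optional[int]
    due_date: Optional[date]
    days_open: int
    days_past_due: int
    compliance_status: str  # "Compliant", "Noncompliant" or "No SLA"


def assign_sla(v: Vuln) -> Tuple[Optional[str], Optional[int]]:
    """Return (Sla Name, Sla Days): overrides first, then the severity default."""
    for name, matches, days in OVERRIDE_RULES:
        if matches(v):
            return name, days
    days = SEVERITY_SLA_DAYS.get(v.severity)
    return (f"Severity-{v.severity}", days) if days is not None else (None, None)


def assess(v: Vuln, as_of: date) -> Assessment:
    """Compute due date and compliance status as of a reporting date.

    The clock stops at the remediated date for closed findings and at
    as_of for open ones, so a late fix stays noncompliant after closure.
    """
    sla_name, sla_days = assign_sla(v)
    end = v.remediated_date or as_of
    days_open = (end - v.open_date).days
    if sla_days is None:
        return Assessment(v.vuln_id, None, None, None, days_open, 0, "No SLA")
    due_date = v.open_date + timedelta(days=sla_days)
    days_past_due = max(0, (end - due_date).days)
    status = "Compliant" if end <= due_date else "Noncompliant"
    return Assessment(v.vuln_id, sla_name, sla_days, due_date, days_open, days_past_due, status)


def compliance_kpi(vulns: List[Vuln], as_of: date) -> Tuple[int, int, List[Assessment]]:
    """Return (numerator, denominator, per-finding assessments).

    Findings with no SLA are excluded from both numerator and denominator.
    """
    assessed = [assess(v, as_of) for v in vulns]
    in_scope = [a for a in assessed if a.compliance_status != "No SLA"]
    compliant = sum(1 for a in in_scope if a.compliance_status == "Compliant")
    return compliant, len(in_scope), assessed


# Constructed sample findings (not real data).
AS_OF = date(2024, 6, 30)
SAMPLE_VULNS = [
    Vuln("V-1", "app01", "Critical", "Server", "production", date(2024, 6, 20)),
    Vuln("V-2", "ws17", "High", "Workstation", "dev", date(2024, 5, 1)),
    Vuln("V-3", "dc01", "High", "Domain Controller", "production", date(2024, 6, 1), date(2024, 6, 12)),
    Vuln("V-4", "ws22", "Low", "Workstation", "dev", date(2024, 1, 1)),
    Vuln("V-5", "db02", "Medium", "Server", "production", date(2024, 3, 1), date(2024, 5, 1)),
    Vuln("V-6", "web03", "High", "Server", "production", date(2024, 6, 1), date(2024, 6, 10)),
]

if __name__ == "__main__":
    num, den, rows = compliance_kpi(SAMPLE_VULNS, AS_OF)
    for a in rows:
        print(f"{a.vuln_id:4} sla={a.sla_name!s:16} due={a.due_date} "
              f"past_due={a.days_past_due:3} {a.compliance_status}")
    print(f"KPI: {num}/{den} = {num / den:.0%}")
```

Note that V-3 is remediated but still counts as noncompliant because it closed four days after the seven-day domain controller due date, and V-4 (Low, no SLA under this policy) drops out of the denominator entirely, which is why the KPI is 3 of 5 rather than 3 of 6.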
COLUMNS DISPLAYED ON THE DETAIL DASHBOARD
Leading: Compliance Status, Vulnerability Id, Hostname, Remediated Compliance Status, Open Compliance Status, Device Type
Identifier: Device Databee Id, Environment, IP
Type: OS Type
Vulnerability: CVE Id, CVE Description, CVE References, CVSS Score, CVSS Severity, CVSS Version, Days Open, Days Past Due, Due Date, Open Date, Past Due Indicator, Remediated Date, Remediation Status, Sla Days, Sla Name, Vendor Description, Vendor Id, Vendor Severity, Vendor Summary, Vendor Type, Vulnerability Severity, Vulnerability Source
Org Hierarchy: Owner Email Address, Owner Databee Id, Owner Employee UID, Owner Full Name, Owner Job Title, Owner Name, Manager Email Address, Manager Id, Manager Full Name, Level 2, Level 3, Level 4, Level 5, Level 6
OCSF TABLES USED BY THE DASHBOARD
CDP.CYBER_VULNERABILITIES
CDP.DEVICE
CDP.ORGANIZATION_HIERARCHY
CDP.USER
OCSF.VULNERABILITY_FINDING
OCSF.OSINT_INVENTORY_INFO