Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Insights to Control Framework Mapping: Vulnerability Management & Security Hygiene

Ingrid

Refer to the following Vulnerability Management & Security Hygiene insights and assessments and how they're mapped to CIS v7 and CIS v8 controls for Control Insights:

Confirmed Vulnerabilities

Detected confirmed vulnerabilities were not fixed for over one month. This indicates that continuous vulnerability management is ineffective and may be failing

The ratio of events of type [Confirmed Vulnerability in Exposed Third Party Product] present for at least 1 month(s) by type [Open Port] is above 10.0%

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 7 Continuous Vulnerability Management
  • 17 Incident Response Management
  • 18 Penetration Testing

Safeguards

  • 7.1 Establish and Maintain a Vulnerability Management Process
  • 7.2 Establish and Maintain a Remediation Process
  • 7.3 Perform Automated Operating System Patch Management
  • 7.4 Perform Automated Application Patch Management
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
  • 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
  • 7.7 Remediate Detected Vulnerabilities
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response
  • 18.1 Establish and Maintain a Penetration Testing Program
  • 18.2 Perform Periodic External Penetration Tests
  • 18.3 Remediate Penetration Test Findings
  • 18.4 Validate Security Measures
  • 18.5 Perform Periodic Internal Penetration Tests

Controls

  • 33 Continuous Vulnerability Management
  • 19 Incident Response and Management
  • 20 Penetration Tests and Red Team Exercises

Safeguards:

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.2 Perform Authenticated Vulnerability Scanning
  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
  • 20.5 Create Test Bed for Elements Not Typically Tested in Production
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

No Confirmed Vulnerabilities for 1 Month

The lack of confirmed vulnerabilities for over a month indicates effective continuous vulnerability management.

The ratio of events of type [Confirmed Vulnerability in Exposed Third Party Product] present for at least 1 month(s) by type [Open Port] is below 2.5%

Assessment

insight-effective.png Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 7 Continuous Vulnerability Management
  • 17 Incident Response Management
  • 18 Penetration Testing

Safeguards

  • 7.1 Establish and Maintain a Vulnerability Management Process
  • 7.2 Establish and Maintain a Remediation Process
  • 7.3 Perform Automated Operating System Patch Management
  • 7.4 Perform Automated Application Patch Management
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
  • 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
  • 7.7 Remediate Detected Vulnerabilities
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response
  • 18.1 Establish and Maintain a Penetration Testing Program
  • 18.2 Perform Periodic External Penetration Tests
  • 18.3 Remediate Penetration Test Findings
  • 18.4 Validate Security Measures
  • 18.5 Perform Periodic Internal Penetration Tests

Controls

  • 3 Continuous Vulnerability Management
  • 19 Incident Response and Management
  • 20 Penetration Tests and Red Team Exercises

Safeguards

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
  • 19.8 Create Incident Scoring and Prioritization Schema
  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

Poor Security Hygiene

The lack of basic security hygiene issues indicates effective processes to detect, respond, and remediate security issues are in place

The ratio of events of type [Cleartext Credential Transmission, Inadvisable Service Exposed on Open Port, Unnecessarily Exposed Port, Unauthenticated Service] by type [Open Port] is below 1.0%

Assessment

insight-effective.png Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 7 Continuous Vulnerability Management
  • 17 Incident Response Management
  • 18 Penetration Testing

Safeguards

  • 7.1 Establish and Maintain a Vulnerability Management Process
  • 7.2 Establish and Maintain a Remediation Process
  • 7.3 Perform Automated Operating System Patch Management
  • 7.4 Perform Automated Application Patch Management
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
  • 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
  • 7.7 Remediate Detected Vulnerabilities
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response
  • 18.1 Establish and Maintain a Penetration Testing Program
  • 18.2 Perform Periodic External Penetration Tests
  • 18.3 Remediate Penetration Test Findings
  • 18.4 Validate Security Measures
  • 18.5 Perform Periodic Internal Penetration Tests

Controls

  • 3 Continuous Vulnerability Management
  • 19 Incident Response and Management
  • 20 Penetration Tests and Red Team Exercises

Safeguards

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.2 Perform Authenticated Vulnerability Scanning
  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools
  • 3.7 Utilize a Risk-Rating Process
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
  • 20.5 Create Test Bed for Elements Not Typically Tested in Production
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
  • 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
  • 20.8 Control and Monitor Accounts Associated with Penetration Testing

No Vulnerabilities in Network Devices

The lack of vulnerabilities in network devices indicates effective control, patching, and mismanagement of network devices.

The fraction of endpoints from category [Networking Device] detected with [Confirmed Vulnerability in Exposed Third Party Product] is above 1.0%

Assessment

✓ Positive

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 4 Secure Configuration of Enterprise Assets and Software
  • 12 Network Infrastructure Management

Safeguards

  • 12.1 Ensure Network Infrastructure is Up-to-Date
  • 12.2 Establish and Maintain a Secure Network Architecture
  • 12.3 Securely Manage Network Infrastructure

Controls

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards

  • 11.1 Maintain Standard Security Configurations for Network Devices
  • 11.2 Document Traffic Configuration Rules
  • 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
  • 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
  • 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
  • 11.6 Use Dedicated Machines For All Network Administrative Tasks
  • 11.7 Manage Network Infrastructure Through a Dedicated Network

Basic Security Hygiene Issues

The presence of basic security hygiene issues indicates the processes to detect, respond, and remediate security issues are ineffective and may be failing.

The ratio of events of type [Cleartext Credential Transmission, Inadvisable Service Exposed on Open Port, Unnecessarily Exposed Port, Unauthenticated Service] by type [Open Port] is above 2.0%

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 7 Continuous Vulnerability Management
  • 17 Incident Response Management
  • 18 Penetration Testing

Safeguards

  • 7.1 Establish and Maintain a Vulnerability Management Process
  • 7.2 Establish and Maintain a Remediation Process
  • 7.3 Perform Automated Operating System Patch Management
  • 7.4 Perform Automated Application Patch Management
  • 7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
  • 7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
  • 7.7 Remediate Detected Vulnerabilities
  • 17.1 Designate Personnel to Manage Incident Handling
  • 17.2 Establish and Maintain Contact Information for Reporting Security Incidents
  • 17.3 Establish and Maintain an Enterprise Process for Reporting Incidents
  • 17.4 Establish and Maintain an Incident Response Process
  • 17.6 Define Mechanisms for Communicating During Incident Response
  • 18.1 Establish and Maintain a Penetration Testing Program
  • 18.2 Perform Periodic External Penetration Tests
  • 18.3 Remediate Penetration Test Findings
  • 18.4 Validate Security Measures
  • 18.5 Perform Periodic Internal Penetration Tests

Controls

  • 3 Continuous Vulnerability Management
  • 19 Incident Response and Management
  • 20 Penetration Tests and Red Team Exercises

Safeguards

  • 3.1 Run Automated Vulnerability Scanning Tools
  • 3.2 Perform Authenticated Vulnerability Scanning
  • 3.3 Protect Dedicated Assessment Accounts
  • 3.4 Deploy Automated Operating System Patch Management Tools
  • 3.5 Deploy Automated Software Patch Management Tools
  • 3.7 Utilize a Risk-Rating Process
  • 19.1 Document Incident Response Procedures
  • 19.2 Assign Job Titles and Duties for Incident Response
  • 19.3 Designate Management Personnel to Support Incident Handling
  • 19.4 Devise Organization-wide Standards for Reporting Incidents
  • 19.5 Maintain Contact Information For Reporting Security Incidents
  • 20.1 Establish a Penetration Testing Program
  • 20.2 Conduct Regular External and Internal Penetration Tests
  • 20.3 Perform Periodic Red Team Exercises
  • 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
  • 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert

Vulnerabilities in Network Devices

The presence of vulnerabilities in network devices indicates ineffective control, patching, and mismanagement of network devices

The fraction of endpoints from category [Networking Device] detected with [Confirmed Vulnerability in Exposed Third Party Product] is above 5.0%

Assessment

insight-ineffective.png Negative

Observations

CIS v8 Controls CIS v7 Controls

Controls

  • 4 Secure Configuration of Enterprise Assets and Software
  • 12 Network Infrastructure Management

Safeguards

  • 12.1 Ensure Network Infrastructure is Up-to-Date
  • 12.2 Establish and Maintain a Secure Network Architecture
  • 12.3 Securely Manage Network Infrastructure

Controls

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Safeguards

  • 11.1 Maintain Standard Security Configurations for Network Devices
  • 11.2 Document Traffic Configuration Rules
  • 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
  • 11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
  • 11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
  • 11.6 Use Dedicated Machines For All Network Administrative Tasks
  • 11.7 Manage Network Infrastructure Through a Dedicated Network
  • April 1, 2025: Published.

Related articles

Feedback

0 comments

Please sign in to leave a comment.