3.11.3 has a weight of -1 points
(Risk Assessment Family) 3/3
Remediate vulnerabilities in accordance with risk assessments.
Video:
Example of System Security Plan (SSP):
System Security Plan (SSP) for Control 3.11.3
Title: Remediation of Vulnerabilities in Accordance with Risk Assessments
-
Purpose:
- This SSP ensures that we appropriately address vulnerabilities identified within the organization based on their assessed risk. By following this plan, we ensure the security of our digital assets, maintain the confidentiality of our customer data, and protect our brand reputation.
-
Scope:
- The plan encompasses all organizational systems, applications, databases, network devices, and related infrastructures susceptible to vulnerabilities.
-
Responsibilities:
- IT Department: We execute regular vulnerability scans and work closely with the security team during incident responses.
- Internal Risk Management Team: We conduct risk assessments quarterly, provide risk scoring for identified vulnerabilities, and suggest remediation prioritization.
- Security Team: We activate the incident response plan when vulnerabilities are detected, oversee remediation efforts, and ensure policy adherence.
- Department Heads: We ensure compliance with remediation directives and that department-specific applications or systems are available for scanning.
-
Vulnerability Management Procedures:
- Periodic Scanning: We utilize vulnerability scanning tools to detect potential security weaknesses in organizational assets.
- Incident Response: When we detect a vulnerability, we invoke the Incident Response Plan to address the issue swiftly and effectively.
- Risk Assessments: We conduct risk assessments quarterly, considering factors like potential business impact, likelihood of exploitation, and data sensitivity.
-
Plan of Action (PoA):
- When identifying vulnerabilities, we formulate a PoA that outlines the remediation steps, required resources, and targeted completion dates.
- Milestones: We define milestones within the PoA to ensure trackable remediation activities and accomplish them within stipulated time frames.
-
Remediation:
- We prioritize remediation efforts based on risk scores derived from assessments.
- While we aim to remediate all vulnerabilities, we focus on those posing the highest risk to the organization.
-
Review and Update:
- We review this SSP annually or after any significant infrastructural or procedural changes to ensure its continued relevance and effectiveness.
-
Documentation:
- We document all risk assessment findings, remediation activities, and PoA milestones for transparency and future reference.
-
Continuous Improvement:
- We encourage feedback from all departments and regularly update the SSP to align with the evolving threat landscape and business requirements.
-
Training:
- We ensure that all staff, especially those in IT and Security, undergo regular training on vulnerability management and remediation processes.
Example of Plan of Action and Milestones ( POA & M):
Plan of Action and Milestones (POA&M) for Control 3.11.3
1. Milestone: Establish Regular Vulnerability Scanning
- Objective: Ensure all organizational assets are scanned for vulnerabilities.
- Responsibility: IT Department.
- Resources: Vulnerability scanning tools, dedicated IT personnel.
- Targeted Completion Date: [Date].
2. Milestone: Finalize and Review the Incident Response Plan
- Objective: Update and refine the Incident Response Plan to ensure rapid and effective responses to detected vulnerabilities.
- Responsibility: Security Team.
- Resources: Previous incident reports, external consultancy (if required).
- Targeted Completion Date: [Date].
3. Milestone: Quarterly Risk Assessments
- Objective: Conduct the first of the regular quarterly risk assessments.
- Responsibility: Internal Risk Management Team.
- Resources: Risk assessment tools, access to system logs and network data.
- Targeted Completion Date: [Date].
4. Milestone: Develop a Standardized Plan of Action Template
- Objective: Create a template to streamline the creation of PoA whenever vulnerabilities are identified.
- Responsibility: Security Team, with input from IT and Risk Management.
- Resources: Previous PoA examples, industry best practices.
- Targeted Completion Date: [Date].
5. Milestone: Prioritization Framework Establishment
- Objective: Develop a framework to prioritize remediation efforts based on the risk score.
- Responsibility: Internal Risk Management Team.
- Resources: Risk assessment tools, historical vulnerability data.
- Targeted Completion Date: [Date].
6. Milestone: Documentation Process Implementation
- Objective: Ensure thorough and standardized documentation of all vulnerability management activities.
- Responsibility: Security Team.
- Resources: Documentation tools/platforms, staff training.
- Targeted Completion Date: [Date].
7. Milestone: Staff Training Initiation
- Objective: Begin the training program on vulnerability management and remediation.
- Responsibility: Department Heads.
- Resources: External trainers or e-learning platforms, internal guidelines.
- Targeted Completion Date: [Date].
Example of Incident Response Plan (IRP):
Incident Response Procedures Plan
I. Purpose: The purpose of these procedures is to define the company’s approach to managing and responding to security incidents involving unauthorized acquisition, dissemination, use, or loss of nonpublic information.
II. Scope: These procedures apply to all employees, contractors, and third-party agents who have access to company-controlled information.
III. Definitions: Incident/Security Breach: An unauthorized acquisition, dissemination, use, or loss of nonpublic information.
IV. Incident Reporting:
- Every employee is obligated to notify the Facility Security Officer (FSO) immediately upon becoming aware of a potential security breach that may compromise nonpublic information.
- All potential security breaches, whether suspected or confirmed, must be reported.
V. Incident Response Procedures:
- Initial Assessment:
- Managers shall conduct a thorough assessment of the reported security breach to determine its scope, impact, and potential damage.
- Determine the type, nature, and amount of data involved.
- Containment:
- Initiate immediate containment measures to prevent further unauthorized access, dissemination, or loss.
- Isolate affected systems or processes to minimize the spread of damage.
- Legal Consultation:
- Consult with legal counsel to ensure that the company’s response is compliant with all applicable laws and regulations.
- Regulatory Compliance:
- Review and understand requirements under applicable state laws and regulations related to the breach.
- Determine notification and reporting obligations.
- DIBNet Notification:
- Contact DIBNet (Defense Industrial Base Network) under the following circumstances:
- Compromise of Covered Defense Information (CDI).
- Impact on the ability to provide operationally critical support.
- Discovery of malicious software.
- Unauthorized external access to systems.
- Compromise of cyber-related tools or software.
- Any other criteria stipulated under DFARS.
- Ensure the timely reporting of incidents to DIBNet, typically within 72 hours of discovering the incident, in alignment with DFARS regulations.
- Cooperate with the Department of Defense, providing further details upon request and assisting in any joint investigations if needed.
- Contact DIBNet (Defense Industrial Base Network) under the following circumstances:
- Carrier Notification:
- Notify the carriers whose policyholders may have been affected.
- Inform the company’s cybersecurity coverage carrier about the incident.
- Notification of Affected Parties:
- Notify affected individuals about the breach, detailing potential risks and protective actions they can take.
- Notify appropriate regulatory and law enforcement authorities, if required or deemed appropriate.
- Draft clear, concise, and accurate communications about the incident for affected individuals and, if appropriate, company customers.
- Corrective Actions:
- Document and implement corrective actions to contain, control, and remedy the security breach.
- Evaluate the effectiveness of the containment measures and modify as necessary.
- Investigation:
- All security breaches will be fully investigated by the designated personnel, including managers, the FSO, and Managed Service Providers (MSP).
- Ensure comprehensive documentation of the investigative process, findings, and decisions made.
- Briefing:
- Maintain transparency by briefing all affected parties, such as the prime contractor, subcontractor, and government organization, about the incident and the company’s response actions.
VI. Post-Incident Activities:
- Conduct a post-incident review to identify lessons learned.
- Make necessary updates to policies, procedures, and controls to prevent recurrence.
- Provide necessary training and awareness sessions for employees.
VII. Revision and Review:
- This procedure will be reviewed annually and updated as needed to reflect changes in regulatory requirements and the company’s operational environment.
Approval: [Signature] [Title] [Date]
RELEVANT INFORMATION:
Vulnerabilities discovered, for example, via the scanning conducted in response to 3.11.2, are remediated with consideration of the related assessment of risk. The consideration of risk influences
the prioritization of remediation efforts and the level of effort to be expended in the remediation for specific vulnerabilities.
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.