AuditRubric
id-ra-1 · critical · Identify / Risk Assessment

Vulnerabilities in assets are identified, validated, and recorded

Exploitation of unpatched vulnerabilities is consistently among the most common initial access vectors in breaches. Regular scanning turns the unknown into the known: you get a prioritized list of weaknesses before an attacker finds them. Without a vulnerability management process, any claim that your environment is secure rests on luck rather than evidence.

Estimated effort: 6h
Tags: vulnerability scanning, CVE, patching
Complete first: id-am-1, id-am-2

Implementation steps

  1. Deploy authenticated vulnerability scanning

    Run a vulnerability scanner against all assets in scope at least weekly for internet-facing systems and monthly for internal systems. Use authenticated scans (with credentials) so the scanner can read installed package versions and configuration directly instead of inferring them from banners; this finds more and produces fewer false positives than an unauthenticated scan. Cover infrastructure, operating systems, and application dependencies, and reconcile scan coverage against the asset inventory from the id-am-1 and id-am-2 prerequisites so that unscanned assets are visible rather than silently missing. Treat scan credentials as privileged: use a dedicated, least-privilege scanning account, restrict where it may log in from, and rotate it.

    Tools: Qualys, Tenable, Rapid7, CrowdStrike Falcon, Wiz
  2. Validate and triage findings

    Not every scanner finding is exploitable in your environment. Review each finding to confirm it applies to your configuration (the vulnerable component is actually installed and reachable, and no compensating control blocks it), and filter out false positives, recording the justification for each suppression so an auditor can see why it was dropped. Use the CVSS base score as the severity baseline, then adjust for your context: evidence of active exploitation (for example a CISA KEV listing), internet exposure, and the sensitivity of the affected asset. Record validated findings in a tracker with the affected asset, CVE identifier, severity, and discovery date; the discovery date is what starts the remediation clock.

    Tools: Jira, ServiceNow, DefectDojo
  3. Set remediation SLAs and track closure

    Define how quickly each severity level must be remediated, measured from the discovery date, for example: critical within 15 days, high within 30 days, medium within 90 days. Assign each finding to an owner and track progress toward closure; where a fix cannot be applied in time, record a risk acceptance or a compensating control with an expiry date rather than letting the finding age unnoticed. Report on open vulnerabilities by age and severity, and on SLA breaches, in a regular security review.

    Tools: Jira, DefectDojo, Qualys, Tenable
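The triage and SLA tracking described in steps 2 and 3, as an added example in Python that is not part of the original page or of any of the tools it names. The CSV layout, the asset and CVE values, the suppression list, the report date and the 180-day low-severity SLA are all constructed for this example; the critical/high/medium SLAs are the ones given in step 3, and the severity bands are the standard CVSS v3.x qualitative ratings.

```python
"""Triage a vulnerability scan export and track remediation SLAs.

Added example; the CSV layout and the low-severity SLA are assumptions."""
import csv
import io
from datetime import date, timedelta

# Remediation SLA in days per severity. Critical/high/medium follow the
# example table in step 3; the low-severity value is an assumption here.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed sample export (not real scanner output). The duplicate row
# stands in for the same finding reported by two consecutive scan runs.
SAMPLE_SCAN_CSV = """asset,cve,cvss,discovered
web-01,CVE-2024-0001,9.8,2024-05-01
web-01,CVE-2024-0001,9.8,2024-05-01
db-01,CVE-2024-0002,7.5,2024-04-20
app-02,CVE-2024-0003,5.3,2024-03-01
app-02,CVE-2024-0004,3.1,2024-05-10
"""

# Findings a reviewer has confirmed do not apply to our configuration,
# keyed by (asset, cve) with the justification kept as audit evidence.
SUPPRESSED = {("app-02", "CVE-2024-0004"): "affected module not installed"}

# Date the report is run for; a fixed value so the example is reproducible.
REPORT_DATE = date(2024, 5, 20)


def cvss_to_severity(score: float) -> str:
    """CVSS v3.x qualitative rating, used as the baseline severity."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(csv_text: str, suppressed=SUPPRESSED) -> list[dict]:
    """Deduplicate, drop suppressed findings, and record each validated
    finding with asset, CVE, severity, discovery date and SLA due date."""
    seen, findings = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["asset"], row["cve"])
        if key in seen or key in suppressed:
            continue
        seen.add(key)
        score = float(row["cvss"])
        severity = cvss_to_severity(score)
        discovered = date.fromisoformat(row["discovered"])
        findings.append({
            "asset": row["asset"], "cve": row["cve"], "cvss": score,
            "severity": severity, "discovered": discovered,
            # the SLA clock starts at the discovery date
            "due": discovered + timedelta(days=SLA_DAYS[severity]),
            "closed": None,
        })
    return findings


def close_finding(finding: dict, closed_on: date) -> bool:
    """Mark a finding remediated; return True if it was closed within SLA."""
    finding["closed"] = closed_on
    return closed_on <= finding["due"]


def overdue(findings: list[dict], today: date) -> list[dict]:
    """Open findings whose SLA due date has already passed."""
    return [f for f in findings if f["closed"] is None and today > f["due"]]


def aging_report(findings: list[dict], today: date) -> dict:
    """Count open findings per severity by age bucket (days since discovery),
    the figures a regular security review reports on."""
    report = {sev: {"0-30": 0, "31-90": 0, "91+": 0} for sev in SLA_DAYS}
    for f in findings:
        if f["closed"] is not None:
            continue
        age = (today - f["discovered"]).days
        bucket = "0-30" if age <= 30 else "31-90" if age <= 90 else "91+"
        report[f["severity"]][bucket] += 1
    return report


if __name__ == "__main__":
    tracker = triage(SAMPLE_SCAN_CSV)
    for f in overdue(tracker, REPORT_DATE):
        print(f"OVERDUE {f['asset']} {f['cve']} {f['severity']} due {f['due']}")
    print(aging_report(tracker, REPORT_DATE))
```

Run as-is, the script reports the critical finding on web-01 as overdue (discovered 1 May, a 15-day SLA puts it due on 16 May) and prints the open-findings-by-age table; in practice the CSV would be the scanner's export and the suppression list would live in the tracker with its justification, since an auditor will ask why each suppressed finding was dropped.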

Evidence required

Vulnerability scan results

Recent scan reports covering all in-scope assets, showing identified vulnerabilities with CVE identifiers and severity ratings.

  • Qualys or Tenable scan report from the last 30 days
  • Wiz cloud vulnerability findings export
  • Nessus scan summary showing asset coverage and findings

Vulnerability tracking record

A backlog or register of open and remediated vulnerabilities with severity, owner, and target remediation date.

  • Jira board with vulnerability tickets and SLA due dates
  • DefectDojo project showing open, in-progress, and closed findings
  • Spreadsheet tracking CVEs with discovery date and closure date

Remediation SLA policy

A written definition of expected remediation timelines by severity level.

  • Vulnerability management policy document with SLA table
  • Internal runbook section defining patch timelines by CVSS score
  • Security policy page on the internal wiki

Related controls