cc7-1 High priority Security / System Operations

Vulnerability management identifies and remediates security flaws

Software has vulnerabilities. New ones are discovered every day. Without a process to identify, prioritize, and remediate vulnerabilities, systems accumulate known attack paths over time. This criterion requires a systematic vulnerability management program: regular scanning, risk-based prioritization, and tracked remediation within defined timelines.

Complete first: cc5-2

Implementation steps

  1. Implement regular vulnerability scanning

    Run automated vulnerability scans against your infrastructure and applications at least monthly; treat monthly as the compliance floor and, where the tooling allows, scan container images and dependency manifests on every build as well. Scans should cover cloud infrastructure configurations, operating system and package vulnerabilities on servers and container images, and application dependencies. No single tool covers all three layers, so combine static analysis, dependency scanning, and infrastructure scanning, and keep the raw scan output: it is the evidence an auditor will ask for.

    Tools: snyk, qualys, tenable, aws-inspector, trivy

  2. Establish remediation SLAs by severity

    Document remediation timelines based on severity: critical vulnerabilities patched within 7 days, high within 30 days, medium within 90 days. Severity should reflect risk rather than the scanner's CVSS score alone: a finding that is actively exploited (for example, listed in the CISA KEV catalog) or sits on an internet-facing service is handled as critical regardless of its score. Track each open vulnerability in a ticketing system with an assigned owner and a due date, with the SLA clock starting at first detection, not at the most recent scan. Report SLA compliance (findings closed within their SLA, and findings currently overdue, by severity) to measure program effectiveness.

    Tools: jira, linear, github-issues, snyk

  3. Subscribe to vulnerability intelligence feeds

    Monitor sources that publish newly discovered vulnerabilities relevant to your stack: CVE databases, vendor security bulletins, GitHub security advisories, and the CISA Known Exploited Vulnerabilities (KEV) catalog. Configure Dependabot or an equivalent tool to open pull requests automatically for vulnerable dependencies; merging those pull requests closes the finding, and the PR history doubles as remediation evidence.

    Tools: dependabot, snyk, github-advanced-security
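
The three steps above are one process: scan, assign each finding a severity and a due date, escalate anything that is known to be exploited, and report what is overdue. The script below is an added example, not code from this page or from any of the tools listed; it reads the JSON shape that `trivy image --format json <image>` produces (a trimmed, constructed sample with placeholder CVE IDs is embedded in place of a real report), applies the 7/30/90-day SLAs from step 2, escalates findings present in a stand-in KEV set to critical, and computes the open and overdue counts that step 2 asks you to report. The image name, first-seen dates and KEV set are all constructed.

```python
"""Triage a Trivy JSON report against remediation SLAs (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation SLAs from the policy text: maximum days a finding may stay open.
# LOW and UNKNOWN carry no SLA here; they are listed but never flagged overdue.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90}

# Constructed sample in the shape of `trivy image --format json` output. Only
# the fields read below are present; the CVE IDs are placeholders, not real ones.
SAMPLE_TRIVY_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "registry.example.internal/api:1.4.2",
 "Results": [
  {"Target": "registry.example.internal/api:1.4.2 (debian 12.5)", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2099-0001", "PkgName": "libexample",
     "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libother",
     "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"}]},
  {"Target": "app/requirements.txt", "Type": "pip",
   "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2099-0003", "PkgName": "somelib",
     "InstalledVersion": "4.1.0", "FixedVersion": "4.1.1", "Severity": "MEDIUM"}]},
  {"Target": "app/package-lock.json", "Type": "npm"}]}
""")

# Constructed stand-in for the CISA KEV catalog (the real feed is a JSON file
# whose "vulnerabilities" entries carry a "cveID"). A known-exploited finding is
# escalated to CRITICAL whatever CVSS-based severity the scanner assigned.
SAMPLE_KEV_IDS = {"CVE-2099-0002"}

# Constructed stand-in for the ticketing system: first-detection date per
# (CVE, package). The SLA clock starts then, not at the most recent scan.
SAMPLE_FIRST_SEEN = {
    ("CVE-2099-0001", "libexample"): date(2024, 3, 1),
    ("CVE-2099-0002", "libother"): date(2024, 2, 20),
    ("CVE-2099-0003", "somelib"): date(2024, 1, 10),
}


@dataclass
class Finding:
    cve: str
    package: str
    target: str
    scanner_severity: str
    effective_severity: str
    fix_available: bool
    first_seen: date
    due: date | None  # None when the effective severity has no SLA

    def overdue(self, today: date) -> bool:
        return self.due is not None and today > self.due


def iter_vulnerabilities(report: dict):
    """Yield (target, vuln) pairs; clean Results entries omit "Vulnerabilities"."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def triage(report: dict, kev_ids: set, first_seen: dict, scan_date: date) -> list[Finding]:
    """Assign each finding an effective severity and an SLA due date."""
    findings = []
    for target, vuln in iter_vulnerabilities(report):
        cve, pkg = vuln["VulnerabilityID"], vuln["PkgName"]
        scanner_sev = vuln.get("Severity", "UNKNOWN").upper()
        effective = "CRITICAL" if cve in kev_ids else scanner_sev
        seen = first_seen.get((cve, pkg), scan_date)  # new finding: clock starts now
        days = SLA_DAYS.get(effective)
        due = seen + timedelta(days=days) if days is not None else None
        findings.append(Finding(cve, pkg, target, scanner_sev, effective,
                                bool(vuln.get("FixedVersion")), seen, due))
    return findings


def sla_summary(findings: list[Finding], today: date) -> dict:
    """Open and overdue counts per effective severity: the SLA compliance figure."""
    summary: dict = {}
    for f in findings:
        row = summary.setdefault(f.effective_severity, {"open": 0, "overdue": 0})
        row["open"] += 1
        row["overdue"] += int(f.overdue(today))
    return summary


def run_sample(scan_date_iso: str = "2024-03-05", today_iso: str = "2024-03-10"):
    """Triage the constructed sample as of the given scan date and reporting date."""
    findings = triage(SAMPLE_TRIVY_REPORT, SAMPLE_KEV_IDS, SAMPLE_FIRST_SEEN,
                      date.fromisoformat(scan_date_iso))
    return findings, sla_summary(findings, date.fromisoformat(today_iso))


if __name__ == "__main__":
    found, summary = run_sample()
    for f in found:
        print(f.cve, f.package, f.scanner_severity, "->", f.effective_severity,
              "fix" if f.fix_available else "no fix", "due", f.due)
    print(summary)
```

To use it on real data, replace SAMPLE_TRIVY_REPORT with `json.load(open(path))` over a saved Trivy report, SAMPLE_KEV_IDS with the `cveID` values from the downloaded CISA feed, and SAMPLE_FIRST_SEEN with first-detection dates pulled from your tickets. In the sample, the KEV escalation is what turns the HIGH finding from "due in 30 days" into "already overdue", and the `FixedVersion` check separates findings you can patch now from ones that need a compensating control or a documented risk acceptance while upstream ships a fix.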

Evidence required

Vulnerability scan results

Evidence of regular vulnerability scanning and findings.

  • Snyk or Trivy scan results with vulnerability list
  • AWS Inspector findings report
  • Qualys or Tenable scan summary

Remediation tracking records

Evidence that vulnerabilities are tracked and remediated per defined SLAs.

  • Jira or Linear tickets for open vulnerabilities with due dates
  • Dependabot pull request history showing remediation
  • Vulnerability management policy with remediation SLAs

Related controls