Center for Internet Security (CIS)

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets.

Continuous Vulnerability Management

CIS Control Group 7

CIS Controls and CIS Benchmarks provide global standards for internet security, and are a recognized global standard and best practices for securing IT systems and data against attacks. CIS maintains the “CIS Controls”, a popular set of security controls which map to many industry-standard compliance and governance frameworks. Through an independent consensus process, CIS Benchmarks provide frameworks to help organizations bolster their security.

Center for Internet Security Requirements

Control 7.2: Establish and Maintain a Remediation Process
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
Control 7.5: Perform Automated Vulnerability Management Scans of Internal Enterprise Assets
Perform automated vulnerability scans of internal assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant tool.
Control 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Control 7.7: Remediate Detected Vulnerabilities
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
Control 7.1: Establish and Maintain a Vulnerability Management Process
Establish and maintain a documented vulnerability management process for enterprise assets.