Content library
Julkri: TL IV-I
TEK-19: Ohjelmistohaavoittuvuuksien hallinta

How to fill the requirement

Julkri: TL IV-I

TEK-19: Ohjelmistohaavoittuvuuksien hallinta

Task name
Priority
Status
Theme
Policy
Other requirements
Process for managing technical vulnerabilities
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

12.6.1: Management of technical vulnerabilities
ISO27 Full
14.2.1: Secure development policy
ISO27 Full
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
RS.AN-5: Vulnerability management process
NIST
1. Task description

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

  • risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
  • necessary actions are scheduled
  • all actions taken are documented
Using a selected web browser and checking for updates
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Email and phishing
Email and web browser
requirements

Task is fulfilling also these other security requirements

12.6.1: Management of technical vulnerabilities
ISO27 Full
13.2.1: Information transfer policies and procedures
ISO27 Full
PR.AC-3: Remote access management
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
5.14: Information transfer
ISO27k1 Full
1. Task description

The selection and up-to-dateness of web browser greatly affects e.g. experience, operation and browsing security of online services. When the entire organization uses the same web browser, instructing is easier and security is improved.

IT has chosen the browser to be used, monitors the staff in using the correct and up-to-date browser and supports the staff in the use.

Regular testing of the vulnerability management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

DE.DP-3: Detection processes testing
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
I-19: TIETOJENKÄSITTELY-YMPÄRISTÖN SUOJAUS KOKO ELINKAAREN AJAN – OHJELMISTOHAAVOITTUVUUKSIEN HALLINTA
Katakri 2020
DE.DP-3: Detection processes are tested.
CyFun
RS.AN-5: Processes are established to receive, analyse, and respond to vulnerabilities disclosed to the organization from internal and external sources.
CyFun
1. Task description

The vulnerability management process is regularly tested at intervals specified by the organization to ensure that it is up-to-date, functional, and effective.

Selecting and tracking data sources for vulnerability information
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

I23: Ohjelmistohaavoittuvuuksien hallinta
Katakri
12.6.1: Management of technical vulnerabilities
ISO27 Full
DE.CM-8: Vulnerability scans
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
8.8: Management of technical vulnerabilities
ISO27k1 Full
1. Task description

Information sources for software and other technologies have been consciously identified to identify and maintain information about technical vulnerabilities that are relevant to us (e.g. authorities or hardware and software manufacturers). Data sources are evaluated and updated as new useful sources are found.

Vulnerabilities can be found directly in the vendor systems we exploit or in the open source components exploited by many of our systems. It’s important to keep track of multiple sources to get the essential information obtained.

Regular vulnerability scanning
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

12.6.1: Management of technical vulnerabilities
ISO27 Full
18.2.3: Technical compliance review
ISO27 Full
14.2.8: System security testing
ISO27 Full
6.5: Tietojärjestelmien asennus, ylläpito ja päivitys
Self-monitoring
MWP-02: Automatic file scan by anti-malware software
Cyber Essentials
1. Task description

The organization regularly conducts a vulnerability scan, which searches for vulnerabilities found on computers, workstations, mobile devices, networks or applications. It is important to scan even after significant changes.

It should be noted that vulnerable source code can be from operating system software, server applications, user applications, as well as from the firmware application as well as from drivers, BIOS and separate management interfaces (e.g. iLo , iDrac). In addition to software errors, vulnerabilities occur from configuration errors and old practices, such as the use of outdated encryption algorithms.

Regular monitoring of the vulnerability management process
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Development and cloud
Technical vulnerability management
requirements

Task is fulfilling also these other security requirements

12.6.1: Management of technical vulnerabilities
ISO27 Full
ID.RA-1: Asset vulnerabilities
NIST
PR.IP-12: Vulnerability management plan
NIST
TEK-19: Ohjelmistohaavoittuvuuksien hallinta
Julkri
8.8: Management of technical vulnerabilities
ISO27k1 Full
1. Task description

The technical vulnerability management process is regularly monitored and evaluated to ensure its effectiveness and efficiency.

No items found.