ISO 27001

ISO 27001 Annex : A.12.6 Technical Vulnerability Management

The objective of ISO 27001 Annex A.12.6, Technical Vulnerability Management, is to prevent technical vulnerabilities from being exploited.

A.12.6.1  Management of Technical Vulnerabilities

Control – Information about technical vulnerabilities of the information systems in use should be obtained in a timely manner, the organization's exposure to such vulnerabilities should be evaluated, and appropriate measures should be taken to address the associated risk.

Implementation Guidance – An up-to-date and complete asset inventory is a prerequisite for effective technical vulnerability management (see Clause 8). The basic details needed to support technical vulnerability management include the software vendor, version numbers, current deployment status (i.e. which software is installed on which systems), and the person(s) within the organization responsible for the software.


Appropriate and timely action should be taken to identify potential technical vulnerabilities. To establish an effective management process for technical vulnerabilities, the following guidelines should be followed:

  1. The organization should define and establish the roles and responsibilities for technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;
  2. The information resources used to identify relevant technical vulnerabilities and maintain awareness of them, for the software and other technology in the asset inventory (refer to 8.1.1), should be updated as the inventory changes or as new or more useful resources are found;
  3. A timeline for reacting to notifications of potentially relevant technical vulnerabilities should be defined;
  4. Once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such actions may include patching the affected systems or applying other controls;
  5. Depending on how urgently a technical vulnerability needs to be addressed, the action should be carried out according to the change management procedures or by following the information security incident response procedures;
  6. If a patch is available from a legitimate source, the risk of installing it should be assessed (the risk posed by the vulnerability should be compared with the risk of installing the patch);
  7. Before a patch is installed, it should be tested and evaluated to ensure that it is effective and does not cause side effects that cannot be tolerated; where no patch is available, other controls should be considered, such as:
  • Switching off the services or capabilities related to the vulnerability;
  • Adapting or adding access controls at the network boundary, such as firewalls;
  • Increasing monitoring to detect actual attacks;
  • Raising awareness of the vulnerability;
  8. An audit log should be kept of all procedures undertaken;
  9. The technical vulnerability management process should be monitored and evaluated regularly to ensure its effectiveness and efficiency;
  10. High-risk systems should be addressed first;
  11. An effective technical vulnerability management process should be aligned with incident management activities, so that vulnerability information is passed to the incident response function and technical procedures are available should an incident occur;
  12. A procedure should be defined for the situation in which a vulnerability has been identified but no suitable countermeasure exists. In this situation the organization should evaluate the risks relating to the known vulnerability and define appropriate detective and corrective actions.
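The inventory-driven process these guidelines describe (an asset inventory with vendor, version, host and owner; a defined response timeline; high-risk systems first; an audit log of every action) as an added Python example, not code from the original article or from ISO 27001; the severity-to-days timeline, the vendor and host names, and the advisory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical response timeline per severity; A.12.6.1 only requires that one be defined.
RESPONSE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}

@dataclass
class Asset:                 # one row of the asset inventory (see 8.1.1)
    host: str
    vendor: str
    product: str
    version: str
    owner: str               # person responsible for the software
    high_risk: bool = False  # e.g. internet-facing or business-critical
@dataclass
class Advisory:              # a vendor notification, constructed for this example
    advisory_id: str
    vendor: str
    product: str
    fixed_in: str            # versions below this are affected
    severity: str
def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def match_assets(assets, advisories, today: str) -> list:
    """Pair inventory rows with advisories affecting them, attach a deadline, order high-risk first."""
    start = date.fromisoformat(today)
    findings = []
    for adv in advisories:
        for a in assets:
            if (a.vendor, a.product) != (adv.vendor, adv.product):
                continue
            if version_key(a.version) >= version_key(adv.fixed_in):
                continue  # already at or beyond the fixed version
            due = start + timedelta(days=RESPONSE_DAYS[adv.severity])
            findings.append({"host": a.host, "owner": a.owner, "advisory": adv.advisory_id,
                             "severity": adv.severity, "high_risk": a.high_risk,
                             "deadline": due.isoformat()})
    findings.sort(key=lambda f: (not f["high_risk"], f["deadline"]))  # guideline 10
    return findings
def audit_entry(finding: dict, action: str, when: str) -> str:
    """One audit-log line per action taken on a finding (guideline 8)."""
    return f"{when} {finding['advisory']} host={finding['host']} owner={finding['owner']} action={action}"
def demo() -> list:  # constructed inventory and advisory
    assets = [Asset("web01", "ExampleCorp", "WebServer", "2.4.1", "alice", high_risk=True),
              Asset("db01", "ExampleCorp", "WebServer", "2.4.1", "bob"),
              Asset("app02", "ExampleCorp", "WebServer", "2.5.0", "bob"),
              Asset("lab01", "OtherVendor", "Editor", "1.0", "carol")]
    return match_assets(assets, [Advisory("ADV-0001", "ExampleCorp", "WebServer", "2.5.0", "critical")], "2024-06-01")
```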

Read More : https://info-savvy.com/iso-27001-annex-a-12-6-technical-vulnerability-management


This Blog Article is posted by

Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com


ISO 27001 Annex : A.12.5 Control of Operational Software

The objective of ISO 27001 Annex A.12.5, Control of Operational Software, is to ensure the integrity of operational systems.

A.12.5.1  Installation of Software on Operational Systems

Control – Procedures should be implemented to control the installation of software on operational systems.

Implementation Guidance – To control changes to software on operational systems, the following guidelines should be considered:

  1. Operational software, applications and program libraries should be updated only by trained administrators and only with appropriate management authorization;
  2. Operational systems should hold only approved executable code, not development code or compilers;
  3. Applications and operating system software should be deployed only after extensive and successful testing of usability, security, effects on other systems and user-friendliness; testing should be carried out on separate systems, and it should be ensured that all corresponding program source libraries have been updated;
  4. A configuration control system should be used to keep control of all deployed software as well as the system documentation;
  5. A roll-back strategy should be in place before changes are introduced;
  6. An audit log should be maintained of all changes to operational program libraries;
  7. Previous versions of application software should be retained as a contingency measure;
  8. Old software versions should be archived, together with all required information and parameters, procedures, configuration details and supporting software, for as long as the data is retained in the archive.


Vendor-supplied software used on operational systems should be maintained at a level supported by the vendor. Over time, software vendors stop supporting older versions of their software, and the organization should consider the risk of continuing to rely on software that is unsupported or faulty.

Any decision to upgrade to a new release should take into account the business requirements for the change and the security of the release, for example whether it introduces new security functionality, and the number and severity of the information security problems affecting the current release. Software patches should be applied when they can remove or reduce information security vulnerabilities.

Suppliers should be given physical or logical access only for support purposes, only when necessary, and only with management approval. The supplier's activities should be monitored.

Software may depend on externally supplied software and modules; these should be monitored and controlled to avoid unauthorized changes that could introduce security weaknesses.


The well-known ISO 27001 Lead Auditor and ISO 27001 Lead Implementer certifications mainly cover the information security clauses and their implementation, i.e. the controls an organization should implement to preserve the CIA triad (Confidentiality, Integrity and Availability) and keep its critical, sensitive information secure. Infosavvy, a Mumbai-based institute, provides multi-domain certifications and training, including IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Infosavvy will help you understand and recognize the full scope of your organization's security controls, protect your organization's activities and information assets from attacks, and establish a backup policy that safeguards data against loss from intentional or natural hazards. It also helps you understand how to control and manage operational system integrity. Our trainers have extensive expertise and experience in the effective handling of information security. As a result, the candidate gains the skills needed for an ISMS audit using commonly agreed audit concepts, procedures and techniques.

Read More : https://info-savvy.com/iso-27001-annex-a-12-5-control-of-operational-software/
