VULNERABILITY AND THREAT MANAGEMENT - 5345
Introduction: Threats and vulnerabilities provide the primary inputs to the state entity’s risk assessment process.
Policy: Each state entity shall continuously identify and remediate vulnerabilities before they can be exploited. Vulnerability and threat management includes, but is not limited to, the following:
- Strategic placement of scanning tools to continuously assess all information technology assets;
- Implementation of appropriate scan schedules, based on asset criticality;
- Communication of vulnerability information to system owners or other individuals responsible for remediation;
- Dissemination of timely threat advisories to system owners or other individuals responsible for remediation;
- Consultation with system owners on mitigation strategies; and
- Implementation of mitigation measures in accordance with the Vulnerability Management Standard (SIMM 5345-A).