| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
RA-5(6) |
FedRAMP_High_R4_RA-5(6) |
FedRAMP High RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| FedRAMP_Moderate_R4 |
RA-5(6) |
FedRAMP_Moderate_R4_RA-5(6) |
FedRAMP Moderate RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| hipaa |
0201.09j1Organizational.124-09.j |
hipaa-0201.09j1Organizational.124-09.j |
0201.09j1Organizational.124-09.j |
02 Endpoint Protection |
0201.09j1Organizational.124-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
Anti-virus and anti-spyware are installed, operating and updated on all end-user devices to conduct periodic scans of the systems to identify and remove unauthorized software. Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. |
|
18 |
| hipaa |
0217.09j2Organizational.10-09.j |
hipaa-0217.09j2Organizational.10-09.j |
0217.09j2Organizational.10-09.j |
02 Endpoint Protection |
0217.09j2Organizational.10-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization configures malicious code and spam protection mechanisms to (i) perform periodic scans of the information system according to organization guidelines; (ii) perform real-time scans of files from external sources at endpoints and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and, (iii) block malicious code, quarantine malicious code, or send an alert to the administrator in response to malicious code detection. |
|
25 |
| hipaa |
0711.10m2Organizational.23-10.m |
hipaa-0711.10m2Organizational.23-10.m |
0711.10m2Organizational.23-10.m |
07 Vulnerability Management |
0711.10m2Organizational.23-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems. |
|
4 |
| hipaa |
0714.10m2Organizational.7-10.m |
hipaa-0714.10m2Organizational.7-10.m |
0714.10m2Organizational.7-10.m |
07 Vulnerability Management |
0714.10m2Organizational.7-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
The technical vulnerability management program is evaluated on a quarterly basis. |
|
20 |
| hipaa |
0717.10m3Organizational.2-10.m |
hipaa-0717.10m3Organizational.2-10.m |
0717.10m3Organizational.2-10.m |
07 Vulnerability Management |
0717.10m3Organizational.2-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
Vulnerability scanning tools include the capability to readily update the information system vulnerabilities scanned. |
|
3 |
| hipaa |
0718.10m3Organizational.34-10.m |
hipaa-0718.10m3Organizational.34-10.m |
0718.10m3Organizational.34-10.m |
07 Vulnerability Management |
0718.10m3Organizational.34-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
The organization scans for vulnerabilities in the information system and hosted applications to determine the state of flaw remediation monthly (automatically), and again (manually or automatically) when new vulnerabilities potentially affecting the systems and networked environments are identified and reported. |
|
4 |
| hipaa |
0719.10m3Organizational.5-10.m |
hipaa-0719.10m3Organizational.5-10.m |
0719.10m3Organizational.5-10.m |
07 Vulnerability Management |
0719.10m3Organizational.5-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
The organization updates the list of information system vulnerabilities scanned within every 30 days or when new vulnerabilities are identified and reported. |
|
3 |
| hipaa |
0790.10m3Organizational.22-10.m |
hipaa-0790.10m3Organizational.22-10.m |
0790.10m3Organizational.22-10.m |
07 Vulnerability Management |
0790.10m3Organizational.22-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
The organization reviews historic audit logs to determine if high vulnerability scan findings identified in the information system have been previously exploited. |
|
17 |
| NIST_SP_800-53_R4 |
RA-5(6) |
NIST_SP_800-53_R4_RA-5(6) |
NIST SP 800-53 Rev. 4 RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
Supplemental Guidance: Related controls: IR-4, IR-5, SI-4. |
link |
5 |
| NIST_SP_800-53_R5 |
RA-5(6) |
NIST_SP_800-53_R5_RA-5(6) |
NIST SP 800-53 Rev. 5 RA-5 (6) |
Risk Assessment |
Automated Trend Analyses |
Shared |
n/a |
Compare the results of multiple vulnerability scans using [Assignment: organization-defined automated mechanisms]. |
link |
5 |
| SWIFT_CSCF_v2022 |
2.7 |
SWIFT_CSCF_v2022_2.7 |
SWIFT CSCF v2022 2.7 |
2. Reduce Attack Surface and Vulnerabilities |
Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability scanning process and act upon results. |
Shared |
n/a |
Secure zone (including dedicated operator PC) systems are scanned for vulnerabilities using an up-to-date, reputable scanning tool and results are considered for appropriate resolving actions. |
link |
16 |
| SWIFT_CSCF_v2022 |
6.1 |
SWIFT_CSCF_v2022_6.1 |
SWIFT CSCF v2022 6.1 |
6. Detect Anomalous Activity to Systems or Transaction Records |
Ensure that local SWIFT infrastructure is protected against malware and act upon results. |
Shared |
n/a |
Anti-malware software from a reputable vendor is installed, kept up-to-date on all systems, and results are considered for appropriate resolving actions. |
link |
31 |