Threat and Vulnerability Management

A key component of the Information Security Program is the set of threat and vulnerability management policies. Each CAIQ control below is mapped to the policy, standard operating procedure (SOP), audits, artifacts, systems, and tracking tickets that evidence it.

CAIQ Control Domains and Threat and Vulnerability Management Policies

  • TVM-01: Antivirus / Malicious Software - Antivirus / Malicious Software Policy
  • TVM-01.1: Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-01.2: Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components as prescribed by industry best practices?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02: Vulnerability / Patch Management - Vulnerability Management Policy
  • TVM-02.1: Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02.2: Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02.3: Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02.4: Will you make the results of vulnerability scans available to tenants at their request?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02.5: Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-02.6: Do you inform customers (tenants) of policies and procedures and identified weaknesses if customer (tenant) data is used as part of the service and/or the customer (tenant) has some shared responsibility over implementation of the control?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-03: Mobile Code - Mobile Code Policy
  • TVM-03.1: Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

  • TVM-03.2: Is all unauthorized mobile code prevented from executing?


*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):

Related Documents

  • None