Threat and Vulnerability Management
Threat and vulnerability management policies are a key component of the Information Security Program.
CAIQ Control Domains and Threat and Vulnerability Management Policies
- TVM-01: Antivirus / Malicious Software - Antivirus / Malicious Software Policy
- TVM-01.1: Do you have anti-malware programs that support or connect to your cloud service offerings installed on all of your IT infrastructure network and systems components?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-01.2: Do you ensure that security threat detection systems using signatures, lists, or behavioral patterns are updated across all infrastructure components as prescribed by industry best practices?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02: Vulnerability / Patch Management - Vulnerability Management Policy
- TVM-02.1: Do you conduct network-layer vulnerability scans regularly as prescribed by industry best practices?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02.2: Do you conduct application-layer vulnerability scans regularly as prescribed by industry best practices?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02.3: Do you conduct local operating system-layer vulnerability scans regularly as prescribed by industry best practices?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02.4: Will you make the results of vulnerability scans available to tenants at their request?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02.5: Do you have a capability to patch vulnerabilities across all of your computing devices, applications, and systems?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-02.6: Do you inform customers (tenant) of policies and procedures and identified weaknesses if customer (tenant) data is used as part of the service and/or customer (tenant) has some shared responsibility over implementation of control?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-03: Mobile Code - Mobile Code Policy
- TVM-03.1: Is mobile code authorized before its installation and use, and the code configuration checked, to ensure that the authorized mobile code operates according to a clearly defined security policy?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
- TVM-03.2: Is all unauthorized mobile code prevented from executing?
*Policy:
*SOP:
*Audits:
*Artifacts:
*Systems:
*Related Jira Ticket(s):
Related Documents
- None