Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ra-5(10)

vulnerability scanning  | correlate scanning information

assessment objective:

Determine if the organization correlates the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

potential assessment methods and objects:

Examine: [select from: Risk assessment policy; procedures addressing vulnerability scanning; risk assessment; security plan; vulnerability scanning tools and techniques documentation; vulnerability scanning results; vulnerability management records; audit records; event/vulnerability correlation logs; other relevant documents or records].

Interview: [select from: Organizational personnel with vulnerability scanning responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Organizational processes for vulnerability scanning; automated mechanisms/tools supporting and/or implementing vulnerability scanning; automated mechanisms implementing correlation of vulnerability scan results].