🚦TRMG 3.1.6. Vulnerability assessment (VA)
- Vulnerability assessment (VA) is the process of discovering, identifying and assessing security vulnerabilities in a system.
- Penetration testing (PT) and vulnerability assessments provide a snapshot of a system in a specific state at a specific time. The snapshot is limited to those portions of the system actually tested during the penetration attempt(s).
🎯 Consideration points in TRMG:
- The BFIs should conduct vulnerability assessment (VA) regularly in the IT environment using both automated tools and manual techniques.
- The BFIs should carry out penetration tests (PT) at least annually.
- The BFIs should establish a process to remediate the issues identified in VA & PT and subsequently revalidate the remediation to confirm that the gaps are fully addressed.
- The BFIs should conduct system configuration reviews at periodic intervals in an authenticated mode (authenticated passive or active review).
- The BFIs should compare the results of successive assessments, identify repeated vulnerabilities, and address them either by patching, by implementing a compensating control, or by documenting and accepting a reasonable business risk.
- The security function should provide senior management with periodic status updates on the number of unmitigated critical vulnerabilities for each department/division, together with the plan for mitigating them.
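An added illustration of the last three points (not from the TRMG text or the original post): two constructed scan exports are compared to find repeated findings, a finding recorded as patched but still reported by the new scan is flagged as a failed revalidation, and unmitigated critical findings are counted per department for the management status update. The host names, plugin ids, department names and decision labels are all constructed sample values.

```python
from collections import Counter
# Constructed sample scan exports (not real data): one finding per dict.
PREVIOUS_SCAN = [
    {"host": "web01", "department": "Retail", "plugin_id": "10001", "severity": "critical"},
    {"host": "web01", "department": "Retail", "plugin_id": "10002", "severity": "high"},
    {"host": "db01", "department": "Treasury", "plugin_id": "10003", "severity": "critical"},
    {"host": "app02", "department": "Retail", "plugin_id": "10004", "severity": "medium"},
]
CURRENT_SCAN = [
    {"host": "web01", "department": "Retail", "plugin_id": "10001", "severity": "critical"},
    {"host": "db01", "department": "Treasury", "plugin_id": "10003", "severity": "critical"},
    {"host": "app02", "department": "Retail", "plugin_id": "10004", "severity": "medium"},
    {"host": "app02", "department": "Retail", "plugin_id": "10005", "severity": "critical"},
    {"host": "mail01", "department": "Operations", "plugin_id": "10006", "severity": "critical"},
]
# Constructed remediation register keyed by (host, plugin_id). The three values
# mirror the TRMG options: patch, compensating control, or accepted business risk.
DECISIONS = {
    ("db01", "10003"): "patched",
    ("app02", "10005"): "risk_accepted",
    ("mail01", "10006"): "compensating_control",
}

def finding_key(finding):
    """A finding is 'the same' across scans when host and plugin id match."""
    return (finding["host"], finding["plugin_id"])

def repeated_findings(previous, current):
    """Findings present in both scans, i.e. not fixed between the two runs."""
    seen_before = {finding_key(f) for f in previous}
    return [f for f in current if finding_key(f) in seen_before]

def revalidation_failures(current, decisions):
    """Findings recorded as patched that the new scan still reports: the
    remediation did not take, so they must be reopened rather than closed."""
    return [f for f in current if decisions.get(finding_key(f)) == "patched"]

def unmitigated_critical_by_department(current, decisions):
    """Count critical findings per department with no effective treatment.
    A compensating control or an accepted risk counts as treated; a 'patched'
    entry that still shows up in the scan does not."""
    counts = Counter()
    for f in current:
        if f["severity"] != "critical":
            continue
        if decisions.get(finding_key(f)) in ("compensating_control", "risk_accepted"):
            continue
        counts[f["department"]] += 1
    return dict(counts)
```

With the sample data, three findings repeat, the db01 finding fails revalidation, and Retail and Treasury each carry one unmitigated critical finding.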
⚠️ Three key challenges (personal observations):
- The capability of the BFI’s internal resources to conduct periodic VA & PT.
- The inefficiency of technology asset management and VA & PT scoping.
- The management support and leadership.
Credit source: https://t.me/lyvandyofficial/58