Infrastructure Security · IS-Q03

Question: Does the organization perform regular vulnerability assessments and remediate identified issues within defined timelines?

  1. Objective — Why This Matters
    Routine vulnerability scanning reveals weak points before attackers do. Closing findings promptly reduces exposure and strengthens compliance posture.

  2. Maturity Levels (0 – 5)

0 — Unaware
No vulnerability scanning.
1 — Ad Hoc
Occasional manual scans without remediation tracking.
2 — Defined
Quarterly internal scans; remediation recorded in spreadsheets.
3 — Managed
Automated scanning; risk-based prioritization; SLAs applied.
4 — Integrated
Feeds to ticketing and SIEM; verification of fixes.
5 — Optimized
Continuous scanning and threat-intel correlation.
  3. How to Level Up
     From → To   Actions
     0 → 2       Select internal/external scanners; run quarterly scans and record every finding with an owner.
     2 → 3       Automate scan scheduling; assign owners and severity-based remediation SLAs.
     3 → 4       Link findings to ticketing (Jira, GitHub Issues); confirm closure by rescanning, not by ticket status alone.
     4 → 5       Move to continuous scanning; correlate findings with threat intelligence (known-exploited status) to drive prioritization.
  4. People / Process / Technology Enablers
    People – Security Ops Analyst, Infra Admin.
    Process – Vulnerability remediation workflow with SLA tracking.
    Technology – OpenVAS, Nessus Essentials (free tier, limited to 16 IP addresses), Wazuh, Grafana.

  5. Evidence Required
    Latest scan reports, ticket logs, remediation evidence.

  6. Metrics / KPIs
    • percentage of critical findings closed within SLA
    • average time to remediate high vulnerabilities
    • number of recurring findings across scans
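The three KPIs above are only useful if they are computed the same way after every scan. The following Python script is an added example, not part of this assessment page or of any listed tool: it collapses per-scan scanner rows into finding instances and computes the three KPIs. The CSV column names, the severity-to-SLA mapping in SLA_DAYS and the finding rows themselves are constructed assumptions; map your scanner's export to these columns before use.

```python
"""Vulnerability-remediation KPIs from scanner exports (added example).

Assumptions (not from the page): the export has the columns below, one row
per finding per scan, and the SLA_DAYS table matches local policy.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Assumed remediation SLA per severity, in days. Tune to policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample export: two quarterly scans. A blank closed_on means
# the finding is still open. CVE-2023-44487 on 10.0.0.5 is fixed and then
# regresses; CVE-2022-0778 on 10.0.0.7 is never fixed.
SAMPLE_CSV = """\
scan_date,host,plugin_id,severity,first_seen,closed_on
2024-01-05,10.0.0.5,CVE-2023-44487,critical,2024-01-05,2024-01-09
2024-01-05,10.0.0.5,CVE-2023-38545,high,2024-01-05,2024-02-20
2024-01-05,10.0.0.7,CVE-2023-4863,critical,2024-01-05,2024-01-20
2024-01-05,10.0.0.7,CVE-2022-0778,high,2024-01-05,
2024-04-05,10.0.0.7,CVE-2022-0778,high,2024-01-05,
2024-04-05,10.0.0.9,CVE-2023-4863,critical,2024-04-05,2024-04-08
2024-04-05,10.0.0.5,CVE-2023-44487,critical,2024-04-05,2024-04-30
2024-04-05,10.0.0.9,CVE-2023-5678,medium,2024-04-05,
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str
    first_seen: date
    closed_on: date | None
    scans: frozenset[date]  # scan dates on which this instance was reported


def load_findings(csv_text: str) -> list[Finding]:
    """Collapse per-scan rows into one instance per (host, plugin, first_seen)."""
    inst: dict[tuple[str, str, str], dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["host"], row["plugin_id"], row["first_seen"])
        entry = inst.setdefault(
            key, {"severity": row["severity"].lower(), "closed_on": None, "scans": set()}
        )
        entry["scans"].add(date.fromisoformat(row["scan_date"]))
        if row["closed_on"]:
            entry["closed_on"] = date.fromisoformat(row["closed_on"])
    return [
        Finding(h, p, e["severity"], date.fromisoformat(fs), e["closed_on"], frozenset(e["scans"]))
        for (h, p, fs), e in inst.items()
    ]


def sla_status(f: Finding, as_of: date) -> str:
    """'met' if closed within SLA; 'breached' if closed late or still open past
    its SLA on as_of; 'pending' if open but not yet due."""
    limit = SLA_DAYS[f.severity]
    if f.closed_on is not None:
        return "met" if (f.closed_on - f.first_seen).days <= limit else "breached"
    return "breached" if (as_of - f.first_seen).days > limit else "pending"


def pct_closed_within_sla(findings: list[Finding], severity: str, as_of: date) -> float | None:
    """KPI 1: share of due findings of this severity closed inside SLA (None if nothing is due)."""
    counts = Counter(sla_status(f, as_of) for f in findings if f.severity == severity)
    due = counts["met"] + counts["breached"]
    return None if due == 0 else round(100.0 * counts["met"] / due, 1)


def mean_days_to_remediate(findings: list[Finding], severity: str) -> float | None:
    """KPI 2: mean days from first_seen to closed_on over closed findings of this severity."""
    durations = [(f.closed_on - f.first_seen).days
                 for f in findings if f.severity == severity and f.closed_on is not None]
    return None if not durations else round(mean(durations), 2)


def recurring_findings(findings: list[Finding]) -> list[tuple[str, str]]:
    """KPI 3: (host, plugin) pairs reported in more than one scan, whether
    never fixed or fixed and regressed."""
    seen: dict[tuple[str, str], set[date]] = defaultdict(set)
    for f in findings:
        seen[(f.host, f.plugin_id)].update(f.scans)
    return sorted(k for k, scans in seen.items() if len(scans) > 1)


def kpi_report(csv_text: str, as_of: date) -> dict:
    findings = load_findings(csv_text)
    return {
        "pct_critical_within_sla": pct_closed_within_sla(findings, "critical", as_of),
        "mean_days_to_remediate_high": mean_days_to_remediate(findings, "high"),
        "recurring_findings": len(recurring_findings(findings)),
    }


if __name__ == "__main__":
    print(kpi_report(SAMPLE_CSV, date(2024, 5, 1)))
```

Two design points matter for the SLA figure: open findings that are already past their SLA count as breaches rather than being ignored, and open findings that are not yet due are excluded from the denominator so that a fresh scan does not artificially depress the number. The recurring count treats a regression (fixed, then reported again under a new first_seen) the same as a finding that was never fixed; both are signals that the remediation step, not only the scan, needs attention.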

  7. Low-Cost / Open-Source Options (MSME)

     Purpose     Tool                        Notes
     Scanning    OpenVAS / Nmap + Vulners    Automated discovery and assessment (Nmap requires -sV for the vulners script to match versions).
     Reporting   Faraday Community           Aggregate results and assign owners.
     Metrics     Wazuh / Grafana             Visualize closure-rate trends over time.
  8. Common Pitfalls
    Scanning without tracking findings to closure; dismissing critical findings as false positives without verifying them; treating a closed ticket as proof of remediation without a confirming rescan.

  9. Compliance Mapping

     Standard          Clauses / Notes
     ISO/IEC 27001     Annex A 8.8 (Management of technical vulnerabilities).
     NIST CSF          DE.CM-8 / PR.IP-12 (CSF 1.1 identifiers; the CSF 2.0 equivalent is ID.RA-01, vulnerabilities in assets are identified, validated and recorded).
     CERT-In 2022      Quarterly VA/PT expectation.
     NIRMATA Scoring   IS-Q03 ≥ Level 4 requires ticket-linked remediation verification.