CISO Assistant

Secure Controls Framework (SCF) 2024


The Secure Controls Framework (SCF) is a comprehensive cybersecurity controls framework with more than 1,000 control requirements covering privacy, cybersecurity, data protection, business continuity and other domains. The SCF is designed to help organizations meet the compliance requirements of multiple regulations and standards.

Version: 2024
Coverage status: full coverage (2478/2478)
Controls / scale items / total: 1239/1239/2478
Currently showing: 29 of 1239 controls, 33 categories
VPM-06.8 Does the organization define what information is allowed to be discoverable by adversaries and take corrective actions to remediate non-compliant systems?
Vulnerability And Patch Management / Acceptable Discoverable Information

Mechanisms exist to define what information is allowed to be discoverable by adversaries and to take corrective actions to remediate non-compliant systems.

VPM-01.1 Does the organization define and manage the scope for its attack surface management activities?
Vulnerability And Patch Management / Attack Surface Scope

Mechanisms exist to define and manage the scope of the organization's attack surface management activities.

VPM-05.2 Does the organization use automated mechanisms to determine the state of system components with regard to flaw remediation?
Vulnerability And Patch Management / Automated Remediation Status

Automated mechanisms exist to determine the state of system components with regard to flaw remediation.

VPM-05.4 Does the organization use automated mechanisms to install the latest stable versions of security-relevant software and firmware updates?
Vulnerability And Patch Management / Automated Software and Firmware Updates

Automated mechanisms exist to install the latest stable versions of security-relevant software and firmware updates.

VPM-06.2 Does the organization identify the breadth and depth of coverage for vulnerability scanning that define the system components scanned and the types of vulnerabilities that are checked for?
Vulnerability And Patch Management / Breadth / Depth of Coverage

Mechanisms exist to identify the breadth and depth of coverage for vulnerability scanning, defining which system components are scanned and which types of vulnerabilities are checked for.

VPM-05.1 Does the organization centrally manage the flaw remediation process?
Vulnerability And Patch Management / Centralized Management of Flaw Remediation Processes

Mechanisms exist to centrally manage the flaw remediation process.

VPM-04 Does the organization address new threats and vulnerabilities on an ongoing basis and ensure assets are protected against known attacks?
Vulnerability And Patch Management / Continuous Vulnerability Remediation Activities

Mechanisms exist to address new threats and vulnerabilities on an ongoing basis and to ensure assets are protected against known attacks.

VPM-06.9 Does the organization use automated mechanisms to correlate the output from vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors?
Vulnerability And Patch Management / Correlate Scanning Information

Automated mechanisms exist to correlate the output of vulnerability scanning tools to determine the presence of multi-vulnerability/multi-hop attack vectors.

VPM-06.6 Does the organization perform quarterly external vulnerability scans (outside the organization's network looking inward) via a reputable vulnerability service provider, which include rescans until passing results are obtained or all "high" vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?
Vulnerability And Patch Management / External Vulnerability Assessment Scans

Mechanisms exist to perform quarterly external vulnerability scans (from outside the organization's network looking inward) via a reputable vulnerability service provider, including rescans until passing results are obtained or all "high" vulnerabilities, as defined by the Common Vulnerability Scoring System (CVSS), are resolved.

VPM-04.2 Does the organization identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD)?
Vulnerability And Patch Management / Flaw Remediation with Personal Data (PD)

Mechanisms exist to identify and correct flaws related to the collection, usage, processing or dissemination of Personal Data (PD).

VPM-07.1 Does the organization utilize an independent assessor or penetration team to perform penetration testing?
Vulnerability And Patch Management / Independent Penetration Agent or Team

Mechanisms exist to utilize an independent assessor or penetration team to perform penetration testing.

VPM-06.7 Does the organization perform quarterly internal vulnerability scans, which include all segments of the organization's internal network, as well as rescans until passing results are obtained or all "high" vulnerabilities are resolved, as defined by the Common Vulnerability Scoring System (CVSS)?
Vulnerability And Patch Management / Internal Vulnerability Assessment Scans

Mechanisms exist to perform quarterly internal vulnerability scans covering all segments of the organization's internal network, including rescans until passing results are obtained or all "high" vulnerabilities, as defined by the Common Vulnerability Scoring System (CVSS), are resolved.

VPM-07 Does the organization conduct penetration testing on systems and web applications?
Vulnerability And Patch Management / Penetration Testing

Mechanisms exist to conduct penetration testing on systems and web applications.

VPM-06.3 Does the organization implement privileged access authorization for selected vulnerability scanning activities?
Vulnerability And Patch Management / Privileged Access

Mechanisms exist to implement privileged access authorization for selected vulnerability scanning activities.

VPM-10 Does the organization utilize "red team" exercises to simulate attempts by adversaries to compromise systems and applications in accordance with organization-defined rules of engagement?
Vulnerability And Patch Management / Red Team Exercises

Mechanisms exist to utilize "red team" exercises to simulate attempts by adversaries to compromise systems and applications, in accordance with organization-defined rules of engagement.

VPM-05.5 Does the organization remove old versions of software and firmware components after updated versions have been installed?
Vulnerability And Patch Management / Removal of Previous Versions

Mechanisms exist to remove old versions of software and firmware components after updated versions have been installed.

VPM-06.5 Does the organization review historical event logs to determine if identified vulnerabilities have been previously exploited?
Vulnerability And Patch Management / Review Historical event logs

Mechanisms exist to review historical event logs to determine whether identified vulnerabilities have previously been exploited.

VPM-09 Does the organization monitor logs associated with scanning activities and associated administrator accounts to ensure that those activities are limited to the timeframes of legitimate scans?
Vulnerability And Patch Management / Reviewing Vulnerability Scanner Usage

Mechanisms exist to monitor logs associated with scanning activities and the associated administrator accounts, to ensure that those activities are limited to the timeframes of legitimate scans.

VPM-05 Does the organization conduct software patching for all deployed operating systems, applications and firmware?
Vulnerability And Patch Management / Software and Firmware Patching

Mechanisms exist to conduct software patching for all deployed operating systems, applications and firmware.

VPM-04.1 Does the organization install the latest stable version of any software and/or security-related updates on all applicable systems?
Vulnerability And Patch Management / Stable Versions

Mechanisms exist to install the latest stable version of any software and/or security-related updates on all applicable systems.

VPM-08 Does the organization utilize a technical surveillance countermeasures survey?
Vulnerability And Patch Management / Technical Surveillance Countermeasures Security

Mechanisms exist to utilize a technical surveillance countermeasures survey.

VPM-05.3 Does the organization track the effectiveness of remediation operations through metrics reporting?
Vulnerability And Patch Management / Time To Remediate / Benchmarks For Corrective Action

Mechanisms exist to track the effectiveness of remediation operations through metrics reporting.

VPM-06.4 Does the organization use automated mechanisms to compare the results of vulnerability scans over time to determine trends in system vulnerabilities?
Vulnerability And Patch Management / Trend Analysis

Automated mechanisms exist to compare the results of vulnerability scans over time to determine trends in system vulnerabilities.

VPM-06.1 Does the organization update vulnerability scanning tools?
Vulnerability And Patch Management / Update Tool Capability

Mechanisms exist to update vulnerability scanning tools.

VPM-01 Does the organization facilitate the implementation and monitoring of vulnerability management controls?
Vulnerability And Patch Management / Vulnerability and Patch Management Program (VPMP)

Mechanisms exist to facilitate the implementation and monitoring of vulnerability management controls.

VPM-03.1 Does the organization identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities?
Vulnerability And Patch Management / Vulnerability Exploitation Analysis

Mechanisms exist to identify, assess, prioritize and document the potential impact(s) and likelihood(s) of applicable internal and external threats exploiting known vulnerabilities.

VPM-03 Does the organization identify and assign a risk ranking to newly discovered security vulnerabilities using reputable outside sources for security vulnerability information?
Vulnerability And Patch Management / Vulnerability Ranking

Mechanisms exist to identify newly discovered security vulnerabilities and assign them a risk ranking, using reputable outside sources for security vulnerability information.

VPM-02 Does the organization ensure that vulnerabilities are properly identified, tracked and remediated?
Vulnerability And Patch Management / Vulnerability Remediation Process

Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.

VPM-06 Does the organization detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications?
Vulnerability And Patch Management / Vulnerability Scanning

Mechanisms exist to detect vulnerabilities and configuration errors through routine vulnerability scanning of systems and applications.