SI-02 Flaw Remediation

Control: The organization identifies, reports, and corrects information system flaws.

Supplemental Guidance: The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security-relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's information systems before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. NIST Special Publication 800-40 provides guidance on security patch installation and patch management. Related security controls: CA-2, CA-4, CA-7, CM-3, IR-4, SI-11.

Control Enhancements:

(1) The organization centrally manages the flaw remediation process and installs updates automatically.

(2) The organization employs automated mechanisms to periodically and upon demand determine the state of information system components with regard to flaw remediation.

Baseline: LOW: SI-2; MOD: SI-2 (2); HIGH: SI-2 (1) (2)

Family: System and Information Integrity

Class: Operational

ISO 17799 mapping: 10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: 6.1, 6.2, 11.2, 11.3