Куда я попал?
Вы попали в сервис, который помогает корпоративным службам безопасности строить свои рабочие процессы:
управление рисками, контроль соответствия требованиям, учет активов,
планирование и сопровождение защитных мер на всем их жизненном цикле, распределение задач и т.д.
Еще SECURITM является платформой для обмена опытом и наработками между участниками сообщества служб безопасности.
Подробнее
Еще SECURITM является платформой для обмена опытом и наработками между участниками сообщества служб безопасности.
Информационная технология. Методы и средства обеспечения безопасности. Системы менеджмента информационной безопасности. Требования - Приложение А
ГОСТ Р № ИСО/МЭК 27001-2021 от 01.01.2022
A.12.6.1
Для проведения оценки соответствия по документу войдите в систему.
Похожие требования
ГОСТ Р № 57580.1-2017 от 01.01.2018 "Безопасность финансовых (банковских) операций. Защита информации финансовых организаций. Базовый состав организационных и технических мер. Раздел 9. Требования к защите информации на этапах жизненного цикла автоматизированных систем и приложений":
ЖЦ.20
ЖЦ.20 Реализация проведения ежегодного контроля защищенности АС, включающего: - тестирование на проникновение; - анализ уязвимостей системы защиты информации АС и информационной инфраструктуры промышленной среды
ЖЦ.21
ЖЦ.21 Обеспечение оперативного устранения выявленных уязвимостей защиты информации АС, включая уязвимости прикладного ПО
ЖЦ.14
ЖЦ.14 Реализация контроля защищенности АС, включающего (по решению финансовой организации при модернизации АС проводится контроль защищенности только элементов информационной инфраструктуры, подвергнутых модернизации): - тестирование на проникновение; - анализ уязвимостей системы защиты информации АС и информационной инфраструктуры промышленной среды
Стандарт Банка России № СТО БР ИББС-1.0-2014 от 01.06.2014 "Обеспечение информационной безопасности организаций банковской системы Российской Федерации - Общие положения":
Р. 7 п. 3 п.п. 9
7.3.9. На стадии эксплуатации АБС должны быть определены, выполняться и регистрироваться процедуры:
- контроля работоспособности (функционирования, эффективности) реализованных в АБС защитных мер, в том числе контроль реализации организационных защитных мер, контроль состава и параметров настройки применяемых технических защитных мер;
- контроля отсутствия уязвимостей в оборудовании и программном обеспечении АБС;
- контроля внесения изменений в параметры настройки АБС и применяемых технических защитных мер;
- контроля необходимого обновления программного обеспечения АБС, включая программное обеспечение технических защитных мер.
CIS Critical Security Controls v8 (The 18 CIS CSC):
18.2
18.2 Perform Periodic External Penetration Tests
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
18.5
18.5 Perform Periodic Internal Penetration Tests
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box.
7.6
7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
18.1
18.1 Establish and Maintain a Penetration Testing Program
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
16.2
16.2 Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders.
7.5
7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
NIST Cybersecurity Framework (RU):
RS.MI-3
RS.MI-3: Вновь выявленные уязвимости смягчаются или документируются как принятые риски
DE.CM-8
DE.CM-8: Выполняется сканирование уязвимостей
ID.RA-1
ID.RA-1: Идентифицированы и задокументированы уязвимости активов
ID.RA-5
ID.RA-5: Угрозы, уязвимости, вероятности и воздействия используются для определения риска
PR.IP-12
PR.IP-12: Разработан и внедрен план управления уязвимостями
Приказ ФСТЭК России № 21 от 18.02.2013 "Состав и содержание мер по обеспечению безопасности персональных данных, необходимых для обеспечения каждого из уровней защищенности персональных данных":
АНЗ.1
АНЗ.1 Выявление, анализ уязвимостей информационной системы и оперативное устранение вновь выявленных уязвимостей
CIS Critical Security Controls v7.1 (SANS Top 20):
CSC 3.1
CSC 3.1 Run Automated Vulnerability Scanning Tools
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
CSC 20.6
CSC 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts.
CSC 18.8
CSC 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
CSC 3.2
CSC 3.2 Perform Authenticated Vulnerability Scanning
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
CSC 3.6
CSC 3.6 Compare Back-to-Back Vulnerability Scans
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
CSC 3.7
CSC 3.7 Utilize a Risk-Rating Process
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
CSC 20.2
CSC 20.2 Conduct Regular External and Internal Penetration Tests
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully.
CSC 20.1
CSC 20.1 Establish a Penetration Testing Program
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
Приказ ФСТЭК России № 17 от 11.02.2013 "Требования о защите информации, не составляющей государственную тайну, содержащейся в государственных информационных системах":
АНЗ.1
АНЗ.1 Выявление, анализ уязвимостей информационной системы и оперативное устранение вновь выявленных уязвимостей
SWIFT Customer Security Controls Framework v2022:
2 - 2.2 Security Updates
2.2 Security Updates
2 - 2.7 Vulnerability Scanning
2.7 Vulnerability Scanning
Приказ ФСТЭК России № 31 от 14.03.2014 "Состав мер защиты информации и их базовые наборы для соответствующего класса защищенности автоматизированной системы управления":
АУД.2
АУД.2 Анализ уязвимостей и их устранение
NIST Cybersecurity Framework (EN):
RS.MI-3
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
ID.RA-5
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
PR.IP-12
PR.IP-12: A vulnerability management plan is developed and implemented
ID.RA-1
ID.RA-1: Asset vulnerabilities are identified and documented
DE.CM-8
DE.CM-8: Vulnerability scans are performed
Приказ ФСТЭК России № 239 от 25.12.2017 "Состав мер по обеспечению безопасности для значимого объекта соответствующей категории значимости":
АУД.2
АУД.2 Анализ уязвимостей и их устранение
Связанные защитные меры
Название | Дата | Влияние | ||
---|---|---|---|---|
Community
3
15
/ 26
|
Установка обновлений для ОС Linux
Ежемесячно
Вручную
Техническая
Превентивная
Компенсирующая
31.05.2022
|
31.05.2022 | 3 15 / 26 | |
Community
37
/ 27
|
Управление рисками информационной безопасности
Ежеквартально
Вручную
Организационная
Детективная
08.05.2022
|
08.05.2022 | 37 / 27 | |
Community
1
13
/ 25
|
Централизованная установка обновлений для ОС Windows через WSUS сервер
Ежедневно
Автоматически
Техническая
Превентивная
Компенсирующая
04.05.2022
|
04.05.2022 | 1 13 / 25 | |
Community
1
26
/ 34
|
Сканирование внешнего сетевого периметра на наличие уязвимостей
Еженедельно
Автоматически
Техническая
Детективная
11.02.2022
|
11.02.2022 | 1 26 / 34 | |
Community
9
/ 32
|
Проведение тестирования на проникновение
Ежеквартально
Вручную
Техническая
Детективная
02.06.2021
|
02.06.2021 | 9 / 32 |