Highlights of IS.016 Vulnerability Management Standard
EOTSS IS.016 Vulnerability Management Standard documents the requirements to protect, detect and recover from vulnerabilities in the technology environment. Topics include:
- Processes to identify, classify and remediate vulnerabilities across all technology environments and platforms to reduce the Commonwealth’s exposure to cyber threats
- Identifying and scanning for vulnerabilities
- Reviewing publicly facing web applications
- Conducting penetration testing
- Prioritizing the risk of vulnerabilities (critical, high, medium, low)
- Remediating vulnerabilities by deploying patches or making configuration changes as a mitigation strategy
- Reporting vulnerabilities and the stages of their mitigation
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel], which can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments who have not adopted comparable cyber and data security standards as part of their Internal Control Plan.