
Vulnerability and patch management in the CISSP exam

February 4, 2025, by Jeff Peters

A vulnerability assessment policy aims to establish controls and processes to help identify vulnerabilities within the firm's technology infrastructure and information system components that attackers can exploit to gain unauthorized access, disrupt business operations and steal or leak sensitive data. 

A patch management policy aims to identify controls and processes that will provide appropriate protection against threats that could adversely affect the security of the information system or data entrusted to the information system. Effective implementation of these controls will create a consistently configured environment that is secure against known vulnerabilities in the operating system and application software. 

The CISSP certification covers implementing and supporting patch and vulnerability management in Domain 7: Security Operations. ISC2 updated the CISSP exam outline in April 2024 to reflect current security practices and technologies; Security Operations kept its 13% weight in the exam.

For more exam tips, get our free ebook of CISSP exam tips and tricks — or watch our free one-hour CISSP exam tips course with an instructor whose students have a 95% pass rate. 

Earn your CISSP, guaranteed!

Get live, expert CISSP training from anywhere. Enroll now to claim your Exam Pass Guarantee!

Threat monitoring process

Threat monitoring is the ongoing process of gathering information about new and emerging threats to IT assets. 

Organizations must implement these key threat-monitoring practices: 

  • Enterprise security teams must gather information on current, new and emerging threats, including vendor notifications of threats, patches and system updates, and security information exchanges such as CISA (formerly US-CERT) alerts.
  • The technologies tracked in threat monitoring should align with the organization's technology asset inventory. 
  • Teams must address identified threats according to vulnerability remediation management processes. 
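The second practice above is where threat monitoring most often breaks down in practice: an advisory is only actionable once it is matched to something in the asset inventory, and the match has to compare versions numerically rather than as strings. The following Python is an added example (it is not from the article or from ISC2) that matches a constructed advisory feed against a constructed inventory. The hosts, versions, product names as used here and the ADV-* identifiers are hypothetical.

```python
"""Match vendor advisories against an asset inventory.

Added example, not part of the original article. The advisory feed,
inventory and version numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted numeric version ('2.10.3') to a tuple ((2, 10, 3)).

    Tuples compare element by element, so 2.10 correctly sorts after 2.4.
    Comparing the raw strings gets this wrong ('2.10' < '2.4' lexically),
    which silently marks newer builds as vulnerable or patched builds as
    fixed. Assumes purely numeric components (no '9.6p1'-style suffixes).
    """
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE or vendor ID
    product: str
    fixed_in: str      # first release that is no longer affected (assumed: everything earlier is)


# Constructed sample data: hypothetical hosts and advisories.
INVENTORY = [
    Asset("web01", "nginx", "1.24.0"),
    Asset("web02", "nginx", "1.25.4"),
    Asset("mail01", "postfix", "3.8.1"),
    Asset("app01", "openssh", "9.6"),
]

ADVISORIES = [
    Advisory("ADV-0001", "nginx", "1.25.0"),
    Advisory("ADV-0002", "openssh", "9.10"),   # 9.10 is newer than 9.6, despite the string order
    Advisory("ADV-0003", "tomcat", "10.1.0"),  # product not present in the inventory
]


def affected_assets(advisories: List[Advisory], inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Return (advisory_id, host) pairs for every asset running an affected version."""
    hits = []
    for adv in advisories:
        fixed = parse_version(adv.fixed_in)
        for asset in inventory:
            if asset.product == adv.product and parse_version(asset.version) < fixed:
                hits.append((adv.advisory_id, asset.host))
    return hits


def untracked_products(advisories: List[Advisory], inventory: List[Asset]) -> List[str]:
    """Advisories whose product does not appear in the inventory at all.

    These are noise for this organisation, unless the inventory is incomplete,
    which is itself the finding: threat monitoring is only as good as the asset list.
    """
    tracked = {a.product for a in inventory}
    return sorted({adv.product for adv in advisories} - tracked)


if __name__ == "__main__":
    for advisory_id, host in affected_assets(ADVISORIES, INVENTORY):
        print(f"{advisory_id}: {host} is running an affected version")
    print("advisories for products not in inventory:", untracked_products(ADVISORIES, INVENTORY))
```

Real advisories usually give affected ranges per branch (for example "1.25.0 to 1.25.3") rather than a single fixed-in version, so the comparison would be extended to a list of ranges; the version-parsing point stands either way.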

Vulnerability assessment

Vulnerability assessments identify and analyze vulnerabilities in technology assets at a point in time. These assessments focus on current operations, including processes, procedures and the state of technology assets. 

Organizations need a formal vulnerability management program with defined roles and responsibilities that covers: 

  • Development and management of vulnerability assessment processes and procedures 
  • Architecture reviews 
  • Testing security controls, limitations, network connections and restrictions against applicable standards 
  • Internal and external vulnerability scans at least quarterly 
    • Run internal scans after any significant network changes (new system components, topology changes, firewall rule modifications, product upgrades) 
    • Have a qualified third party conduct external vulnerability scans quarterly 
    • Internal teams can run post-change scans 
  • Annual penetration testing plus testing after major infrastructure/application changes, including: 
    • Network-layer penetration tests 
    • Application-layer penetration tests 
  • Follow-up actions using IT asset management data to validate and track findings and determine remediation steps 
  • Address identified vulnerabilities through the remediation management process 

Configuration management

Configuration management standardizes technology asset configurations based on documented baselines developed by subject matter experts and approved by functional leadership according to applicable policies. 

Organizations must: 

  • Document baseline configurations for all technology assets 
  • Design baselines to comply with security requirements 
  • Keep configurations current through responsible functional areas 
  • Integrate secure configurations into system build processes 
  • Enforce configuration standards consistently across functional areas 

All technology assets must align with their applicable baseline configuration. 

Vulnerability remediation management

Vulnerability remediation management evaluates identified vulnerabilities, assigns risk based on likelihood and impact, plans responses, tracks remediation and verifies completion. Inputs come from multiple sources, including technology risk assessments, threat monitoring and vulnerability assessments. 

Organizations must evaluate reported vulnerabilities and identify associated risks by considering: 

  • Asset inventory details, including hardware specifications, software versions and system configurations 
  • Likelihood of exploitation 
  • Potential impact of compromise 
  • Effectiveness of existing security controls 

Security teams must immediately notify stakeholders when there's reason to believe a vulnerability threatens the confidentiality, integrity or availability of production systems. 

All system components and software must have vendor-supplied security patches installed within one month of change management approval. 

Organizations must identify appropriate responses to vulnerabilities based on risk and available options. Responses should address root causes and may include: 

  • Software releases: Test and deploy available fixes through change management. Use emergency change processes when urgency requires it. 
  • Compensating controls: When patches aren't available or create unacceptable risk, deploy alternative protections like: 
    • Technical configuration changes 
    • Process modifications 

Vulnerability and patch: Detailed process

Identification

Organizations must implement processes to identify threats and vulnerabilities affecting critical business information and systems. This includes: 

Detection systems 

  • Deploy tools that detect and prevent known attacks 
  • Monitor critical files for changes 
  • Analyze suspicious or unauthorized access attempts 

Penetration testing requirements 

  • Annual external testing of network infrastructure and applications by independent testers 
  • Annual internal testing by qualified independent or internal penetration testers 
  • Testing of new systems or after significant changes before deployment 
  • Re-testing to confirm remediation of high-risk vulnerabilities 

Vulnerability scanning requirements 

  • Quarterly external scanning of internet-facing systems 
  • Quarterly internal scanning of business-critical environments 
  • Scanning after significant system changes 
  • Re-scanning after addressing high-risk findings 
  • Quarterly wireless scanning for WLAN cards, portable wireless devices and wireless network connections 
  • Incident response procedures for unauthorized device discovery 

External threat intelligence 

  • Subscribe to threat intelligence services for early warning of potential threats 
  • Monitor vendor security announcements for vulnerabilities and patches 
  • Regular assessment of threat intelligence relevance to business assets 

All vulnerability scanning and penetration testing requires: 

  • System owner approval 
  • Third-party authorization when testing managed systems 
  • IT operations awareness and resource availability during testing 

Analysis

Roles and frequency

Vulnerability management analysis meetings must take place at least monthly. These meetings must include the appropriate individuals to discuss every device type with outstanding vulnerabilities that have a CVSS score greater than 0 or are rated 'high' or 'critical'.

A monthly process must exist to list identified vulnerabilities mapped to specific business-critical services. 

Risk criteria

For devices storing, processing or transferring business-critical data: 

  • All vulnerabilities rated 'critical' or 'high', or with a CVSS score greater than 4.0, must have a mitigating action assigned.
  • All other vulnerabilities must be assessed, and actions must be agreed upon based on risk.
  • Critical or high vulnerabilities must be mitigated within 3 days of identification.
  • Vulnerabilities rated below high but with a CVSS score greater than 0 must be mitigated within 90 days, or the risk-based decision not to mitigate must be documented.

For devices that do not store, process or transfer business-critical data, use risk-based decisions to determine the appropriate mitigating actions.

Risk mitigation list

An updated vulnerability list must include: 

  • Mitigating actions 
  • Target completion dates 
  • Designated owners responsible for implementing fixes 
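The risk criteria and the mitigation list above amount to a decision procedure, and it is worth seeing it written down so the edge cases are explicit: a CVSS 0 informational finding gets no entry, a device outside the business-critical scope gets a risk-based entry with no hard deadline, and a 'medium' with CVSS above 4.0 still gets a mandatory action but the 90-day clock rather than the 3-day one. The following Python is an added example, not code from the article or from ISC2; the findings, hosts and owner names are constructed, and the thresholds are the ones stated in the text.

```python
"""Turn the risk criteria into a mitigation list with actions, owners and target dates.

Added example, not part of the original article. Findings, hosts and owners
are constructed. Thresholds follow the text: critical/high or CVSS > 4.0 must
get an action; critical/high are due in 3 days; anything else with CVSS > 0 is
due in 90 days unless a documented risk acceptance exists.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

CRITICAL_HIGH_DAYS = 3
OTHER_DAYS = 90
MANDATORY_ACTION_CVSS = 4.0


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    rating: str                  # scanner's qualitative rating
    handles_critical_data: bool  # stores, processes or transfers business-critical data
    identified: date


@dataclass
class MitigationItem:
    finding: Finding
    action: str
    owner: str
    target_date: Optional[date]  # None when the deadline is left to a risk-based decision


def triage(finding: Finding, owner: str) -> Optional[MitigationItem]:
    """Apply the risk criteria to one finding and return its mitigation-list entry.

    Returns None for purely informational findings (CVSS 0 and not rated
    high or critical), which need no entry on the list.
    """
    severe = finding.rating.lower() in ("critical", "high")
    if not finding.handles_critical_data:
        # Outside the hard deadlines: record it for a risk-based decision.
        return MitigationItem(finding, "risk-based decision", owner, None)
    if severe:
        return MitigationItem(finding, "mitigate", owner,
                              finding.identified + timedelta(days=CRITICAL_HIGH_DAYS))
    if finding.cvss <= 0:
        return None
    if finding.cvss > MANDATORY_ACTION_CVSS:
        action = "mitigate"
    else:
        # Must be assessed; either mitigate or document the risk acceptance by the target date.
        action = "assess: mitigate or document risk acceptance"
    return MitigationItem(finding, action, owner,
                          finding.identified + timedelta(days=OTHER_DAYS))


def build_mitigation_list(findings: List[Finding], owners: Dict[str, str]) -> List[MitigationItem]:
    """Produce the risk mitigation list, earliest target date first; undated items last."""
    items = []
    for f in findings:
        item = triage(f, owners.get(f.host, "unassigned"))
        if item is not None:
            items.append(item)
    return sorted(items, key=lambda i: i.target_date or date.max)


# Constructed sample findings; hosts, titles and owners are hypothetical.
OWNERS = {"db01": "dba-team", "kiosk01": "desktop-team"}
FOUND = date(2025, 2, 4)
FINDINGS = [
    Finding("db01", "Unpatched database listener", 9.8, "Critical", True, FOUND),
    Finding("db01", "TLS 1.0 enabled", 5.3, "Medium", True, FOUND),
    Finding("db01", "Verbose service banner", 2.1, "Low", True, FOUND),
    Finding("db01", "Service enumeration", 0.0, "Info", True, FOUND),
    Finding("kiosk01", "Unpatched browser", 9.8, "Critical", False, FOUND),
]

if __name__ == "__main__":
    for item in build_mitigation_list(FINDINGS, OWNERS):
        print(f"{item.finding.host:8} {item.finding.title:28} {item.action:45} "
              f"{item.owner:13} {item.target_date}")
```

The rating check runs before the CVSS check on purpose: the text makes 'high' or 'critical' sufficient on its own, so a scanner that reports a severe rating with a missing or zero score still lands on the 3-day clock.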

Fix

Configuration and testing

All standard changes (non-emergency changes) must successfully go through testing in non-production environments before deployment. Testing must verify that security tools and existing patches remain effective when deploying new patches or workarounds. Enter all vulnerability mitigations into the change control system and follow change control protocols. Emergency mitigations need authorization from relevant teams before applying to production. 

Deployment

Complete vulnerability mitigation by the documented date. Notify the relevant team after successful testing. Include rollback options in the change deployment process. 

Monitoring

Re-scanning or re-testing must verify the successful remediation of high-risk vulnerabilities. Generate reports or log files after deploying patches or workarounds to confirm completion. Report any incidents that occur during vulnerability scanning or penetration testing to the organization's security team. 

The security team must monitor the vulnerability mitigation list and escalate any fixes not completed by their due dates. Testing that involves access to confidential information requires the specific testing approaches described in the following sections. 
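Two things go wrong in this monitoring step when it is done by eye: a finding that merely disappears from the re-scan report is treated as fixed even when its host was offline or out of scope, and overdue items are noticed late. The following Python is an added example (not code from the article or from ISC2) that reconciles a mitigation list against a re-scan and separates verified, still-open, overdue and unverifiable items. The hosts, scanner check IDs, owners and dates are constructed.

```python
"""Verify remediation against a re-scan and flag overdue fixes for escalation.

Added example, not part of the original article. Hosts, check IDs, owners and
dates are constructed. Findings are keyed by (host, plugin_id) as most scanners
do; the IDs here are made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set


@dataclass(frozen=True)
class ScanResult:
    host: str
    plugin_id: str   # scanner check identifier (hypothetical values below)
    cvss: float


@dataclass
class TrackedItem:
    host: str
    plugin_id: str
    owner: str
    target_date: date
    status: str = "open"   # open | verified | overdue | unverified


def reconcile(tracked: List[TrackedItem], rescan: List[ScanResult],
              hosts_scanned: Set[str], today: date) -> Dict[str, List]:
    """Compare the mitigation list with a re-scan.

    A finding counts as remediated only when its host was actually covered by
    the re-scan and the check no longer fires. 'Absent from the report' is not
    the same as 'fixed': a host that was offline or excluded from scope would
    otherwise be closed by mistake. Anything not verified and past its target
    date goes on the escalation list.
    """
    still_present = {(r.host, r.plugin_id) for r in rescan}
    known = {(t.host, t.plugin_id) for t in tracked}
    report: Dict[str, List] = {"verified": [], "open": [], "escalate": [], "unverified": [], "new": []}

    for item in tracked:
        key = (item.host, item.plugin_id)
        if item.host not in hosts_scanned:
            state = "unverified"
        elif key not in still_present:
            state = "verified"
        else:
            state = "open"
        if state != "verified" and today > item.target_date:
            state = "overdue"          # due date passed without a confirmed fix
        item.status = state
        report["escalate" if state == "overdue" else state].append(item)

    # Findings the re-scan raised that are not on the list yet go back into analysis.
    report["new"] = [r for r in rescan if (r.host, r.plugin_id) not in known]
    return report


# Constructed sample data: a mitigation list and a re-scan run on 2025-02-10.
RESCAN_DATE = date(2025, 2, 10)
HOSTS_SCANNED = {"web01", "app01"}          # db01 was not reachable during the re-scan
TRACKED = [
    TrackedItem("web01", "10001", "web-team", date(2025, 2, 7)),
    TrackedItem("web01", "10002", "web-team", date(2025, 2, 7)),
    TrackedItem("app01", "20001", "app-team", date(2025, 5, 5)),
    TrackedItem("db01", "30001", "dba-team", date(2025, 5, 5)),
]
RESCAN = [
    ScanResult("web01", "10002", 7.5),      # still present and past its due date
    ScanResult("app01", "20001", 5.3),      # still present, within its window
    ScanResult("app01", "20002", 6.1),      # not on the list yet
]

if __name__ == "__main__":
    result = reconcile(TRACKED, RESCAN, HOSTS_SCANNED, RESCAN_DATE)
    for bucket, entries in result.items():
        for e in entries:
            print(f"{bucket:10} {e.host} {e.plugin_id} {getattr(e, 'owner', '')}")
```

Keying on host name is fragile where addresses are assigned by DHCP or hosts get rebuilt under new names; where the asset inventory provides a stable asset ID, key on that instead so a verified closure really refers to the same system.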

External security vulnerability testing

External testing often starts with reconnaissance, gathering public information like: 

  • System names 
  • IP addresses 
  • Operating systems 
  • Technical contact details 

Initial attacks typically target common application protocols that the perimeter allows through, such as: 

  • FTP 
  • HTTP 
  • SMTP 
  • POP 

Testers examine externally accessible servers for vulnerabilities that could enable access to internal systems and sensitive data. External testing also focuses on discovering access methods like wireless access points, modems and internal server portals. 

Internal security vulnerability testing

For internal testing, assessors work from inside the network as a trusted insider. They receive temporary access, often as general users with typical privileges. Based on the test goals, access could extend up to system or network administrator level. 

Testers attempt to gain additional access through privilege escalation — for example: 

  • Increasing user privileges to administrator level 
  • Escalating system admin rights to domain admin access 

Internal testing examines system security and configuration, including: 

  • Application and service settings 
  • Authentication mechanisms 
  • Access controls 
  • System hardening 

Overt/covert security vulnerability testing

Overt security vulnerability testing involves performing external and/or internal testing with the knowledge and consent of the organization's IT staff. This enables comprehensive evaluation of the network or system security posture. 

Covert security vulnerability testing, also known as black hat testing, takes an adversarial approach by performing testing without the knowledge of the organization's IT staff but with the full knowledge and permission of upper management. 

Mastering vulnerability management for CISSP 

Organizations must approach vulnerability and patch management systematically to protect against evolving threats. As covered in Domain 7 (Security Operations) of the CISSP exam, effective vulnerability management requires continuous monitoring, regular testing, structured analysis and timely remediation. 

Like success on the CISSP exam, success in vulnerability management requires both technical knowledge and business acumen. While pentesters conduct the technical assessments and system administrators deploy the patches, security managers must understand risk, allocate resources and communicate effectively with stakeholders. 

Ready to master these concepts?

Jeff Peters

Jeff Peters is a communications professional with more than a decade of experience creating cybersecurity-related content. As the Director of Content and Brand Marketing at Infosec, he oversees the Infosec Resources website, the Cyber Work Podcast and Cyber Work Hacks series, and a variety of other content aimed at answering security awareness and technical cybersecurity training questions. His focus is on developing materials to help cybersecurity practitioners and leaders improve their skills, level up their careers and build stronger teams.