One of the most common exceptions in SOC 2 reports involves the failure to remediate critical and high vulnerabilities in a timely manner. The purpose of this paper is to evaluate the importance of vulnerability management and why it is critical to addressing Common Criteria (CC) 7.1 in a SOC 2 report: "To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities."
One of the key points of focus under CC7.1 is:
Conducts Vulnerability Scans – The entity conducts infrastructure and software vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes are made to the environment. Action is taken to remediate identified deficiencies in a timely manner to support the achievement of the entity’s objectives.
Most would argue that it is not possible to address CC7.1 in a SOC 2 report without: 1) conducting periodic vulnerability scans, and 2) remediating critical and high vulnerabilities in a timely manner.
As organizations continue to expand their Internet presence through increased use and operation of interconnected and complex Internet accessible systems, it is more critical than ever to rapidly remediate vulnerabilities inherent to these systems. Failure to do so could allow malicious actors to compromise networks through exploitable, externally-facing systems. Delay in resolving any security gaps will open the door for attackers to invade the network. Therefore, security teams must understand that vulnerability management does not stop with just the identification process; remediation should generally be the final and mandatory step.
Organizations face a few options when they learn about a vulnerability and the risks it poses. They can accept the risk, usually when the value of the asset is less than the cost of protecting it. A second option is mitigation, which can entail implementing controls external to the product, or relying on internal mechanisms, to make the vulnerability significantly more difficult to exploit.
In most cases, a third possibility – remediation – is the preferred course of action. However, organizations often choose not to remediate vulnerabilities, as remediation can be costly and complex.
Whichever path organizations choose – acceptance, mitigation, or remediation – each carries its own risks and consequences. Understanding the issues that lie beneath each option is the key to success.
The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security has published some useful recommendations related to vulnerability remediation. CISA recommends the following remediation timelines:
- Critical vulnerabilities should be remediated within 15 calendar days of initial detection.
- High vulnerabilities should be remediated within 30 calendar days of initial detection.
If vulnerabilities cannot be remediated within the recommended timeframes, CISA recommends developing a remediation plan for action and coordination across the organization. The remediation plan should include:
- Vulnerability remediation constraints
- Interim mitigation actions to overcome constraints
- Final actions required to remediate vulnerability
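The timelines and plan contents above translate directly into an SLA check that a security team can run over its scan findings (and hand to a SOC 2 auditor as evidence). The following is an added example, not code from the original article or from CISA; the `Finding` structure, the status labels and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# CISA-recommended remediation windows, in calendar days from initial detection.
SLA_DAYS = {"critical": 15, "high": 30}

# Elements CISA says a remediation plan should include when the window cannot be met.
PLAN_FIELDS = ("constraints", "interim_mitigations", "final_actions")


@dataclass
class Finding:  # hypothetical record shape; adapt to your scanner's export
    finding_id: str
    severity: str
    detected: date
    remediated: Optional[date] = None
    plan: dict = field(default_factory=dict)


def days_open(f: Finding, as_of: date) -> int:
    """Days from detection to remediation, or to the reporting date if still open."""
    return ((f.remediated or as_of) - f.detected).days


def evaluate(findings, as_of: date) -> dict:
    """Map each finding id to its SLA status; overdue open findings must carry a full plan."""
    status = {}
    for f in findings:
        sla = SLA_DAYS.get(f.severity.lower())
        if sla is None:
            status[f.finding_id] = "out_of_scope"  # only critical/high have CISA timelines here
            continue
        age = days_open(f, as_of)
        if f.remediated is not None:
            status[f.finding_id] = "remediated_in_sla" if age <= sla else "remediated_late"
        elif age <= sla:
            status[f.finding_id] = "open_within_sla"
        else:
            missing = [k for k in PLAN_FIELDS if not f.plan.get(k)]
            status[f.finding_id] = "overdue_with_plan" if not missing else "overdue_missing_plan:" + ",".join(missing)
    return status


AS_OF = date(2024, 3, 31)
SAMPLE_FINDINGS = [  # constructed sample data
    Finding("F-1", "critical", date(2024, 3, 20), remediated=date(2024, 3, 28)),
    Finding("F-2", "critical", date(2024, 3, 1)),
    Finding("F-3", "high", date(2024, 2, 1), plan={"constraints": "EOL OS, no vendor patch",
            "interim_mitigations": "network segmentation", "final_actions": "replace host"}),
    Finding("F-4", "high", date(2024, 3, 15)),
    Finding("F-5", "medium", date(2024, 1, 1)),
]

if __name__ == "__main__":
    for fid, s in evaluate(SAMPLE_FINDINGS, AS_OF).items():
        print(fid, s)
```

Findings reported as `overdue_missing_plan` are the ones most likely to surface as a SOC 2 exception, since neither the remediation nor the documented plan exists.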
Historically, most vulnerabilities identified by CISA are related to unsupported operating systems that cannot receive patched or upgraded (secure) software. This is largely due to the prevalence of legacy systems across all industries and sectors, some of which perform mission-critical functions. The continued presence of end-of-life (EOL) systems is mostly due to the budgetary constraints inherent in replacing large numbers of EOL systems.
By some estimates, around 60% of all cybersecurity breaches are the result of an exploited vulnerability, for which a patch or mitigation was available but not yet applied. So all the other work done to secure the environment—firewall management, access controls, and various endpoint protections—is only mitigating a small portion of overall business risk.
In conclusion, an effective security vulnerability remediation process, including patching and other mitigation activities, should be a priority for all organizations. And if your organization receives a SOC 2 report, be aware that a consistently applied vulnerability management program is essential to receiving a clean SOC 2 opinion.
Thanks for reading!