Identified cybersecurity vulnerabilities are analysed and prioritised, and are addressed accordingly
Context and Guidance: Vulnerabilities may exist in all types of IT and OT assets, including operating systems, application software, firmware, network devices, mobile devices, IoT devices, and assets residing in the cloud. Organisations may improve vulnerability management effectiveness through analysis and prioritization. Analysis can aid prioritization in several ways, such as helping to identify the potential impact a vulnerability could have on an organisation's security posture. There are several factors important to determining the potential impact of a vulnerability. The attributes of the vulnerability—what it can do, how it is exploited, the potential effects, and the potentially affected assets—should be carefully considered. Additionally, the individual characteristics of the IT and OT environment, the cybersecurity controls in place, and externally determined impact valuation such as NIST National Vulnerability Database (NVD) Common Vulnerability Scoring System (CVSS) scores should also be considered. Based on the results of analysis, an organisation can then prioritise identified vulnerabilities for further action. Activities performed to address vulnerabilities may include implementing software, system, or firmware patches; developing and implementing operational workarounds or other mitigating controls; and developing and implementing new continuity plans or updating existing plans.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THREAT-1d, THREAT-1g, THREAT-1l.