SI-02 Flaw Remediation

System and Information Integrity

Baselines: Low, Moderate, High

Description

The organization identifies, reports, and corrects information system flaws.

Supplemental Guidance

The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security-relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's information systems before installation. Flaws discovered during security assessments, continuous monitoring, incident response activities, or information system error handling are also addressed expeditiously. Flaw remediation is incorporated into configuration management as an emergency change. NIST Special Publication 800-40 provides guidance on security patch installation and patch management. Related security controls: CA-02, CA-04, CA-07, CM-03, IR-04, SI-11.
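The first step the guidance describes, identifying which systems still carry a flawed software version once an advisory is published, is the one most often done badly (string comparison of version numbers, or no record of how long the advisory has been open). The script below is an added example, not part of the control text, NIST SP 800-40, or any vendor tooling: it matches a constructed asset inventory against constructed advisories by numeric version comparison and flags findings that have exceeded an assumed remediation SLA. Package names, advisory identifiers, dates and the SLA are all invented for illustration.

```python
"""Match an asset inventory against vendor advisories to find systems that
still run a flawed software version, and flag those past a remediation SLA.

Added example for SI-02; not part of the control text or NIST SP 800-40.
Inventory, advisories, dates and the SLA below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # tracking identifier (constructed, not a real advisory)
    package: str
    fixed_in: str      # first version that contains the fix
    published: date    # when the flaw was announced; SLA clock starts here


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    advisory_id: str
    days_open: int
    overdue: bool


def parse_version(v: str) -> tuple:
    # Dotted numeric versions only. Any non-numeric component (e.g. "rc1")
    # is rejected rather than silently mis-ordered.
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            raise ValueError(f"unsupported version component {p!r} in {v!r}")
        parts.append(int(p))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first fixed version."""
    a, b = parse_version(installed), parse_version(fixed_in)
    n = max(len(a), len(b))
    # Zero-pad so "2.4" and "2.4.0" compare equal; tuple comparison is numeric,
    # so "1.9.9" correctly sorts below "1.10" where a string compare would not.
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_unremediated(inventory, advisories, today, sla_days):
    """inventory: iterable of (host, package, installed_version).
    Returns one Finding per host/advisory pair still below the fixed version,
    overdue findings first, then by age."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings = []
    for host, pkg, ver in inventory:
        for adv in by_pkg.get(pkg, []):
            if is_affected(ver, adv.fixed_in):
                days = (today - adv.published).days
                findings.append(
                    Finding(host, pkg, ver, adv.advisory_id, days, days > sla_days)
                )
    return sorted(findings, key=lambda f: (not f.overdue, -f.days_open, f.host))


# Constructed sample data (hostnames, packages and advisories are fictitious).
INVENTORY = [
    ("web01", "examplehttpd", "2.4.57"),
    ("web02", "examplehttpd", "2.4.60"),   # already at the fixed version
    ("db01", "exampledb", "15.3"),
    ("app01", "exampleagent", "1.9.9"),    # naive string compare would miss this
]
ADVISORIES = [
    Advisory("ADV-0001", "examplehttpd", "2.4.60", date(2024, 3, 1)),
    Advisory("ADV-0002", "exampledb", "15.4", date(2024, 5, 20)),
    Advisory("ADV-0003", "exampleagent", "1.10", date(2024, 5, 28)),
]
TODAY = date(2024, 6, 1)
SLA_DAYS = 30  # assumed organizational remediation window


if __name__ == "__main__":
    for f in find_unremediated(INVENTORY, ADVISORIES, TODAY, SLA_DAYS):
        status = "OVERDUE" if f.overdue else "open"
        print(f"{f.host:6} {f.package:13} {f.installed:7} {f.advisory_id} "
              f"{f.days_open:3}d {status}")
```

Feeding this a real inventory (for example, package lists exported from a configuration-management or endpoint tool) and a real advisory feed is the identification and reporting half of SI-02; the "report" output is what goes to the configuration-management emergency-change process the guidance refers to. The version parser deliberately refuses non-numeric components instead of guessing, because a silent misordering here means a vulnerable host is reported as patched.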

MITRE ATT&CK Techniques (84)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

By tactic: Initial Access (9), Execution (13), Persistence (19), Privilege Escalation (26), Defense Evasion (36), Credential Access (9), Lateral Movement (3), Collection (2), Impact (1). A technique can belong to more than one tactic, so the per-tactic counts sum to more than the 84 distinct techniques.

Compliance Mappings

ISO 27001:2022

A.8.8

ISO 27002:2022

8.8

COBIT 2019

DSS03

CIS Controls v8

CIS 12.1, CIS 14.7, CIS 16.2, CIS 18.3, CIS 7, CIS 7.1, CIS 7.2, CIS 7.3, CIS 7.4, CIS 7.7

NIST CSF 2.0

ID.RA-01, ID.RA-08, PR.PS-02

SOC 2 TSC

CC9.2-POF13

PCI DSS v4.0.1

11.3, 6.3, 6.3.3

CSA CCM v4

AIS-07, IVS-04, TVM-03, TVM-04, UEM-07

CSA AICM v1

I&S-04, TVM-03, TVM-04, UEM-07

FINOS CCC

CCC-C10

ISO 42001:2023

A.6.2.6

NIS2 Directive

Art. 21(2)(e), Art. 21(2)(g)

MAS TRM

7

APRA CPS 234

Para 19-20, Para 22-23

ASD Essential Eight

E8-2, E8-2 ML1, E8-2 ML2, E8-2 ML3, E8-6, E8-6 ML1, E8-6 ML2, E8-6 ML3

BSI IT-Grundschutz

OPS.1.1.3, SYS.1.1, SYS.2.1

ANSSI

Hygiene.18, Hygiene.33, Hygiene.34, SecNumCloud.13.6

FINMA Circular 2023/1

IV.A(36), IV.B.c(56), IV.B.d(59), IV.C(64)

OSFI B-13

B-13.2.4

EU GDPR

Art.32(1)(b), Art.32(1)(d)

EU DORA

Art.7(2), Art.9(4)(e)

BIO2

8.8

RBI CSF

Annex1.7, ITGRCA.13

FISC Security Guidelines

FISC.O12, FISC.T7

LGPD + BCB 4893

BCB.Art.3, BCB.Art.6, LGPD.Art.46

HKMA TM-E-1

TME1.5.4, TME1.7.4

MLPS 2.0

8.1.10.3, 8.1.10.4, 8.1.4.4

DNB Good Practice

DNB.19.2

EU CRA

CRA.I.2a, CRA.I.2c, CRA.II.2, CRA.II.7, CRA.II.8, CRA.Info.8c

SWIFT CSCF

SWIFT.2.2, SWIFT.2.7

SAMA CSF

3.5

NCA ECC

2-10, 2-3

UAE IA

T7

CBB TM

TM-11, TM-5

Qatar NIA

OS

CBUAE

CR-7

CBE CSF

CTO-9

SA JS2

JS2-7.2, JS2-8.5

CBN CSF

Part2.3, Part3.3

BoG CISD

CISD-VI

POPIA

s19

BoM CTRM

3.6

IOSCO Cyber Resilience

PROT-6, SA-3

CPMI-IOSCO PFMI

CG.LE, CG.PR, PFMI.P17

FFIEC IS

II.A.2, II.C.11

NYDFS 500

500.5, 500.8

ECB CROE

CROE.2.3.4, CROE.2.8.1, CROE.2.8.2

EBA ICT Guidelines

3.4.4, 3.5(b)

SEBI CSCRF

PR.IP

BOT Cyber Resilience

Ch10.1, Ch3.2

CMMC 2.0

SI

NERC CIP

CIP-007-6

10 CFR 73.54

RG5.71-A-SI

TSA Pipeline SD

SD-2 Sec D

DOE C2M2 v2.1

THREAT

API 1164

Sec 7

IAEA NSS 17-T

Sec 5.4

PCI PTS v6

F

FIPS 140-3

FIPS 140-3 §7.12

CBEST

CBEST.6

TIBER-EU

TIBER.REM

ISAE 3402

Clause 4

Solvency II

DR.266, EIOPA-ICT-4.8

Lloyd's Minimum Standards

MS8.11, MS8.4

NAIC Insurance Data Security

4B

FCA SYSC 13

SYSC 13.7.1, SYSC 13.7.2, SYSC 13.7.4

HITRUST CSF v11

09.c, 10.e

FDA Cybersecurity Guidance

524B-2, MON-2, PU-1, PU-2, PU-3, SBOM-2, SBOM-3, VR-2

ISO 27799

12.5, 18.4, H.3

NHS DSPT

NDG-8.1, NDG-8.2, NDG-9.9

OWASP MASVS v2.1

MASVS-CODE-1, MASVS-CODE-2, MASVS-CODE-3

CCSS v9.0

2.01.1

MiCA

Art.62(5)

Basel SCO60

SCO60.51, SCO60.65

BSSC Standards

NOS-03, NOS-10, GSP-08

SEC Custody (Digital Assets)

SEC-CD-07

ISO 17799 (legacy)

10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1

COBIT 4.1 (legacy)

None.