To effectively manage technical vulnerabilities, an organization keep a relevant inventory of its assets, including software vendor, names, version numbers, and deployment state. Organizations should also define roles and responsibilities for vulnerability management, identify relevant information resources, require vulnerability reporting from suppliers, and use suitable vulnerability detection tools. Procedures and capabilities should be developed to detect vulnerabilities and receive reports, and a public contact should be established for reporting issues. Analyzing technical vulnerabilities should involve analysing and verifying reports, identifying varied risks and actions, implementing software updates, and addressing high-risk systems first. Other controls may be used if updates cannot be installed, and for acquired software, automatic updates may be used if available.
Conformance1
Tools for conforming to standards, goals and processes
