CIS Logo
tagline: Confidence in the Connected World
HomeCIS ControlsCIS Control 3: Continuous Vulnerability Management

CIS Controls™

Young men working on a computer

CIS Control 3

Continuous Vulnerability Management

Key Principle:

Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Why is this CIS Control critical?

Cyber defenders must operate in a constant stream of new information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity, requiring significant time, attention, and resources.

Attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation. For example, when researchers report new vulnerabilities, a race starts among all parties, including: attackers (to “weaponize”, deploy an attack, exploit); vendors (to develop, deploy patches or signatures and updates), and defenders (to assess risk, regression-test patches, install).

Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised. Defenders face particular challenges in scaling remediation across an entire enterprise, and prioritizing actions with conflicting priorities, and sometimes-uncertain side effects.

Main Points:
  • Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
  • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

See the full text of this CIS Control and the other 20 CIS Controls

Secure Your Organization Against the Most Common Attack Vectors

Download:

Arrow All 20 CIS Controls

Developed, validated and prioritized by a volunteer community of cybersecurity experts.