VPM — Vulnerability & Patch Management
33 controls in the Vulnerability & Patch Management domain
VPM-01 Vulnerability & Patch Management Program (VPMP)
VPM-01.1 Attack Surface Scope
VPM-02 Vulnerability Remediation Process
VPM-03 Vulnerability Ranking
VPM-03.1 Vulnerability Exploitation Analysis
VPM-04 Continuous Vulnerability Remediation Activities
VPM-04.1 Stable Versions
VPM-04.2 Flaw Remediation with Personal Data (PD)
VPM-04.3 Deferred Patching Decisions
VPM-05 Software & Firmware Patching
VPM-05.1 Centralized Management of Flaw Remediation Processes
VPM-05.2 Automated Remediation Status
VPM-05.3 Time To Remediate / Benchmarks For Corrective Action
VPM-05.4 Automated Software & Firmware Updates
VPM-05.5 Removal of Previous Versions
VPM-05.6 Pre-Deployment Patch Testing
VPM-05.7 Out-of-Cycle Patching
VPM-05.8 Software Patch Integrity
VPM-06 Vulnerability Scanning
VPM-06.1 Update Tool Capability
VPM-06.2 Breadth / Depth of Coverage
VPM-06.3 Privileged Access
VPM-06.4 Trend Analysis
VPM-06.5 Review Historical event logs
VPM-06.6 External Vulnerability Assessment Scans
VPM-06.7 Internal Vulnerability Assessment Scans
VPM-06.8 Acceptable Discoverable Information
VPM-06.9 Correlate Scanning Information
VPM-07 Penetration Testing
VPM-07.1 Independent Penetration Agent or Team
VPM-08 Technical Surveillance Countermeasures Security
VPM-09 Reviewing Vulnerability Scanner Usage
VPM-10 Red Team Exercises