ISO/IEC 27001 Control 8.8: Management of technical vulnerabilities

Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.

MidPoint's contribution to implementation of this control is marginal.

Implementation of the control is mostly outside the scope of identity governance and administration (IGA), therefore midPoint cannot provide significant advantage. However, midPoint can still provide minor supporting information and functionality.

MidPoint has some functionalities to support policies related to vulnerability management.

Application inventory can be managed in midPoint, providing information that acts as an inventory of assets. MidPoint can manage roles and responsibilities with respect to application inventory, making sure that every application has an active owner, identifying applications without owners. Role-based access control (RBAC) can be used to make sure all roles and responsibilities are properly assigned to active users. E.g. midPoint can make sure that mail distribution list acting as public point of contact for vulnerability reporting has at least one active member at all times. Policy rules may be used to make sure applications without owners are reported in dashboards, as well responsibilities that are not properly staffed.

While midPoint cannot directly take place in vulnerability management, it provides interesting supporting capabilities for vulnerability management policies.