ISO/IEC 27001 Control 8.8: Management of technical vulnerabilities
Control
Information about technical vulnerabilities of information systems in use should be obtained, the organization’s exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.
Necessity of MidPoint
MidPoint's contribution to implementation of this control is marginal.
Implementation of the control is mostly outside the scope of identity governance and administration (IGA), therefore midPoint cannot provide a significant advantage. However, midPoint can still provide minor supporting information and functionality.
Implementation Overview
MidPoint has some functionalities to support policies related to vulnerability management.
Implementation Details
Application inventory can be managed in midPoint, providing information that acts as an inventory of assets. MidPoint can manage roles and responsibilities with respect to the application inventory, making sure that every application has an active owner and identifying applications without owners. Role-based access control (RBAC) can be used to make sure all roles and responsibilities are assigned to active users. For example, midPoint can make sure that a mail distribution list acting as the public point of contact for vulnerability reporting has at least one active member at all times. Policy rules may be used to make sure that applications without owners, as well as responsibilities that are not properly staffed, are reported in dashboards.
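The ownership check described above, expressed as a midPoint policy rule. This is an added example, not configuration from the page or from the midPoint project; the element names (policyRule, policyConstraints, minAssignees, multiplicity, relation, policySituation, policyActions, record) are taken from the midPoint policy-rule schema as recalled here and should be verified against the schema of the deployed midPoint version. The role name and the policy situation URI are constructed placeholders. The same rule, with the default relation instead of org:owner, covers the vulnerability-reporting distribution list that must keep at least one member.

```xml
<!-- Added example, not from the page or the midPoint project: a role that
     represents one application in the inventory. The policy rule is violated
     whenever fewer than one user holds the role with the owner relation, and
     the violation is recorded as a policy situation on the role so that a
     dashboard can list every application currently without an owner.
     Element names follow the midPoint policy-rule schema as recalled by the
     editor; the role name and situation URI are constructed placeholders. -->
<role xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
      xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3">
    <name>Application: Payroll System (constructed example)</name>
    <!-- A policy rule placed in the role's own assignment applies to the role
         object itself; a rule placed in an inducement would apply to the
         users holding the role instead. -->
    <assignment>
        <policyRule>
            <name>application-must-have-owner</name>
            <policyConstraints>
                <!-- Minimum number of assignees holding this role with the
                     org:owner relation. Fewer than one owner is a violation. -->
                <minAssignees>
                    <multiplicity>1</multiplicity>
                    <relation>org:owner</relation>
                </minAssignees>
            </policyConstraints>
            <!-- Situation identifier (constructed URI) stored on the role while
                 the violation persists; an object collection filtering on this
                 value feeds the "applications without owner" dashboard widget. -->
            <policySituation>http://example.com/situations#application-without-owner</policySituation>
            <policyActions>
                <!-- Record the situation rather than block the change, so the
                     gap is visible in reporting but does not stop provisioning. -->
                <record/>
            </policyActions>
        </policyRule>
    </assignment>
</role>
```

Whether an owner whose user account has been deactivated still counts towards the minimum depends on how the deployed midPoint version evaluates assignee constraints; that is an assumption to confirm in a test environment before relying on the dashboard to surface applications whose only owner has left the organization.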
Rationale
While midPoint cannot directly take part in vulnerability management, it provides useful supporting capabilities for vulnerability management policies.
Related Features
Related Controls
- ISO/IEC 27001 5.2: Information security roles and responsibilities
- ISO/IEC 27001 5.9: Inventory of information and other associated assets
- ISO/IEC 27001 5.20: Addressing information security within supplier agreements
- ISO/IEC 27001 5.26: Response to information security incidents
- ISO/IEC 27001 8.19: Installation of software on operational systems