ISM-1163

Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least fortnightly
• conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
• analysing identified vulnerabilities to determine their potential impact
• implementing mitigations based on risk, effectiveness and cost.
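The cadences in the control (fortnightly scans, assessment or penetration test before each release and at least annually thereafter) can be tracked mechanically. The following checker is an added illustration, not part of the ISM; the record layout and the sample inventory are constructed for the example.

```python
from datetime import date, timedelta

SCAN_INTERVAL = timedelta(days=14)         # "at least fortnightly"
ASSESSMENT_INTERVAL = timedelta(days=365)  # "at least annually thereafter"

def check_system(record: dict, today: date) -> list[str]:
    """Return the ISM-1163 cadence requirements a system fails (empty list = compliant).
    Record layout is constructed for this example:
      last_scan:    date of the latest vulnerability scan, or None
      deployments:  list of {"deployed": date, "assessed": date | None},
                    one entry per release (initial deployment and each significant change)
      periodic:     dates of standalone annual assessments / penetration tests
    """
    findings = []
    last_scan = record.get("last_scan")
    if last_scan is None or today - last_scan > SCAN_INTERVAL:
        findings.append("scan: no vulnerability scan within the last 14 days")
    assessments = list(record.get("periodic", []))
    for event in record["deployments"]:
        assessed = event.get("assessed")
        # An assessment only satisfies "prior to deployment" if it predates the release.
        if assessed is None or assessed > event["deployed"]:
            findings.append(f"assessment: release on {event['deployed']} not assessed prior to deployment")
        else:
            assessments.append(assessed)
    if not assessments or today - max(assessments) > ASSESSMENT_INTERVAL:
        findings.append("assessment: no assessment or penetration test within the last year")
    return findings

# Constructed sample inventory (hypothetical systems, not real ones).
SAMPLE_SYSTEMS = {
    "payroll": {
        "last_scan": date(2024, 2, 20),
        "deployments": [{"deployed": date(2023, 6, 1), "assessed": date(2023, 5, 20)}],
    },
    "web-portal": {
        "last_scan": date(2024, 2, 1),
        "deployments": [
            {"deployed": date(2023, 1, 10), "assessed": date(2023, 1, 5)},
            {"deployed": date(2024, 1, 15), "assessed": None},  # significant change, never tested
        ],
    },
}

def report(today: date) -> dict[str, list[str]]:
    return {name: check_system(rec, today) for name, rec in SAMPLE_SYSTEMS.items()}

if __name__ == "__main__":
    for name, findings in report(date.today()).items():
        print(name, "compliant" if not findings else findings)
```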

Topic: Continuous monitoring plan
Applicable to: all
Priority: should

History
Sep 2023
Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least fortnightly
• conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
• analysing identified vulnerabilities to determine their potential impact
• implementing mitigations based on risk, effectiveness and cost.
References to ‘security vulnerabilities’ were replaced with ‘vulnerabilities’.
Jun 2023
Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least fortnightly
• conducting vulnerability assessments and penetration tests for systems prior to deployment, including prior to deployment of significant changes, and at least annually thereafter
• analysing identified security vulnerabilities to determine their potential impact
• implementing mitigations based on risk, effectiveness and cost.
The existing control relating to the development of a continuous monitoring plan for systems was amended to reflect that vulnerability scanning activities for systems should be undertaken at least fortnightly, as per the Essential Eight Maturity Model, and that both vulnerability assessments and penetration tests should be undertaken prior to the deployment of systems, including prior to the deployment of significant changes, as per control ISM-0911, which was previously partly merged into control ISM-1163.
Mar 2023
Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least monthly
• conducting vulnerability assessments or penetration tests for systems at least annually
• analysing identified security vulnerabilities to determine their potential impact
• implementing mitigations based on risk, effectiveness and cost.
An existing control relating to continuous monitoring plans was amended such that mitigations for identified security vulnerabilities are implemented based on risk, effectiveness and cost considerations.
Dec 2021
Systems have a continuous monitoring plan that includes:
• conducting vulnerability scans for systems at least monthly
• conducting vulnerability assessments or penetration tests for systems at least annually
• analysing identified security vulnerabilities to determine their potential impact
• using a risk-based approach to prioritise the implementation of mitigations based on effectiveness and cost.
Miscellaneous changes were made to rationale and security controls throughout the publication. This included:
• A review from the Using the Information Security Manual chapter through to the Guidelines for Media chapter.
• Security controls suitable for all audiences have been identified with the ‘All’ applicability marking while additional security controls suitable for just government audiences have been identified with the O, P, S and TS applicability markings.
• Security controls suitable for specific classifications have been amended to include their classification(s) in the wording of the security controls to reduce the reliance on applicability markings to confer suitability.
• Tables in security controls have been converted into prose to allow for inclusion in the SSP annex template and the XML list of security controls.
• The use of ‘official’ and ‘highly classified’ terminology has been replaced with specific classifications to remove ambiguity.
• Security controls relating to high assurance ICT equipment have had their applicability narrowed to ‘S, TS’ reflecting that they are intended for the protection of SECRET and TOP SECRET systems and data.
May 2020
Systems have a continuous monitoring plan that includes:
• conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities
• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations.
Security control 1163 was modified to align language with security controls 0041 and 0043.
Apr 2020
A Continuous Monitoring Plan is developed and implemented that includes:
• conducting vulnerability assessments, vulnerability scans and penetration tests for systems at least annually throughout their life cycle to identify security vulnerabilities
• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations.
Security control 1163 was modified to refer to a ‘Continuous Monitoring Plan’. This brings the system-specific security documentation content into line with the ‘monitor the system’ step of the Risk Management Framework. Note, management of security vulnerabilities is covered by the ‘Plan of Action and Milestones’ for the system.
Mar 2020
A vulnerability management policy is developed and implemented that includes:
• conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities
• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations.
Aug 2019
A vulnerability management policy is developed and implemented that includes:
• conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities
• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations.
Security control 1163 was modified to refer to a vulnerability management policy rather than vulnerability management strategies.
Jul 2019
A vulnerability management strategy is developed and implemented that includes:
• conducting vulnerability assessments and penetration tests for systems throughout their life cycle to identify security vulnerabilities
• analysing identified security vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations or treatments
• monitoring information on new or updated security vulnerabilities in operating systems, software and ICT equipment as well as other elements which may adversely impact the security of a system.
2015
Agencies should implement a vulnerability management strategy by:
• conducting vulnerability assessments on systems throughout their life cycle to identify vulnerabilities
• analysing identified vulnerabilities to determine their potential impact and appropriate mitigations or treatments based on effectiveness, cost and existing security controls
• using a risk-based approach to prioritise the implementation of identified mitigations or treatments
• monitoring new information on new or updated vulnerabilities in operating systems, software and devices as well as other elements which may adversely impact on the security of a system.