CCI-002375

Implementation Guidance

Determine if: - information about the system is discoverable. - [RA-05(04)_ODP; corrective actions to be taken if information about the system is discoverable are defined] are taken when information about the system is confirmed as discoverable.

Validation Procedures

Examine: [SELECT FROM: Procedures addressing vulnerability scanning; assessment report; penetration test results; vulnerability scanning results; risk assessment report; records of corrective actions taken; incident response records; audit records; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with vulnerability scanning and/or penetration testing responsibilities; organizational personnel with vulnerability scan analysis responsibilities; organizational personnel responsible for risk response; organizational personnel responsible for incident management and response; organizational personnel with security responsibilities]. Test: [SELECT FROM: Organizational processes for vulnerability scanning; organizational processes for risk response; organizational processes for incident management and response; mechanisms/tools supporting and/or implementing vulnerability scanning; mechanisms supporting and/or implementing risk response; mechanisms supporting and/or implementing incident management and response].