COI Report – Part VII Page 280 of 425

from the network, to identify additional exposures and configuration weaknesses. It checks if the host’s systems and applications are hardened effectively. Host, in this context, includes operating system, database server, firewall, router/switch, virtualisation implementation, load balancer, IDS, web proxy, web server, application server, mail server and wireless devices”; and

c) network security assessment as “a process to identify and evaluate security weaknesses of the network and the network perimeter of a computer or computer system”.
814. Under the CCoP, the concept of a vulnerability assessment on a system is therefore a broad one, requiring a thorough review of the architecture, host security and network security of the system. Against this backdrop, we turn to discuss our recommendations.
39.1.1 Vulnerability assessments must be conducted regularly and following specified events on all CII, mission-critical, and/or internet-facing systems

815. We recommend that vulnerability assessments must be conducted on all CII, mission-critical, and/or internet-facing systems:

a) prior to the commissioning of the system, or of any new system connected to the system;

b) after any major changes have been implemented to the system, such as adding application modules, system upgrades and technology refreshes, as well as after any system migration; and

c) in any event, at least annually.