CMMC Level 2

Control 3.11.3

Remediate Vulnerabilities in Accordance with Risk Assessments


Official Requirement

Remediate vulnerabilities in accordance with assessments of risk.

What This Means in Plain English

Discovered vulnerabilities must be fixed based on their risk level. Critical vulnerabilities need immediate attention, while lower-risk issues can be scheduled for regular patching cycles. You need a process for prioritizing and tracking remediation.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Risk-based vulnerability remediation SLAs: Critical (48 hours), High (7 days), Medium (30 days), Low (90 days)
  • Patch management process aligned with vulnerability scan findings
  • Microsoft WSUS and Intune deploying patches within SLA timeframes
  • Compensating controls documented when immediate remediation is not feasible
  • ComplianceArmor tracking vulnerability remediation status against SLA targets
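The SLA tiers above turn into a simple check that flags what an assessor will look for: each finding gets a due date from its severity, and an open finding past that date is a gap unless a compensating control is on record. This is an added illustration, not Petronella's or ComplianceArmor's code; the finding fields and sample dates are constructed for the example.

```python
from datetime import date, timedelta

# Remediation windows from the SLA tiers above, in days from discovery
# (Critical 48 hours = 2 days).
SLA_DAYS = {"Critical": 2, "High": 7, "Medium": 30, "Low": 90}

# Constructed sample findings, shaped like a normalised scanner export.
# Field names are an assumption for this example.
FINDINGS = [
    {"id": "F-1", "severity": "Critical", "discovered": date(2024, 3, 1),
     "closed": date(2024, 3, 2), "compensating_control": None},
    {"id": "F-2", "severity": "Critical", "discovered": date(2024, 4, 10),
     "closed": None, "compensating_control": None},
    {"id": "F-3", "severity": "Medium", "discovered": date(2024, 3, 1),
     "closed": None,
     "compensating_control": "Host isolated by firewall rule; documented in risk register"},
    {"id": "F-4", "severity": "Low", "discovered": date(2024, 1, 1),
     "closed": date(2024, 4, 5), "compensating_control": None},
]

def due_date(finding):
    """Deadline derived from the severity tier and the discovery date."""
    return finding["discovered"] + timedelta(days=SLA_DAYS[finding["severity"]])

def remediation_status(finding, today):
    """Classify one finding against its SLA the way an assessor would."""
    due = due_date(finding)
    closed = finding["closed"]
    if closed is not None:
        return "closed-in-sla" if closed <= due else "closed-late"
    if today > due:
        # Past deadline: acceptable only if a compensating control is documented.
        return "deferred-compensating-control" if finding["compensating_control"] else "OVERDUE"
    return "open-in-sla"

def sla_report(findings, today):
    """Map finding id to status; any 'OVERDUE' entry is an assessment gap."""
    return {f["id"]: remediation_status(f, today) for f in findings}

if __name__ == "__main__":
    for fid, status in sla_report(FINDINGS, date(2024, 4, 15)).items():
        print(fid, status)
```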

Assessment Guidance

Assessors will review vulnerability remediation timelines against defined SLAs, verify that critical and high vulnerabilities are prioritized, check that compensating controls exist for unpatched vulnerabilities, and confirm that remediation is tracked to closure.

Common Implementation Gaps

  • No defined remediation timelines or SLAs
  • Critical vulnerabilities left unpatched for months
  • No tracking of vulnerability remediation progress
  • Patches applied without prioritization based on risk
  • No compensating controls for vulnerabilities that cannot be immediately patched

Cross-Framework Mapping

Framework       | Mapped Controls
NIST SP 800-53  | RA-5
PCI DSS         | Req 6.2 - Protect all system components from known vulnerabilities

Need Help Implementing 3.11.3?

Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
