Exploitable information system weaknesses can be identified by vulnerability analyses and inform assessments and controls selection.

]]> This section covers information on conducting vulnerability assessments on systems as part of the suite of good IT governance activities.

]]> It is important that normal change management processes are followed where changes are necessary in order to address security risks identified in a vulnerability analysis.

]]> Vulnerabilities may be unintentionally introduced and new vulnerabilities are constantly identified, presenting ongoing risks to information systems security.

]]> While agencies are encouraged to monitor the public domain for information related to vulnerabilities that could affect their systems, they should not remain complacent if no specific vulnerabilities relating to deployed products are disclosed.

]]> In some cases, vulnerabilities can be introduced as a result of poor information security practices or as an unintended consequence of activities within an agency. As such, even if no new public domain vulnerabilities in deployed products have been disclosed, there is still value to be gained from regular vulnerability analysis activities.

]]> Furthermore, monitoring vulnerabilities, conducting analysis and being aware of industry and product changes and advances, including NZISM requirements, provides an awareness of other changes which may adversely impact the security risk profile of the agency’s systems.

]]> Agencies SHOULD implement a vulnerability analysis strategy by:

  • monitoring public domain information about new vulnerabilities in operating systems and application software;
  • considering the use of automated tools to perform vulnerability assessments on systems in a controlled manner;
  • running manual checks against system configurations to ensure that only allowed services are active and that disallowed services are prevented; 
  • using security checklists for operating systems and common applications; and
  • examining any significant incidents on the agency’s systems.
]]> A baseline or known point of origin is the basis of any comparison and allows measurement of changes and improvements when further information security monitoring activities are conducted.

]]> Agencies SHOULD conduct vulnerability assessments in order to establish a baseline. This SHOULD be done:

  • before a system is first used;
  • after any significant incident;
  • after a significant change to the system;
  • after changes to standards, policies and guidelines; 
  • when specified by an ITSM or system owner.
]]> Vulnerabilities may occur as a result of poorly designed or implemented information security practices, accidental activities or malicious activities, and not just as the result of a technical issue.

]]> Agencies SHOULD analyse and treat all vulnerabilities and subsequent security risks to their systems identified during a vulnerability assessment.

]]>