Vulnerability Management

The intent of this activity set is to help organizations develop requirements for the application and network security scanning and penetration tests offered by external security vendors. While there are a number of ways to participate in vulnerability scanning, some businesses are forced into it simply by PCI DSS requirements. PCI DSS requires payment processors to verify their customer locations and help ensure the security of credit card transactions. Other forms of vulnerability management include monitoring hardware and software for vulnerability disclosures and patching accordingly.

Each activity below is listed with its Category, Sub-Category, Name, and Activity description.

Category: Vulnerability Management
Sub-Category: Production Scanning
Name: Vulnerability Scans
Activity: [The organization] conducts vulnerability scans against the production environment; scan tools are updated prior to running scans.

Category: Vulnerability Management
Sub-Category: Production Scanning
Name: Vulnerability Assessment: Cardholder Data Environment
Activity: Vulnerability scans are conducted against cardholder environments [in accordance with the organization-defined frequency] or after significant change; critical vulnerability resolution is confirmed via a rescan.

Category: Vulnerability Management
Sub-Category: Production Scanning
Name: Approved Scanning Vendor
Activity: [In accordance with the organization-defined frequency], [the organization] engages an Approved Scanning Vendor to conduct external vulnerability scans.

Category: Vulnerability Management
Sub-Category: Penetration Testing
Name: Application Penetration Testing
Activity: [The organization] conducts penetration tests according to the service risk rating assignment.

Category: Vulnerability Management
Sub-Category: Penetration Testing
Name: Penetration Testing: Cardholder Data Environment
Activity: [The organization] conducts penetration tests against cardholder data environments (CDE) and includes the following requirements:
• testing covers the entire CDE perimeter and critical data systems
• testing verifies that CDE perimeter segmentation is operational
• testing is performed from both inside and outside the CDE network
• testing validates segmentation and scope reduction controls (e.g., tokenization processes)
• network layer penetration tests include components that support network functions as well as operating systems
• at the application level, testing provides coverage, at a minimum, against the security testing requirements defined in "Code Security Check: Cardholder Data Environment"
• testing is performed with consideration of threats verified [in accordance with the organization-defined frequency] from external alerts, directives, and advisories defined in "External Alerts and Advisories"
• testing is performed with consideration of vulnerabilities reported through [the organization's] PSIRT process [in accordance with the organization-defined frequency]
• risk ratings are assigned to discovered vulnerabilities, which are tracked through remediation

Category: Vulnerability Management
Sub-Category: Patch Management
Name: Infrastructure Patch Management
Activity: [The organization] installs security-relevant patches, including software or firmware updates; identified end-of-life software must have a documented decommission plan in place before the software is removed from the environment.

Category: Vulnerability Management
Sub-Category: Malware Protection
Name: Enterprise Antivirus
Activity: If applicable, [the organization] has managed enterprise antivirus deployments and ensures the following:
• signature definitions are updated
• full scans are performed [in accordance with the organization-defined frequency] and real-time scans are enabled
• alerts are reviewed and resolved by authorized personnel

Category: Vulnerability Management
Sub-Category: Malware Protection
Name: Enterprise Antivirus Tampering
Activity: Antivirus mechanisms cannot be disabled or altered by users unless specifically authorized by management.

Category: Vulnerability Management
Sub-Category: Code Security
Name: Code Security Check
Activity: [In accordance with the organization-defined frequency], [the organization] conducts source code checks for vulnerabilities according to the service risk rating assignment.

Category: Vulnerability Management
Sub-Category: Code Security
Name: Code Security Check: Cardholder Data Environment
Activity: Where applicable, security testing performed prior to releasing code into production includes the following:
• code injection
• buffer overflows
• insecure cryptographic storage
• insecure communications
• improper error handling
• high-risk vulnerabilities
• cross-site scripting
• improper access control
• cross-site request forgery
• broken authentication and session management

Category: Vulnerability Management
Sub-Category: External Advisories and Inquiries
Name: External Information Security Inquiries
Activity: [The organization] reviews information-security-related inquiries, complaints, and disputes.

Category: Vulnerability Management
Sub-Category: External Advisories and Inquiries
Name: External Alerts and Advisories
Activity: [The organization] reviews alerts and advisories from management-approved security forums and communicates verified threats to authorized personnel.

Category: Vulnerability Management
Sub-Category: Program Management
Name: Vulnerability Remediation
Activity: [The organization] assigns a risk rating to identified vulnerabilities and prioritizes remediation of legitimate vulnerabilities according to the assigned risk.