Published on October 10th, 2017

PCI Requirement 6.1 – Establish a Process to Identify Security Vulnerabilities

Learn more at https://kirkpatrickprice.com/video/pci-requirement-6-1-establish-process-identify-security-vulnerabilities/
PCI Requirement 6.1 states, “Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.” The purpose of PCI Requirement 6.1 is to ensure that your organization stays current with new vulnerabilities that could impact your environment. Assessors need to see that you have a process in place to identify security vulnerabilities. When working toward compliance with PCI Requirement 6.1, we recommend taking it in three steps: receiving notification of security vulnerabilities, risk-ranking those vulnerabilities and their patches, and then implementing the security patches.
We recommend that you subscribe to a third party for notifications of security vulnerabilities. The PCI DSS states, “Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing lists, or RSS feeds.” When relying on a vendor such as Microsoft, Oracle, or a Linux distribution, it’s important to note that they do not publicly disclose security vulnerabilities within their software until a security patch is available. If you use a service such as Secunia, you could learn about a security vulnerability earlier and have an opportunity to address it, instead of leaving your system exposed in the meantime.
Once you’ve identified a security vulnerability or a manufacturer’s patch, you need to rank that risk. The PCI DSS explains, “Classifying the risks as ‘high,’ ‘medium,’ or ‘low’ allows organizations to identify, prioritize, and address the highest risk items more quickly and reduce the likelihood that vulnerabilities posing the greatest risk will be exploited.” We recommend the Common Vulnerability Scoring System (CVSS). Vulnerabilities and patches, once identified, are given a score between 1 and 10, 1 being “informational” and 10 being “needs to be addressed immediately.” Most vulnerabilities today are published with a CVSS score. Risk ranking is incredibly important because it gives your organization the chance to consider how a vulnerability or patch would affect your specific environment. If the manufacturer says it’s a critical or urgent security vulnerability, it’s absolutely appropriate to accept that rating and patch immediately. However, there may be situations where a manufacturer considers a vulnerability or patch low, but once you’ve risk-ranked it within your environment, you realize it’s actually urgent or high.
The PCI DSS requires that when you have identified a critical or urgent security patch, it needs to be implemented within an appropriate period of time (most likely 30 days). An assessor will need to examine your vulnerability program, your policies and procedures, the sources that notify you of security patches, the security patches on your system and applications, then compare all of that to your current patch level to discover if any additional patches need to be installed.
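As an added illustration (not code from the video or from KirkpatrickPrice), the three steps above as a small Python tracker: constructed feed entries are risk-ranked from their CVSS score with an environment-specific floor, compared against installed versions to find missing patches, and given an SLA deadline. The feed entries, inventory, rank thresholds and the windows for non-high items are assumptions; only the 30-day window for critical/urgent patches comes from the text.

```python
from datetime import date, timedelta

# Constructed sample notification feed entries (not real advisories; ids are placeholders).
FEED = [
    {"id": "ADV-0001", "product": "webapp",   "cvss": 9.8, "fixed_in": "2.4.1", "published": "2017-09-15"},
    {"id": "ADV-0002", "product": "dbserver", "cvss": 3.1, "fixed_in": "11.2",  "published": "2017-09-20"},
    {"id": "ADV-0003", "product": "webapp",   "cvss": 5.0, "fixed_in": "2.4.0", "published": "2017-08-01"},
]
# Constructed inventory of what is actually installed (the "current patch level").
INSTALLED = {"webapp": "2.4.0", "dbserver": "11.1"}
# Assumed internal policy: a product that stores cardholder data is ranked at least "high",
# even when the vendor or CVSS rating alone would call the item "low".
FLOOR_BY_PRODUCT = {"dbserver": "high"}
LEVELS = ["low", "medium", "high"]
# 30 days for high/critical items is from the text; the other windows are assumed policy values.
SLA_DAYS = {"high": 30, "medium": 90, "low": 180}

def cvss_rank(score):
    """Map a CVSS score to the PCI DSS high/medium/low buckets (thresholds are an assumed policy)."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def risk_rank(entry):
    """Baseline rank from CVSS, raised to the environment-specific floor when one applies."""
    base = cvss_rank(entry["cvss"])
    floor = FLOOR_BY_PRODUCT.get(entry["product"], "low")
    return max(base, floor, key=LEVELS.index)

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def needs_patch(entry):
    """True when the installed version is older than the version that fixes the vulnerability."""
    return version_tuple(INSTALLED[entry["product"]]) < version_tuple(entry["fixed_in"])

def deadline(entry):
    """Date by which the patch must be applied, counted from the advisory's publication date."""
    return date.fromisoformat(entry["published"]) + timedelta(days=SLA_DAYS[risk_rank(entry)])

def patch_report(today_iso):
    """Outstanding patches, most urgent first, flagging those already past their SLA deadline."""
    today = date.fromisoformat(today_iso)
    rows = []
    for e in FEED:
        if not needs_patch(e):
            continue  # already at or above the fixed version: nothing to do
        due = deadline(e)
        rows.append({"id": e["id"], "rank": risk_rank(e), "due": due.isoformat(), "overdue": due < today})
    return sorted(rows, key=lambda r: (-LEVELS.index(r["rank"]), r["due"]))

if __name__ == "__main__":
    for row in patch_report("2017-10-18"):
        print(row)
```

Note that ADV-0002 carries a low CVSS score but is ranked high because of the product floor, which is exactly the "vendor says low, your environment says high" case described above.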
Stay Connected
Twitter: https://twitter.com/KPAudit
LinkedIn: https://www.linkedin.com/company/kirkpatrickprice-llc
Facebook: https://www.facebook.com/kirkpatrickprice/

More Free Resources
Blog: https://kirkpatrickprice.com/blog/
Webinars: https://kirkpatrickprice.com/webinars/
Videos: https://kirkpatrickprice.com/video/
White Papers: https://kirkpatrickprice.com/white-papers/

About Us
KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.





For more about KirkpatrickPrice: https://kirkpatrickprice.com/
Contact us today: 800-770-2701 https://kirkpatrickprice.com/contact/
