"Most audits that I went through, including PCI, required the organization to define their risk tolerance in a security policy and then the org needed to adhere to it. At my prior job, we had a Vulnerability Management policy and we embedded the Kenna risk scores in it and defined an SLA for certain scores. If we did not do that then we would have to follow whatever the CVSS requirement was by the regulator. Audits actually became much easier with Kenna because using the risk based methodology is better in the long run."
- Katie Conners, Kenna CSE and former Fortune 500 Vulnerability Program Manager
Many customers approach PCI compliance believing that the PCI guide provides a set of hard and fast rules, but in reality they are recommendations which offer a starting point. Using the Cisco Vulnerability Management scoring methodology for PCI Compliance will help you meet your compliance obligations more quickly and efficiently.
From the PCI guide:
“All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS. The PCI DSS assessment should verify the PA-DSS validated payment application is properly configured and securely implemented per PCI DSS requirements. If the payment application has undergone any customization, a more in-depth review will be required during the PCI DSS assessment, as the application may no longer be representative of the version that was validated to PA-DSS.”
https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v3.1.pdf?agreement=true&time=1554397087115
The first thing to keep in mind is that PCI compliance is asset-based, not vulnerability-based, meaning it is focused on remediating the vulnerabilities found on assets which fall under the PCI purview. Therefore, the first step in meeting PCI compliance is determining which assets are in scope. Next, as a company, you must adopt a remediation policy that will satisfy auditors. The PCI guide uses the CVSS scoring system as one basis for building remediation policies. It suggests that scores of CVSS 4 and above are considered a PCI “fail” and require fixing, but customers have the choice to create a policy that uses a different scoring methodology and this is where the Cisco Vulnerability Management scoring methodology will greatly help out.
Cisco Vulnerability Management uses real-time intelligence to predict the likelihood of exploitation and, with this data, helps you prioritize the vulnerabilities that are actually risky. CVSS only measures severity, so there are many more vulnerabilities with a CVSS v2 score of 4+ than there are in the equivalent range of the Cisco Vulnerability Management score. Cisco Vulnerability Management uses a 100-point scale, so you can compare the difference in your own platform by checking the vulnerability count for CVSS 4-10 and then checking the count for a Cisco Vulnerability Management score of 40-100. There will be even more vulnerabilities to remediate if you use CVSS v3 (see "CVSS3: When Every Vulnerability Appears To Be High Priority").
Customers can and do implement remediation policies using Cisco Vulnerability Management scoring. However, the phrase "PCI Compliance" should be reserved for PCI Qualified Security Assessors (QSAs). Cisco can provide guidance on how to use Cisco Vulnerability Management for PCI compliance, but Cisco is not in a position to guarantee compliance, as that depends on your organization's policy and actions. Cisco Vulnerability Management lives in PCI DSS Requirement #6, and there are many requirements that need to be met in order to receive a clean Report On Compliance (ROC). Customers choosing to use the Cisco Vulnerability Management scoring methodology for PCI compliance will need to follow the steps below and document their decision. This documentation becomes supporting evidence for your answers to a QSA about your chosen risk methodology, vulnerability scoring and risk tolerance.
- Determine which assets are in scope
  - Are they sufficiently segregated, or do you have a flat network?
- Decide on the risk methodology you will use and create a documented and approved policy
  - Will you use the Cisco Vulnerability Management score? What is the lowest Cisco Vulnerability Management score you will require fixing to be compliant?
  - Will you stick with the CVSS score? Reporting and Top Fixes in Cisco Vulnerability Management will not function with this methodology because they are based on the Cisco Vulnerability Management score, but you can still group the assets in scope for PCI.
- Identify PCI assets in Cisco Vulnerability Management with tags from your scanning or asset management tool
- Create a risk meter in Cisco Vulnerability Management for those assets based on how you identify them
- Require patching based on your risk score methodology (what is the lowest score you require fixing?)
- Create SLA rules to assist with enforcing the patching policy in line with PCI remediation guidelines
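As an added illustration (not code from the article or from the Cisco Vulnerability Management product), the steps above expressed as a small policy check: scope findings by asset tag, compare what fails under the CVSS 4.0 floor versus a 40-out-of-100 risk score floor, and flag findings whose SLA has lapsed. The field names, the SLA bands, the audit date and the findings themselves are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:                  # field names are assumptions, not the product's export format
    asset: str
    tags: frozenset             # tags imported from the scanner or asset inventory
    vuln: str                   # constructed label, not a real CVE id
    cvss: float                 # CVSS base score, 0-10
    risk_score: int             # Cisco Vulnerability Management score, 0-100
    first_seen: date

PCI_TAG = "pci"       # tag that marks an asset as in PCI scope
CVSS_FAIL = 4.0       # PCI ASV guidance: CVSS 4.0 and above is a fail
RISK_FAIL = 40        # the policy's chosen floor on the 100-point scale
SLA_DAYS = [(90, 7), (67, 30), (RISK_FAIL, 90)]   # constructed bands: (min score, days to fix)
FAIL_RULES = {"cvss": lambda f: f.cvss >= CVSS_FAIL, "risk": lambda f: f.risk_score >= RISK_FAIL}
AS_OF = date(2024, 4, 1)      # constructed audit date

# Constructed findings: two PCI assets plus one corporate asset that is out of scope
FINDINGS = [
    Finding("pos-gw-01", frozenset({"pci", "cde"}), "vuln-1", 4.3, 12, date(2024, 1, 10)),
    Finding("pos-gw-01", frozenset({"pci", "cde"}), "vuln-2", 9.8, 91, date(2024, 3, 1)),
    Finding("db-card-02", frozenset({"pci"}), "vuln-3", 5.0, 45, date(2024, 3, 20)),
    Finding("db-card-02", frozenset({"pci"}), "vuln-4", 3.5, 8, date(2024, 2, 1)),
    Finding("hr-web-01", frozenset({"corp"}), "vuln-5", 7.5, 80, date(2024, 1, 5)),
]

def in_scope(findings, tag=PCI_TAG):
    # Step 1: PCI is asset-based, so filter to tagged assets before scoring anything
    return [f for f in findings if tag in f.tags]

def failing(findings, method):
    # Step 2: the findings the chosen methodology says must be fixed
    return [f for f in findings if FAIL_RULES[method](f)]

def sla_days(score):
    # Days the policy allows for this score; None means it is below the remediation floor
    return next((days for floor, days in SLA_DAYS if score >= floor), None)

def overdue(findings, today=AS_OF):
    # Step 3: findings whose SLA window has already elapsed on the given date
    return [f.vuln for f in findings
            if sla_days(f.risk_score) is not None
            and f.first_seen + timedelta(days=sla_days(f.risk_score)) < today]

def evidence(findings):
    # The comparison the article suggests: CVSS 4-10 count versus risk score 40-100 count
    scoped = in_scope(findings)
    return {m: len(failing(scoped, m)) for m in FAIL_RULES} | {"in_scope": len(scoped)}
```

Running `evidence(FINDINGS)` on the constructed data shows the effect the article describes: three in-scope findings fail under CVSS but only two under the risk score, and `overdue(in_scope(FINDINGS))` names just the high-score finding whose 7-day window has passed.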