Vulnerabilities and Your Risk Ranking System
PCI Requirement 11.2.1 states, “Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all ‘high risk’ vulnerabilities are resolved in accordance with the entity’s vulnerability ranking.” Remember the risk ranking system you created for PCI Requirement 6.1? This comes back into play for PCI Requirement 11.2.1. This risk ranking system gives you the ability to identify, prioritize, and address high risk vulnerabilities more quickly and reduce the likelihood that they will be exploited. The vulnerabilities that you find from vulnerability scans will also be useful information for your risk ranking system.
Vulnerability scans can be automated or manual, but they should always be performed by qualified individuals who are reasonably independent of the system components being scanned.
PCI Requirement 11.2.1 says that you have to perform quarterly vulnerability scans within your environment. These scans that are performed need to be done by somebody that has organizational independence and knows what they are doing because they have been trained on how to perform these scans. When you run these scans, it is likely that you are going to identify vulnerabilities. What we expect is that you feed that information back into PCI Requirement 6.1, which is your vulnerability identification and risk-ranking program. Where you have identified a vulnerability, you have risk-ranked it, and it is high in your environment, so we expect you to take corrective actions to fix that and address those vulnerabilities before the next scan.