Clarifying Quarterly External Scans

man looking up approved scanning vendor

Over the years I’ve worked with many clients who seem to have a strong security and compliance program. The client provides many of the key documents required for compliance; documentation for their penetration testing, risk assessments, policies and procedures. Everything seems to be going smoothly but there’s a delay while waiting for their external Approved Scanning Vendor (ASV) scan results.

After a delay of a week or two I’ll get a call from the client. “So, I’ve put together our scans and I’ve uploaded them into our evidence repository. Unfortunately, I only have two passing scans for my external devices… Is this going to be a problem?”

Generally, the answer is a resounding “Yes.”

PCI Requirement 11.2.2 is very explicit in what is required.

  • Perform quarterly external vulnerability scans via an ASV.
  • Perform rescans as needed, until passing scans are achieved.

Missing a quarter, or two, is a significant lapse in the overall vulnerability and compliance programs for an assessed entity. The Payment Card Industry Security Standards Council’s (PCI SSC) Frequently Asked Questions (FAQ) 1087 defines quarterly as “…as close to three months apart as possible.” Scans that are greater than 90 days apart, or even longer, reduce the ability of an organization to rapidly respond to and mitigate the risks of new vulnerabilities.

man looking up approved scanning vendor

A robust scanning program, as part of vulnerability management, is a process driven requirement.

Inability to perform scans demonstrates a process failure. This could be personnel-related; maybe the person responsible for scanning was sick, injured, or left the company. Maybe the organization changed their ASV vendor. There are multiple reasons why scans may not be accomplished on-time. If it happens in your organization, it’s important to focus on what caused the lapse and scan again as soon as possible.

If we pull back the curtain we usually can determine that missing scans, or scans that are more than 90 days apart, are demonstrating a reactive process. In a reactive process the scans are managed by a single point of failure and perhaps manually scheduled each quarter. Instead of being a team responsibility with multiple responsible individuals we have one person who manages the process.

man looking up approved scanning vendor

In a mature, repeatable process external vulnerability scans would be performed automatically on a more frequent basis and by a minimum of two employees.

I recommend to my clients that they run scans every 30 days. The requirement is to demonstrate passing scans every quarter but scanning more frequently will enable the business to be proactive in remediating vulnerabilities. The upcoming scans can be used as rescans in the event of a failed scan. Delegating the responsibility to a team provides redundancy in the event of a personnel issue.

For clients who have a scanning failure, it is important they perform a root cause analysis immediately and update their vulnerability management program.

They should contact their assessor company Qualified Security Assessor (QSA) and discuss the possibility of a compensating control. The organization should identify and document what mitigating controls were in-place at the time of the missing scans that be used as part of a compensating control.

Missing a scan isn’t the end of the world, or the end of the compliance journey, but it can result in a non-compliant assessment. Focusing on building robust, repeatable processes to meet the PCI requirements reduces the risk to the environment and increases the likelihood of passing the annual assessment.

____________________________________________

SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.

Contact us today for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs.

____________________________________________

qualified security assessor (QSA)
Written by Jason Likert

Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.

Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT and large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.