PCI DSS FAQ - Payment Card Industry (PCI) Data Security Standard Discussion Forum  


[PCI-DSS] Requirement 6: Develop and maintain secure systems and applications

Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor-provided security patches. All systems must have the most recently released, appropriate software patches to protect against exploitation by employees, external hackers, and viruses. Note: Appropriate software patches are those patches that have been evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For in-house developed applications, numerous vulnerabilities can be avoided by using standard system development processes and secure coding techniques.

#1
03-18-2007, 03:01 AM
admin
Administrator
Join Date: Jul 2002
Posts: 229
[PCI-DSS] 6.2 Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.

6.2.a Interview responsible personnel to verify that processes are implemented to identify new security vulnerabilities.

6.2.b Verify that processes to identify new security vulnerabilities include using outside sources for security vulnerability information and updating the system configuration standards reviewed in Requirement 2.2 as new vulnerability issues are found.
#2
01-11-2010, 11:56 AM
briant97
Junior Member
Join Date: Jan 2010
Posts: 1

What are some recommended lists for meeting part of this requirement?

#3
03-16-2010, 10:41 AM
Roger Nebel
Moderator
Join Date: Mar 2007
Posts: 43

The exact list you might use is going to be highly specific to your infrastructure, environment, architecture, internal resources, etc. A good starting point might be CERT and securityfocus, but by no means is this comprehensive. Both of these places will refer to their own information resources, and you should follow those leads. You should also study the sources used by your anti-malware vendors. There is a wealth of information available from multiple sources: web sites, RSS feeds, listservs, and commercial vendors. The point is to do something to stay informed.
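One concrete shape for the process 6.2 asks for, as an added example that is not from the original posts: a small Python script that parses a vulnerability RSS feed and matches each advisory against an inventory mapping software to in-scope hosts and to the configuration standards from Requirement 2.2, so the standards that need review are flagged. The feed contents, host names and standard identifiers below are constructed; a real run would pull feeds from sources such as those the moderator names.

```python
"""Match advisories from a vulnerability RSS feed against an asset inventory
so that affected Requirement 2.2 configuration standards get reviewed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample feed standing in for a real advisory feed (CERT, vendor, etc.).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example advisories (constructed)</title>
<item><title>Apache HTTP Server 2.2.x: remote denial of service</title>
<link>https://example.invalid/adv/1</link><pubDate>Mon, 15 Mar 2010 10:00:00 GMT</pubDate>
<description>Affects Apache httpd 2.2.0 through 2.2.14.</description></item>
<item><title>OpenSSL 0.9.8 renegotiation issue</title>
<link>https://example.invalid/adv/2</link><pubDate>Tue, 16 Mar 2010 09:00:00 GMT</pubDate>
<description>Affects OpenSSL 0.9.8 before 0.9.8m.</description></item>
<item><title>Some other product issue</title>
<link>https://example.invalid/adv/3</link><pubDate>Tue, 16 Mar 2010 11:00:00 GMT</pubDate>
<description>Unrelated to this inventory.</description></item>
</channel></rss>"""

# Constructed inventory: product keyword -> (host, configuration standard document).
# Real inventories would also carry versions so the reviewer can rule out non-affected builds.
INVENTORY = {
    "apache": [("web01", "STD-WEB-01")],
    "openssl": [("web01", "STD-WEB-01"), ("vpn01", "STD-NET-03")],
}

def parse_feed(xml_text):
    """Return each RSS <item> as a dict with title, link, date and description."""
    root = ET.fromstring(xml_text)
    return [{
        "title": item.findtext("title", ""),
        "link": item.findtext("link", ""),
        "date": item.findtext("pubDate", ""),
        "description": item.findtext("description", ""),
    } for item in root.iter("item")]

def match_advisories(advisories, inventory):
    """Return (advisory title, host, standard, link) for every advisory whose text
    mentions an inventoried product; whole-word match avoids hits like 'apache' in 'apachectl'."""
    hits = []
    for adv in advisories:
        text = (adv["title"] + " " + adv["description"]).lower()
        for keyword, systems in inventory.items():
            if re.search(r"\b" + re.escape(keyword) + r"\b", text):
                hits.extend((adv["title"], host, std, adv["link"]) for host, std in systems)
    return hits

if __name__ == "__main__":
    for title, host, std, link in match_advisories(parse_feed(SAMPLE_FEED), INVENTORY):
        print(f"REVIEW {std} on {host}: {title} ({link})")
```

Each flagged line is a prompt to evaluate the advisory against that host and, where it applies, to update the referenced configuration standard and schedule the patch.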
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest ©1997 - 2010 by PCIDSSFAQ.ORG, except where noted otherwise.
Powered by vBulletin, Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.