
Benefits of engaging a qualified security vendor

LE Global Services Sdn Bhd


The Challenge: Banks Have To Perform Vulnerabilities Assessment And PCI ASV Scanning Annually


Based on PCI DSS v.2.0 Requirements

• Requirement 11.2.2 – Quarterly vulnerability scan via Approved Scanning Vendor

• Requirement 11.2.3 – Perform Internal and External Network scanning


Scanning Not Done by Approved Scanning Vendor

Step 1. Perform Vulnerability Scanning by Vendor

Step 2. Vulnerabilities Analysis

Step 3. External Penetration Testing Report

Step 4. Perform Vulnerability Scanning by PCI ASV

Step 5. Vulnerabilities Analysis

Step 6. PCI DSS ASV Official Attestation and Scanning Reports


Disadvantages

• The Banks have to engage 2 different vendors for the same scanning.

• No cost saving or discounts

• Longer time frame, leading to higher resource cost.

• Scanning reports will have differences in terms of:
  – Formatting
  – Risk Classifications
  – Vulnerability Scoring Methods
  – Remediation Steps

• Eventually, both scannings will have:
  – No info synchronization even on the same devices
  – Difficulties in consolidating reports with different formats
  – No Quality Assurance
  – Inconsistent Terminologies Used
  – Inconsistent Risk Rating
  – Inconsistent Remediation Recommendation


The Solution

Consolidated Approach


Scanning Done By Approved Scanning Vendor

Step 1. Perform Vulnerability Scanning

Step 2. Vulnerabilities Analysis

Step 3a. External Penetration Testing Report

Step 3b. PCI DSS ASV Official Attestation and Scanning Reports


Advantages

• The Banks have to engage just 1 vendor for both scans.

• Huge cost & time saving – scans can be conducted simultaneously

• Scanning reports will be consistent in terms of:
  – Formatting
  – Risk Classifications
  – Vulnerability Scoring Methods
  – Remediation Steps

• Eventually, both scannings will have:
  – Consistent info synchronization on the same devices
  – Consistent reports even with different formats
  – Consistent Assurance
  – Consistent Terminologies Used
  – Consistent & Unified Risk Rating
  – Consistent Remediation Recommendation


The Challenge: Banks Have To Ensure Data Are Protected During Vulnerability Assessment And Penetration Testing


Confidential Data Protection

• Vendors who are ISO 27001 Certified
  – Enforce data protection standard
  – Client data protection is part of mandatory documentation controls
  – Mandatory internal audit ensures proper client information management

• Vendors who are not ISO 27001 Certified
  – No assurances on data protection
  – No assurance on sensitive client data management
  – No affirmation on internal quality control


Question: Can We Engage The Same Security Vendor Annually?


Rules of Engagement

• Bank Negara does not object to engaging the same security vendor annually.

• More importantly, consider whether the same vendor:
  – is able to provide consistent quality of support
  – is able to demonstrate a helpful attitude in every angle of engagement
  – has a solid track record with other financial institutions
  – has similar contracts signed with your peers
  – has the resources and expertise to support you in ad hoc situations


info@le-global.com

THANK YOU!  

Why use LE Global for Penetration Testing?  

Discusses the benefits of engaging a qualified PCI Approved Scanning Vendor for Vulnerabilities Scanning and Penetration Testing.
