1

My organization is going through a PCI-DSS compliance process. As part of that, we're contracting out our external and internal vulnerability scans.

The contractor is asking for admin access to our servers so they can verify that all our software and operating systems have been fully patched to the latest versions. To me, this sounds out of bounds for a vulnerability scan. But I'm also not super familiar with PCI requirements. Is this a standard part of vulnerability scanning as far as PCI is concerned?

AlexLostDba
  • 13
  • 2
  • There are many different levels of PCI compliance depending on your business needs. Can you clarify exactly what level of compliance you are trying to achieve? While we can certainly give general answers, if you want an answer more specific to PCI compliance we need to know exactly what level of compliance you are trying to reach. – Conor Mancone Sep 19 '19 at 19:17
  • Because of our parent organization's size, I think we're considered level 2. Our scope matches SAQ A-EP – AlexLostDba Sep 19 '19 at 19:30
  • Not a duplicate but related: https://security.stackexchange.com/q/172148/149676 – Conor Mancone Sep 20 '19 at 01:46

1 Answers1

3

Is this a standard part of vulnerability scanning as far as PCI is concerned?

No, it's unusual, and having worked with 4-5 different auditors, I've never been asked for that.

It's much more common for the auditor to request certain evidence - either the auditor 'rides shotgun' while you gather the evidence, or they trust you to gather the evidence - from a statistically significant sample of hosts.

First of all, there's the responsibility issue. If you give them admin credentials, and then they do anything wrong while poking around with your servers, and cause downtime or damage, that's a big problem. A good auditor will be even more interested in avoiding that than you are!

But secondly, and more importantly, let's see what SAQ A-EP is asking them to do:

Table 6.2 from PCI DSS SAQ A-EP

For patching, the expected testing is to "Review policies and procedures". For critical patches it adds "Examine system components" and "Compare list of security patches installed to recent vendor patch lists". In my experience these have always been satisfied by providing the installed patch list to the auditor. The more stringent auditors I've dealt with required me to gather that evidence in front of them to prove its provenance.

I have had auditors who asked me to run an information gathering script on a sample of hosts - which we did, after examining the script, and running it on non-production hosts first to make sure it didn't cause problems. But, again, they had no interest in running it themselves, and didn't ask for any access to the servers.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198