Qualys Scanning for PCI Devices University of Minnesota




Overview
Qualys is the vulnerability scanner that will be used to map and scan devices involved in credit card processing to meet the PCI-DSS quarterly internal scan and map requirement. This document provides background and responsibilities for how QualysGuard scanning, mapping and ticket remediation tracking will be used at the University of Minnesota by departments for servers and devices involved in credit card processing. Qualys maintains more extensive documentation of the product under Help on the QualysGuard Enterprise Suite menu bar.

Scanner Responsibilities
- Follow the naming convention for Asset Groups (see the Naming Conventions section).
- Create and maintain the list of IP addresses that should be included in the PCI list of devices that are on the University network. Include servers, desktops, printers, and other devices that are involved in credit card processing in your PCI-devices Asset Group.
- Discovery map your PCI subnet ranges (PCI-hostips Asset Group) at least monthly. Review the Map reports for unknown devices. Scheduling daily maps is recommended.
- Scan all IP addresses in the PCI-devices Asset Group at least monthly. Scheduling weekly scans, using the PCI-hostips Asset Group, for the times when the devices are expected to be on-line is recommended.
- Review the scan results.
  o Fix and mitigate the high severity vulnerabilities flagged as PCI Failed within 30 days. Rerun the scan.
  o The hosts that were not alive during the scan are listed in the Appendix of the scan results. Schedule a follow-up scan for when these devices will be powered on.
- Update your remediation plan/mitigation strategy at least monthly for the open tickets created for high severity vulnerabilities. Use the Qualys Ticket Remediation to document proposed or approved remediation steps.
- Run the PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP at least monthly to verify that all high severity vulnerabilities for PCI devices have been mitigated or resolved.
- Run the PCI Scan Report for Internal Scan report quarterly for all devices involved in credit card processing. For more information, see the section For the Quarterly Report.

For the Quarterly Report
- Compare the list of hosts scanned for the current quarter to your unit's inventory list of hosts involved in credit card processing. All devices in your unit's inventory list must be scanned quarterly.
- Verify that the Reporting Asset Group PCI.COLLEGE.DEPT-Devices IP list has an entry (IP address) for each device that is involved in credit card processing.

04-2015 Page 1 of 13

- Verify that all hosts have a scan for the current quarter. Use the Asset Search feature for Asset Group PCI.COLLEGE.DEPT-Devices and review the Last Scan Date column.
- Verify that all PCI high severity vulnerabilities have been mitigated. Use the PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP report.
- Run and save a copy (outside of Qualys) of the PCI Scan Report for Internal Scan to document your unit's internal scan PCI compliance. Provide a copy to the Merchant Manager and the University PCI Compliance office (cmgraves@umn.edu).

Naming Conventions
- Reporting Asset Groups:
  o PCI.COLLEGE.DEPT-Devices
- Map & Scan Asset Groups:
  o COLLEGE.DEPT.PCI-hostips
- Other asset groups should begin with:
  o COLLEGE.DEPT

Vulnerabilities
Qualys uses 3 categories for classifying vulnerabilities (confirmed, potential and information). Within each category, there are 5 severity levels.
  o Confirmed (red): security weaknesses verified by an active test
  o Potential (yellow): security weaknesses that need manual verification
  o Information (blue): configuration data

High Severity Vulnerabilities for PCI
  o Required: Fix vulnerabilities with PCI FAIL status. The high severity must be mitigated (i.e., patching/configuration, another compensating control, or documented as a false positive) for reporting.
  o Hosts involved in credit card processing must mitigate the risk for all vulnerabilities that appear on the PCI reports.
  o Documentation of the mitigation plan or compensating controls for high severity vulnerabilities must be in the Qualys Ticket Remediation. Tickets for unmitigated vulnerabilities need to be documented within 30 days of the scan.
  o For false positives, send documentation supporting your request to have it reviewed as a false positive to abuse@umn.edu with the subject PCI Internal Scan False Positive Request. Include the Qualys Ticket Remediation # and the IP address of the host. The University Information Security group will review your request and respond.

Priorities for Other Vulnerabilities
  o Recommended: Review Potential 4 & 5 (yellow) and fix, if applicable
  o Recommended: Review Confirmed 1, 2 & 3 (red) and fix, if applicable
  o Recommended: Review and assess the risk of the other vulnerabilities and fix, if applicable
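The quarterly checks above (inventory versus the PCI.COLLEGE.DEPT-Devices asset group, and a scan in the current quarter for every host) can be run mechanically against an Asset Search export. This is an added example, not code from the University of Minnesota document or from Qualys; the inventory, IP addresses, dates and the export layout are all constructed for illustration.

```python
# Added example (not from the U of M document or Qualys): reconcile a unit's
# PCI inventory against the PCI.COLLEGE.DEPT-Devices asset group and the
# Last Scan Date column exported from Asset Search. IPs, dates and the
# export format below are constructed.
from datetime import date

# Constructed inventory list for the unit (hosts involved in card processing).
INVENTORY = {"10.0.5.10", "10.0.5.11", "10.0.5.20", "10.0.5.31"}

# Constructed Asset Search export: (IP, last scan date or None if never scanned).
ASSET_SEARCH = [
    ("10.0.5.10", date(2015, 3, 2)),
    ("10.0.5.11", date(2014, 12, 15)),   # last scanned in the prior quarter
    ("10.0.5.20", None),                 # in the group but never scanned
    ("10.0.5.99", date(2015, 3, 2)),     # scanned but not on the inventory
]

def quarter_of(d):
    """Return (year, quarter) for a date, e.g. 2015-03-02 -> (2015, 1)."""
    return (d.year, (d.month - 1) // 3 + 1)

def reconcile(inventory, asset_search, as_of):
    """Compare inventory, asset group membership and scan recency for the
    quarter containing as_of. Returns the gaps a reviewer must resolve."""
    current_q = quarter_of(as_of)
    in_group = {ip for ip, _ in asset_search}
    last_scan = dict(asset_search)
    return {
        # Inventory hosts missing from the reporting asset group.
        "missing_from_group": sorted(inventory - in_group),
        # Inventory hosts in the group with no scan in the current quarter.
        "not_scanned_this_quarter": sorted(
            ip for ip in inventory & in_group
            if last_scan[ip] is None or quarter_of(last_scan[ip]) != current_q),
        # Group members not on the inventory: either the inventory is stale
        # or a device entered PCI scope without being recorded.
        "not_in_inventory": sorted(in_group - inventory),
    }

if __name__ == "__main__":
    for key, ips in reconcile(INVENTORY, ASSET_SEARCH, date(2015, 3, 31)).items():
        print(f"{key}: {ips}")
```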

Additional information on Set Up, Scans, Maps, Ticket Remediation & Reports

Asset Groups (See the Asset Group image)
Go to Assets > Asset Groups. Create a new group from the New menu or edit an existing group from the Quick Actions menu. Use the workflow to manage the asset group and click Save.
  o Follow the naming conventions for Asset Groups.
  o IPs: list all the IP addresses or IP ranges to be included in the Asset Group.
  o Domain: select None domain.
  o Scanner Appliances: select all listed.
  o Business/CVSS Information: the information on this tab is optional.

Scans (See the Scan Asset Group, Scan Host and Scheduled Scan images)
Go to Scans and choose New > Scan. Enter scan details and click Launch. For scheduled scans, go to Scans > Schedules and choose New > Schedule Scan. Enter task details and click Save.
  o There are multiple scan policies and options for scheduling scans. Here are the basics.
    * Schedule scan or scan immediately
    * Option Profile: U of M Initial Options (default)
    * Scanner Appliance: All Scanners in Asset Group; select an internal scan appliance when listing IP addresses or ranges. If not scanning an asset group, the external scanner is used instead of the internal one.
    * Scan by Asset Group, Select IPs or IP Range
  o When the scan is completed, review the scan report and mitigate the vulnerabilities identified.

Scan Reports
Quarterly - PCI Scan Report for Internal Scan
Go to Reports. Then go to New > Scan Report > PCI Scan Template.
    * Type in a title for the report
    * Use the pull-down on Template Based to select the report format (e.g., PCI Scan Report for Internal Scan)
    * Select the Report output format (e.g., PDF)
    * Type in the Asset Group name or use the Select feature to search for and select the asset group

Ad-Hoc
Go to Reports. Then go to New > Scan Report > Template Based.
  o There are multiple report formats available (see the Report Templates section). Here are the basics.
    * Type in a title for the report
    * Use the pull-down on Template Based to select the report format (e.g., PCI+Confirmed 4-5 Technical Report- Select Asset Group or IP)
    * Select the Report output format (e.g., PDF, CSV, etc.)
    * Type in the Asset Group name or use the Select feature to search for and select the asset group

Ticket Remediation
Go to Remediation > Tickets. Select Edit from the Quick Actions menu for a single ticket in the list, or select multiple tickets in the list and select Edit from the Actions menu.
  o The main remediation policy will create tickets for all Confirmed 4 & 5 or PCI-related vulnerabilities for the IPs in the PCI-Devices Asset Group. Tickets will be assigned to the user running the scan. The deadline date for determining overdue tickets will be 30 days.

Report Templates
  o PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP
    * Results as of the last scan
    * Includes PCI FAIL status for each vulnerability (the PCI org. determines which vulnerabilities to include in this report) or confirmed vulnerabilities at levels 4 & 5
    * Details on how to fix
  o PCI Scan Report for Internal Scan
    * Results as of the last scan
    * Includes PCI PASS and FAIL status for each vulnerability (the PCI org. determines which vulnerabilities to include in this report)
    * Details on how to fix
  o PCI Scan Report- Select Scan Results
    * Use to run a PCI scan report for a prior period or a specific scan
    * Results from a specific scan (includes the option to include a specific IP)
    * Includes PCI PASS and FAIL status for each vulnerability (the PCI org. determines which vulnerabilities to include in this report)
    * Details on how to fix
  o Technical Report- Select Asset Group or IP
    * Results as of the last scan
    * Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    * Details on how to fix
    * Very large report
  o Technical Report-Select Scan Results
    * Results from a specific scan (includes the option to include a specific IP)
    * Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    * Details on how to fix
    * Very large report
  o UMN-Summary Report
    * Results as of the last scan
    * Includes all vulnerabilities (confirmed, potential, info.) at all levels (1-5)
    * No detail on how to fix

Maps (See the Map Asset Group, Scheduled Map and Unknown Devices Report images)
Go to Scans > Maps and choose New > Map. Enter map details and click Launch.
  o Similar to nmap
  o There are multiple discovery map policies and options for scheduling maps. Here are the basics.
    * Schedule a map or launch a map immediately
    * Option Profile: University of Minnesota Initial Options (default)
    * Scanner Appliance: Internal scan appliance
    * Map by Asset Group, Select IPs or IP Range
  o When the map is completed, review the map report for anomalies.
  o To identify changes to the list of hosts that are on the network, use the Map Report-Unknown Devices Template. Go to Reports. Then go to New > Map Report > Template Based.
    * Select Unknown Devices Report for Report Template
    * Type in a title for the report
    * Select the Report output format (e.g., PDF, CSV, etc.)
    * Select the Map results to compare
    On the report, the Status column reports whether an IP address has been Added or Removed when comparing the 2 map results. If an IP address appears on both map results, the status is Active.
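The Added / Removed / Active rule of the Unknown Devices Report, and the two follow-ups it drives (an Added host that is not in the PCI-devices group is an unknown device to review; a Removed host that is in the group was off-line and needs a follow-up scan), as an added example. It is not code from the University of Minnesota document or from Qualys; the two map results and the asset group membership are constructed.

```python
# Added example (not from the U of M document or Qualys): reproduce the
# status the Unknown Devices Report assigns when two map results are
# compared, then list what a reviewer acts on. All values are constructed.

# Constructed map results: IP -> hostname / OS as a discovery map would show.
MAP_PREVIOUS = {
    "10.0.5.10": "pos-register-1 / Windows",
    "10.0.5.11": "pos-register-2 / Windows",
    "10.0.5.20": "receipt-printer / embedded",
}
MAP_CURRENT = {
    "10.0.5.10": "pos-register-1 / Windows",
    "10.0.5.11": "pos-register-2 / Windows",
    "10.0.5.44": "unknown / Linux",   # newly seen on the PCI subnet
}
# Constructed PCI-devices asset group membership.
PCI_DEVICES = {"10.0.5.10", "10.0.5.11", "10.0.5.20"}

def compare_maps(previous, current):
    """Return {ip: status} using the report's rule: Active if on both maps,
    Added if only on the newer map, Removed if only on the older one."""
    status = {}
    for ip in previous.keys() | current.keys():
        if ip in previous and ip in current:
            status[ip] = "Active"
        elif ip in current:
            status[ip] = "Added"
        else:
            status[ip] = "Removed"
    return status

def review_items(status, pci_devices):
    """Added hosts outside the asset group are unknown devices to review;
    Removed hosts inside it were not alive and need a follow-up scan."""
    return {
        "added_unknown": sorted(ip for ip, s in status.items()
                                if s == "Added" and ip not in pci_devices),
        "removed_pci": sorted(ip for ip, s in status.items()
                              if s == "Removed" and ip in pci_devices),
    }

if __name__ == "__main__":
    st = compare_maps(MAP_PREVIOUS, MAP_CURRENT)
    for ip in sorted(st):
        print(ip, st[ip])
    print(review_items(st, PCI_DEVICES))
```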

Images (screenshot captions)
  o Asset Group: Assets > Asset Groups. Create a new group from the New menu or edit an existing group from the Quick Actions menu. Use the workflow to manage the asset group and click Save.
  o Scan Asset Group: Scans > New > Scan. Enter scan details and click Launch.
  o Scan Host
  o Scheduled Scan: Scans > Schedules > New > Schedule Scan. Enter task details and click Save. Scheduling workflow tab.
  o Map an Asset Group: Scans > Maps > New > Map. Enter map details and click Launch.
  o Scheduled Map: Scans > Schedules > New > Schedule Map. Enter task details and click Save. Target Domains workflow tab; Scheduling workflow tab.
  o Unknown Devices Report