
Tracking CNBV Annex 72 KRI Compliance

by Cesar Navas
July 9, 2020

This Assurance Report Card (ARC) pulls together several key groupings, based on asset type and risk level, to help the CISO understand the current state of the Vulnerability Management program.

The National Banking and Securities Commission (CNBV) Annex 72 is a collection of 30 Key Risk Indicators (KRI) that establish compliance standards for financial institutions operating in Mexico. The KRIs cover several topics such as secure management, vulnerability management, anti-malware and obsolete or outdated software.  Tenable.sc provides passive and active detection methods to correlate vulnerability data to align with said KRIs. All financial institutions in Mexico must be prepared to divulge all KRIs to CNBV auditors when requested. 

This ARC provides the CISO with an easy-to-understand view of the state of their environment. The security policies provide the percentages and system counts by using Dynamic Asset Lists to group assets together for a comparative analysis. The first six policy statements relate to Secure Management and are directly tied to KRI0003, KRI0004, KRI0025, KRI0028, KRI0029, and KRI0030. By tracking, showing, and grouping the failed audit results by asset type (Workstations, Servers, etc.), the CISO is able to meet the CNBV's requirements for the related KRIs and measure the organization’s compliance.

As required by CNBV’s Annex 72, financial institutions should maintain counts of critical and high vulnerabilities, and track antivirus software status. Policy statements 7 – 13 provide the CISO with the current status of critical and high vulnerabilities, and the status of antivirus throughout the network. These policy statements relate to KRI0010, KRI0011, KRI0014, KRI0015, KRI0016, KRI0019-22. Policy statements 14 – 17 report on the status of unsupported installed software and hosts with outdated operating systems. This group of policy statements satisfies the following KRIs: KRI0008, KRI0018, KRI0024, KRI0026, and KRI0027.

This ARC is available in the Tenable.sc feed, which is a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Executive category. The ARC requirements are as follows:

  • Tenable.sc 5.12.0
  • Nessus 8.7.1
  • Compliance Data

This ARC provides the organization with a clear and simplified method to identify and establish compliance according to Annex 72 by CNBV. Tenable.sc enables the CISO to Analyze data and identify the non-compliant KRIs. Through this process the CISO is able to complete the Fix and Measure steps of the Cyber Exposure Lifecycle. Tenable.sc is the on-prem solution for understanding the whole picture of the network, while keeping the data under the organization’s control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

This ARC includes the following policy statements:

1. Secure Management: Fewer than 10% of network device audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of network device audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0003.

2. Secure Management: fewer than 10% of server audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of network device audits that failed CIS Benchmark standards. Any percentage higher than 10% should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0028.

3. Secure Management: Less than 5% of application audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of Application audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of compliance plugins. This matches up with KRI0025.

4. Secure Management: Less than 5% of servers are missing patches that have been available over 30 days - This policy statement identifies the percentage of servers that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of servers. This matches up with KRI0004.

5. Secure Management: Less than 3% of workstations are missing patches that have been available over 30 days - This policy statement identifies the percentage of workstations that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of workstations. This matches up with KRI0029.

6. Secure Management: Less than 3% of databases are missing patches that have been available over 30 days - This policy statement identifies the percentage of databases that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of databases. This matches up with KRI0030.

7. Vulnerability/Antimalware: No systems with critical (CVSS) vulnerabilities - This policy statement identifies any vulnerabilities with a CVSS Score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0011.

8. Vulnerability/Antimalware: Less than 3% of IT hosts have External Connections - This policy statement identifies IT hosts that have any external connections. Compliance for this policy is less than 3% of hosts. This matches up with KRI0015.

9. Vulnerability/Antimalware: No systems with critical (VPR) vulnerabilities - This policy statement identifies any vulnerabilities with a VPR Score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0016.

10. Vulnerability/Antimalware: Less than 6% of servers don’t have antimalware - This policy statement identifies the percentage of servers that don’t have any detected antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0019. 

11. Vulnerability/Antimalware: Less than 6% of servers have outdated antimalware - This policy statement identifies the percentage of servers that have outdated antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0020.

12. Vulnerability/Antimalware: Less than 8% of Workstations don’t have antimalware - This policy statement identifies the percentage of workstations that don’t have any detected antimalware. Compliance for this policy is less than 8% of servers. This matches up with KRI0019.

13. Vulnerability/Antimalware: Less than 8% of Workstations have outdated antimalware - This policy statement identifies the percentage of workstations that have outdated antimalware. Compliance for this policy is less than 8% of servers. This matches up with KRI0022.

14. Obsolete/Unsupported: Less than 5% of Network devices have unsupported software versions - This policy statement identifies the percentage of network devices that have unsupported software versions. Compliance for this policy is less than 5% of network devices. This matches up with KRI0008.

15. Obsolete/Unsupported: Less than 5% of IT hosts have unsupported versions - This policy statement identifies the percentage of IT hosts that have unsupported software versions. Compliance for this policy is less than 5% of IT Hosts. This matches up with KRI0018.

16. Obsolete/Unsupported: Less than 10% of servers have outdated operating system version - This policy statement identifies the percentage of servers that have outdated operating system versions. Compliance for this policy is less than 10% of servers. This matches up with KRI0024.

17. Obsolete/Unsupported: Less than 10% of databases have outdated operating system version - This policy statement identifies the percentage of databases that have outdated operating system versions. Compliance for this policy is less than 10% of databases. This matches up with KRI0026.
