Running Vulnerability Scans After a Significant Change

What Constitutes a Significant Change?
PCI Requirement 11.2.3 requires you to run internal and external vulnerability scans after any significant change, performed by qualified personnel. What constitutes a significant change in AWS? This could be the implementation of a new server within your environment, a new EC2 instance, the deployment of a new cluster within your environment, or a major configuration change. Any time a significant change is made in AWS, your team should be in the habit of running a vulnerability scan to verify that the change has not opened your AWS environment up to new risks.

If your organization is looking to maintain PCI compliance, vulnerability scanning needs to be conducted after any significant change – this could be a major system, organization, or infrastructure change. AWS customers can carry out security assessments against their AWS infrastructure without prior approval for eight services. For more information, learn about vulnerability assessment and management in AWS Marketplace.

Transcription
When you ask yourself the question about how often you should run vulnerability scans, one of the things you have to take into account is significant change within your environment. Whether it’s an external host, an internal host, or anything that has changed within your environment that can potentially affect the security of your AWS environment or your PCI cardholder data environment, you have to evaluate whether that constitutes something significant enough to rerun a vulnerability scan. A lot of people neglect this area.

I want to encourage you to look at what significant means to you. When you are running scans, you typically don’t incur a lot of extra charges. They are very easy to run these days. It’s not very prohibitive to run more frequent scans. So, when we’re doing an audit with a client, we will look at change tickets. We will look at the population of changes that have occurred in your environment. You might be asked the question, “Can you show me a corresponding vulnerability scan after you’ve made this change?” because if you implemented a new server within your environment, an EC2 instance, if you deployed a new cluster within your environment, if you made some configuration change – those things are significant when it comes to PCI compliance and managing your cardholder data environment. Get in the regular habit and have a policy and a procedure that supports the running of vulnerability scans, both external and internal, that mirror those significant changes that occur within your environment. If you have any questions, please contact us today.
