💼 6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking to newly discovered security vulnerabilities.
- ID: /frameworks/pci-dss-v3.2.1/06/01
Description
Risk rankings should be based on industry best practices as well as
consideration of potential impact. For example, criteria for ranking
vulnerabilities may include the CVSS base score, the vendor's own severity
classification, and the type of systems affected.
Methods for evaluating vulnerabilities and assigning risk ratings will vary
with an organization's environment and risk-assessment strategy. Risk
rankings should, at a minimum, identify all vulnerabilities considered a
“high risk” to the environment. Independently of the risk ranking, a
vulnerability may be considered “critical” if it poses an imminent threat
to the environment, affects critical systems, or would result in a
potential compromise if not addressed. Examples of critical systems include
security systems, public-facing devices and systems, databases, and
other systems that store, process, or transmit cardholder data.
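The following is an added example of how the ranking process above can be made mechanical; it is not code from the PCI SSC or from any vendor. The CVSS v3.x severity bands (7.0 and above = high, 4.0 to 6.9 = medium, below 4.0 = low) are the standard qualitative scale; everything else is assumed for illustration: the vendor severity vocabulary, the asset tags that mark a "critical system", the choice to treat an unrated vulnerability as high until triaged, and the rule that a vulnerability is "critical" when it is being exploited in the wild or when a high-risk issue touches a critical system. The sample feed entries are constructed, not real advisories.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Tags that mark a "critical system" in the sense of the 6.1 guidance:
# security systems, public-facing systems, databases, anything holding CHD.
CRITICAL_SYSTEM_TAGS = {"security-system", "public-facing", "database", "cardholder-data"}

# Assumed vendor severity vocabulary (Microsoft-style words) mapped to our rank.
VENDOR_SEVERITY_RANK = {"critical": "high", "important": "high",
                        "moderate": "medium", "low": "low"}
RANK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Asset:
    name: str
    tags: set = field(default_factory=set)

    def is_critical_system(self) -> bool:
        return bool(self.tags & CRITICAL_SYSTEM_TAGS)


@dataclass
class Vulnerability:
    vuln_id: str                           # identifier from the outside source
    cvss_base: Optional[float] = None      # CVSS v3.x base score, if published
    vendor_severity: Optional[str] = None  # vendor's own classification, if any
    affected_assets: List[Asset] = field(default_factory=list)
    exploited_in_wild: bool = False        # "imminent threat" signal from the feed


@dataclass
class RiskAssessment:
    rank: str            # low / medium / high
    critical: bool       # "critical" escalation on top of the rank
    reasons: List[str]


def cvss_rank(score: Optional[float]) -> Optional[str]:
    """Standard CVSS v3.x bands; CVSS 'critical' (9.0+) is folded into 'high'
    because the PCI notion of 'critical' is decided separately (see assess)."""
    if score is None:
        return None
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"


def vendor_rank(severity: Optional[str]) -> Optional[str]:
    if severity is None:
        return None
    if severity.lower() not in VENDOR_SEVERITY_RANK:
        raise ValueError(f"unknown vendor severity: {severity!r}")
    return VENDOR_SEVERITY_RANK[severity.lower()]


def assess(vuln: Vulnerability) -> RiskAssessment:
    reasons, candidates = [], []
    for label, r in (("CVSS base", cvss_rank(vuln.cvss_base)),
                     ("vendor severity", vendor_rank(vuln.vendor_severity))):
        if r:
            candidates.append(r)
            reasons.append(f"{label} -> {r}")
    if candidates:
        rank = max(candidates, key=RANK_ORDER.__getitem__)  # take the worst rating
    else:
        rank = "high"  # assumption: nothing published yet, treat as high until triaged
        reasons.append("no score or vendor rating; high pending review")

    critical_assets = [a.name for a in vuln.affected_assets if a.is_critical_system()]
    critical = False
    if vuln.exploited_in_wild:  # imminent threat regardless of score
        critical = True
        reasons.append("exploited in the wild")
    if rank == "high" and critical_assets:
        critical = True
        reasons.append("high-risk issue on critical systems: " + ", ".join(critical_assets))
    return RiskAssessment(rank, critical, reasons)


# Constructed sample feed entries used only to exercise the rules above.
SAMPLE_VULNS = [
    Vulnerability("VULN-0001", cvss_base=9.8, vendor_severity="critical",
                  affected_assets=[Asset("edge-waf", {"public-facing", "security-system"})]),
    Vulnerability("VULN-0002", cvss_base=5.3,
                  affected_assets=[Asset("build-runner-7")]),
    Vulnerability("VULN-0003", vendor_severity="important",
                  affected_assets=[Asset("cde-db-01", {"database", "cardholder-data"})]),
    Vulnerability("VULN-0004", cvss_base=3.1, exploited_in_wild=True,
                  affected_assets=[Asset("jump-host")]),
]


def rank_feed(vulns: List[Vulnerability] = SAMPLE_VULNS) -> Dict[str, RiskAssessment]:
    return {v.vuln_id: assess(v) for v in vulns}


if __name__ == "__main__":
    for vid, a in rank_feed().items():
        print(f"{vid}: {a.rank}{' CRITICAL' if a.critical else ''}  ({'; '.join(a.reasons)})")
```

VULN-0004 shows why the "critical" flag is kept separate from the rank: a low-scored issue that is already being exploited still needs the accelerated handling, and collapsing the two signals into one number would hide that. Unknown vendor severity words and out-of-range scores raise rather than silently rank low, so a malformed feed entry is noticed instead of dropped.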
Similar sections
- /frameworks/pci-dss-v4.0/06/03/01