How-to Instructions

Qualys Internal Scans for PCI DSS

Qualys Vulnerability Management (VM) is the vulnerability scanner used to map and scan systems and devices that are in-scope for the PCI-DSS internal vulnerability scan and map requirement. Items in-scope include any system or device which processes, stores, transmits, or has the ability to impact the security of cardholder data.

This document provides responsibilities and instructions on how Qualys VM scanning, mapping and ticket remediation tracking is used at the University of Minnesota by units for PCI-DSS internal vulnerability scans and maps.

Unit Responsibilities

  • Follow the naming convention for Asset Groups (see Naming Conventions section).
  • Create and maintain the list of IP addresses of systems and devices that are in-scope and on the University network in your PCI.COLLEGE.DEPT-Devices asset group. Include servers, workstations, terminals, printers, network infrastructure, and other devices.
  • Discovery map your PCI subnet ranges (COLLEGE.DEPT.PCI-hostips asset group) at least monthly. Recommend scheduling daily or weekly maps.
    • Review the Map reports for unknown devices.
    • Remove the unknown devices from the network or verify that they are in your PCI-devices Asset Group.
  • Scan all IP addresses in the PCI.COLLEGE.DEPT-Devices asset group at least monthly.  Recommend scheduling weekly scans when the devices are expected to be on-line using the PCI-hostips Asset Group.
    • Review the scan results.
      • Fix and mitigate the high severity vulnerabilities flagged as PCI Failed within 30 days.  Rerun the scan.
      • Fix and mitigate the other vulnerabilities on the report.
      • Schedule a follow-up scan for IP addresses that were not alive during the scan, for when these devices are on-line. See the Appendix of the scan results report.
  • Update your remediation plan/mitigation strategy at least monthly for the open tickets created for high severity vulnerabilities, including those flagged PCI Failed. Use the Qualys Ticket Remediation to document proposed or approved remediation steps.
  • Run reports at least monthly.
    • Use the Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP to verify that all high severity and PCI Failed vulnerabilities have been mitigated or resolved.
    • Use the Report Template: PCI Scan Report for Internal Scan-Select Host for documenting the completion of the internal vulnerability scan. See the section For the Monthly or Quarterly Report.

For the Monthly or Quarterly Report

  • Compare the list of IP addresses scanned for the current quarter to your unit’s inventory list of systems and devices that are in-scope. Use Asset Search on the PCI.COLLEGE.DEPT-Devices asset group; it lists the IP addresses that responded to ICMP ping.
    • Add new IP addresses to your PCI.COLLEGE.DEPT-Devices asset group and schedule a scan.
    • Remove IP addresses for systems that have been retired or decommissioned.
  • Verify that the Reporting Asset Group PCI.COLLEGE.DEPT-Devices asset group has an entry (IP address) for each device that is in-scope.
  • Verify that all IP addresses in PCI.COLLEGE.DEPT-Devices asset group have a scan for the current month or quarter.  Modify the Asset Search to identify IP addresses not scanned within the last 30 or 90 days for PCI.COLLEGE.DEPT-Devices asset group. Review the last scan date column.
    • Remove IP addresses for systems that no longer meet the criteria for Critical Systems asset group or are retired or decommissioned.
    • For others, schedule a vulnerability scan.
  • Verify that all PCI high severity vulnerabilities have been mitigated.  Run report using the Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP.
    • For vulnerabilities listed:
      • Mitigate the risk and run vulnerability scan.
      • Document the remediation plan by creating a Qualys remediation ticket if the vulnerability requires more time to mitigate the risk.
      • For false positives:
        • Create an ignored vulnerability remediation ticket and include support documentation.
        • Send documentation supporting your request to have it reviewed as a false positive to University Information Security at abuse@umn.edu with subject PCI Internal Scan False Positive Request.  Include the Qualys Ticket Remediation # and the IP address of the host.  University Information Security group will review your request and respond.
      • See the High Severity Vulnerabilities for PCI section for more detail.
  • Run and save a copy (outside of Qualys Portal) of the report using the Report Template: PCI Scan Report for Internal Scan-Select Host with PCI.COLLEGE.DEPT-Devices asset group or COLLEGE.DEPT.PCI-hostips asset group to document your unit’s compliance with the PCI DSS internal vulnerability scan.  Provide a copy to the Merchant Manager and University PCI Compliance office (cmgraves@umn.edu).
    • For vulnerabilities flagged as PCI Failed that will not be resolved within 12 weeks of first detection, contact Corey Graves (pmtcard@umn.edu) to document the reasons and a timeline for resolution.
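The inventory reconciliation steps above (compare Asset Search results to the unit inventory, then find IP addresses with no scan in the last 30 or 90 days) can be scripted against an exported Asset Search. The following is an added example and not part of the University's procedure or of Qualys's own tooling; the CSV column names, IP addresses and dates are constructed for illustration, and a real export's column headings must be checked before use.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a Qualys Asset Search export for the
# PCI.COLLEGE.DEPT-Devices asset group. The column names are assumed;
# verify them against a real export. An empty date means never scanned.
ASSET_SEARCH_CSV = """IP,Last Scan Date
10.20.30.5,2017-05-28
10.20.30.6,2017-03-02
10.20.30.7,
10.20.30.9,2017-06-01
"""

# Constructed unit inventory of in-scope systems and devices.
UNIT_INVENTORY = ["10.20.30.5", "10.20.30.6", "10.20.30.7", "10.20.30.8"]


def parse_asset_search(csv_text):
    """Map each IP in the export to its last scan date (None if never scanned)."""
    last_scan = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["Last Scan Date"].strip()
        last_scan[row["IP"].strip()] = (
            datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        )
    return last_scan


def reconcile(csv_text, inventory, today_iso, window_days=30):
    """Build the three worklists the monthly/quarterly review calls for.

    window_days is 30 for a monthly review and 90 for a quarterly one.
    """
    last_scan = parse_asset_search(csv_text)
    today = datetime.strptime(today_iso, "%Y-%m-%d").date()
    in_group, in_inventory = set(last_scan), set(inventory)
    return {
        # In the unit inventory but missing from the asset group: add and scan.
        "add_to_asset_group": sorted(in_inventory - in_group),
        # In the asset group but not in the inventory: retired, or an inventory gap?
        "review_for_removal": sorted(in_group - in_inventory),
        # No scan inside the review window: schedule a vulnerability scan.
        "needs_scan": sorted(
            ip for ip, last in last_scan.items()
            if last is None or (today - last).days > window_days
        ),
    }


if __name__ == "__main__":
    for name, ips in reconcile(ASSET_SEARCH_CSV, UNIT_INVENTORY, "2017-06-15").items():
        print(f"{name}: {', '.join(ips) or 'none'}")
```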

High Severity Vulnerabilities for PCI

  • Required: vulnerabilities with PCI FAIL status must have the high severity mitigated (i.e., by patching/configuration, another compensating control, or documentation as a false positive) for reporting.
  • Systems and devices in-scope must mitigate the risk for all vulnerabilities that appear on the PCI reports.
  • Documentation of the mitigation plan or compensating controls for high severity vulnerabilities must be in the Qualys Ticket Remediation.  Tickets for unmitigated vulnerabilities need to be documented within 30 days of scan.
  • For false positives, send documentation supporting your request to have it reviewed as a false positive to University Information Security at abuse@umn.edu with subject PCI Internal Scan False Positive Request.  Include the Qualys Ticket Remediation # and the IP address of the host.  University Information Security group will review your request and respond.

Naming Conventions

  • Reporting Asset Groups:

PCI.COLLEGE.DEPT-Devices

  • Map & Scan Asset Groups:

COLLEGE.DEPT.PCI-hostips

  • Other asset groups should begin with:

COLLEGE.DEPT

More In-Depth

For additional instructions on how to use Qualys VM for scans, maps, ticket remediation, asset groups and reports, see Qualys VM for Technical Users.

Qualys maintains extensive documentation for each tab (i.e., Scans, Reports, Remediation) of the product under Help on the Qualys menu bar. Below are instructions to get you started.

Scans

There are multiple scan option profiles and features for running a scan, including scheduling or launching a scan immediately.

Scans tab in the Qualys portal.

Go to Scans and choose New -> Scan
Enter scan details and click Launch.

Scan details:

  • Title
  • Option Profile: Initial Options for University of Minnesota (default)
  • Scanner Appliance:
    • All Scanners in Asset Group (distributes the scan between the internal scan appliances on the University network)
    • Build my list (distributes the scan between the internal scan appliances on the University network)
    • Single scan appliance
  • Choose Target Hosts
    • Assets Groups: PCI.COLLEGE.DEPT-Devices or COLLEGE.DEPT.PCI-hostips
    • IP/Ranges
    • Exclude IPs/Ranges
  • Notification when scan is finished (optional)

Cancel or pause scan in the Qualys portal.

Results from scan are in the Qualys portal.

  • View report under Scans tab
  • Use Reports tab to create additional reports using the report templates
  • Asset Search under Assets tab

Ticket Remediation

The main remediation policy will create tickets for all confirmed severity 4 & 5 or PCI-related vulnerabilities for the IPs in the PCI-Devices Asset Group.

  • Tickets will be assigned to the user running the scan.
  • Deadline date for determining overdue tickets is 30 days.

Reports & Report Templates

Schedule a report or launch on-demand using the various report templates.

Reports tab in the Qualys portal.

Choose New > Scan Report > PCI Scan Template

  • Report Template: PCI FAIL+Confirmed 4-5 Technical Report- Select Asset Group or IP
    • Results as of the last scan
    • Includes PCI FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report) or confirmed vulnerabilities at levels 4 & 5
    • Details on how to fix
  • Report Template: PCI Scan Report for Internal Scan- Select Host
    • Results as of the last scan
    • Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report).
    • Details on how to fix

  • Report Template: PCI Scan Report- Select Scan Results
    • Use to run a PCI scan report for a prior period or a specific scan
    • Results from a specific scan (includes option to include a specific IP)
    • Includes PCI PASS and FAIL status for each vulnerability (PCI org. determines which vulnerabilities to include in this report).
    • Details on how to fix

Schedules for Scans, Maps and Reports

Under the respective tabs in the Qualys portal, select Schedules tab.

Scheduling details:

  • Start date and time
  • Duration (optional) for scans and maps
  • Frequency
  • Notifications
  • Change schedule status (deactivate or reactivate)

For Reports, use the Notifications settings:

  • Email to U PCI Compliance Office- Corey Graves
  • Subject Line: PCI (your unit)
  • Custom Message:

Review the report and remediate the vulnerabilities marked as PCI Severity HIGH.  The other vulnerabilities should also be remediated.

Per PCI DSS, all HIGH vulnerabilities need to be addressed in a timely manner and rescans performed to verify these vulnerabilities have been resolved.  If HIGH vulnerabilities will not be resolved in the next 12 weeks,

University Information Security coordinates the external vulnerability scan for systems and network devices that are in scope for the credit card data environment (CDE). These scans meet the Payment Card Industry (PCI) Scanning (PDF) requirement.

For questions, contact University Information Security.

Content Last Reviewed: June 2017 by University Information Security