Requirement 6.1 is my favourite PCI DSS requirement! No fancy tools required. No specialized knowledge. It can be largely executed by a person on the helpdesk. And the impact on the organization's overall security posture can be huge. More than that expensive network appliance. More than that fancy SIEM. More than that overpriced vulnerability scanner.
Speaking of vulnerability scanners, save those for requirement 11 and let's not talk about them for requirement 6.1. It's something about the word "vulnerability" that makes everyone think of vulnerability scanners. In my experience they are not going to identify a large number of vulnerabilities, especially non-credentialed scans or scans of specialized system components (VPN concentrators, load balancers, or even more esoteric devices).
The PCI DSS v3.2.1 guidance for 6.1 says (shortened and highlighting added):
The intent of this requirement is that organizations keep up to date with new vulnerabilities that may impact their environment.
Sources for vulnerability information should be trustworthy and often include vendor websites, industry news groups, mailing lists, or RSS feeds. This is not achieved by an ASV scan or internal vulnerability scan, rather this requires a process to actively monitor industry sources for vulnerability information.
So let's put our thinking caps on and see how we can fit a vulnerability identification process into the organization.
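As an added illustration of the kind of process the guidance describes (not code from the original post), here is a small script that reads a vendor RSS feed, matches each advisory against an inventory of the components in scope, and ranks the hits by stated severity so a helpdesk analyst has a triage list to hand to the system owners. The feed, product names, severities and owners are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample RSS feed; products, severities and links are made up.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
 <item><title>Advisory: ExampleVPN concentrator remote code execution</title>
  <description>Severity: Critical. Affected: ExampleVPN 4.0-4.3.</description>
  <link>https://example.invalid/adv-001</link></item>
 <item><title>Advisory: ExampleLB load balancer denial of service</title>
  <description>Severity: Medium. Affected: ExampleLB 2.x.</description>
  <link>https://example.invalid/adv-002</link></item>
 <item><title>Advisory: OtherVendor NAS privilege escalation</title>
  <description>Severity: High.</description>
  <link>https://example.invalid/adv-003</link></item>
</channel></rss>"""

# Constructed inventory of in-scope components: the product name an analyst
# would recognise in an advisory, mapped to the team that owns the fix.
INVENTORY = {"ExampleVPN": "network team",
             "ExampleLB": "network team",
             "ExampleDB": "dba team"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_feed(xml_text):
    """Yield title/description/link for every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        yield {"title": item.findtext("title", ""),
               "description": item.findtext("description", ""),
               "link": item.findtext("link", "")}

def severity_of(text):
    """Pull a 'Severity: X' marker out of the advisory text, if present."""
    lowered = text.lower()
    for name in SEVERITY_RANK:
        if "severity: " + name in lowered:
            return name
    return "unknown"

def triage(xml_text, inventory):
    """Return advisories naming an inventoried product, worst severity first."""
    hits = []
    for entry in parse_feed(xml_text):
        blob = (entry["title"] + " " + entry["description"]).lower()
        for product, owner in inventory.items():
            if product.lower() in blob:
                hits.append({"product": product, "owner": owner,
                             "severity": severity_of(entry["description"]),
                             "title": entry["title"], "link": entry["link"]})
    return sorted(hits, key=lambda h: SEVERITY_RANK.get(h["severity"], 99))

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, INVENTORY):
        print(hit["severity"].upper(), hit["product"], hit["owner"], hit["link"])
```

Advisories for products not in the inventory (the NAS entry above) are dropped, which is exactly the filtering step that makes the process manageable for one person.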