I would say that the question is incorrect. If you check the standard's text (I have the January 2005 version), what it says is that vulnerability scanning should be done externally and internally, at least quarterly or after a significant change. You can run Nessus quarterly and will be in compliance. However, it is possibly a very bad idea to run it once in three months. In the text there is "product upgrades" as well. So, to be safe, you need scanning after each MS (or other vendor's) patch is applied. Is it a logical suggestion from a vulnerability mitigation point of view? Not really. You need an initial scan, which possibly will bring up some vulnerable hosts, and a final one, which shows zero. However, more likely you will need several scans before you get to the target "zero". DoD, for instance, requires an initial scan and weekly ones until the number of vulnerable hosts is zero.
Mikhail Utin
AIS Security
[EMAIL PROTECTED]
401-832-6584

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason Ledford
Sent: Wednesday, March 15, 2006 10:28 PM
To: [email protected]
Subject: PCI Compliance

I was just wondering if Nessus is capable of providing reports of PCI compliance and if anyone has any tips on how to get it working.

_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
