From PCI-DSS 3.2 https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss :

Section 2.2

Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:

* Center for Internet Security (CIS)
* International Organization for Standardization (ISO)
* SysAdmin Audit Network Security (SANS) Institute
* National Institute of Standards Technology (NIST)

Trevor

On Wed, Jun 28, 2017 at 6:51 PM, Shawn Wells <[email protected]> wrote:

> On 6/28/17 9:48 AM, Trevor Vaughan wrote:
> >
> > My reading of PCI-DSS indicates that it is supposed to be stacked on
> > top of an additional known standard. So, for full compliance, you'll
> > need to scan against PCI-DSS here and then pick which of the other
> > baseline standards you want to follow and run that one as well.
> >
> > You should be able to put together a custom SCAP scenario to do all of
> > the appropriate scans at once but keeping them separate is generally
> > easier so that you don't have to munge with anything upstream.
>
> Do you have a pointer for the need for additional standards? The PCI-DSS
> docs call out specific controls they want to see (e.g. PCI-DSS 8.2.3 - 7
> char alpha numeric passwords)... haven't come across the layering
> concept before.
>
> (I have very little experience with PCI-DSS and can learn from the pointer)
> _______________________________________________
> scap-security-guide mailing list -- scap-security-guide@lists.fedorahosted.org
> To unsubscribe send an email to scap-security-guide-leave@lists.fedorahosted.org

--
Trevor Vaughan
Vice President, Onyx Point, Inc
(410) 541-6699 x788

-- This account not approved for unencrypted proprietary information --
