The Intent of assigning a risk ranking to vulnerabilities Is to?
Intent of Risk Ranking
PCI DSS Requirement 6.3.2 requires that entities assign a risk ranking to vulnerabilities to prioritize remediation efforts.
This ensures that the most critical vulnerabilities are addressed in a timely manner, reducing the risk to the CDE.
Practical Implementation
Vulnerabilities are assessed based on potential impact and likelihood of exploitation, typically using industry-standard frameworks like CVSS.
High-risk vulnerabilities may require immediate attention, while lower-priority issues are remediated per schedule.
Incorrect Options
Option A: PCI DSS does not mandate a 30-day remediation window for all vulnerabilities; remediation timelines depend on risk.
Option B: Quarterly ASV scans are still required even with risk ranking.
Option D: Installing patches quarterly does not align with the dynamic prioritization of risks.
Amber
9 days agoPete
14 days agoDiane
15 days agoOnita
1 months agoLou
1 months agoBrett
1 months agoMitsue
1 months agoMiesha
1 months agoFranchesca
28 days agoRoselle
1 months ago