
Tracking CNBV Annex 72 KRI Compliance

by Cesar Navas
July 9, 2020

This Assurance Report Card (ARC) pulls together several key groupings based on asset type and risk level to help the CISO understand the current state of the Vulnerability Management program.

The National Banking and Securities Commission (CNBV) Annex 72 is a collection of 30 Key Risk Indicators (KRIs) that establish compliance standards for financial institutions operating in Mexico. The KRIs cover several topics such as secure management, vulnerability management, anti-malware, and obsolete or outdated software. Tenable.sc provides passive and active detection methods that correlate vulnerability data with these KRIs. All financial institutions in Mexico must be prepared to divulge all KRIs to CNBV auditors when requested.


This ARC provides the CISO with an easy-to-understand view of the state of their environment. The policy statements provide percentages and system counts by using Dynamic Asset Lists to group assets together for comparative analysis. The first six policy statements relate to Secure Management and are directly tied to KRI0003, KRI0004, KRI0025, KRI0028, KRI0029, and KRI0030. By tracking, showing, and grouping the failed audit results by asset type (Workstations, Servers, etc.), the CISO is able to meet the CNBV's requirements for the related KRIs and measure the organization's compliance.

As required by CNBV's Annex 72, financial institutions should maintain counts of critical and high vulnerabilities and track antivirus software status. Policy statements 7 - 13 provide the CISO with the current status of critical and high vulnerabilities, and the status of antivirus throughout the network. These policy statements relate to KRI0010, KRI0011, KRI0014, KRI0015, KRI0016, and KRI0019-22. Policy statements 14 - 17 report on the status of unsupported installed software and hosts with outdated operating systems. This group of policy statements satisfies the following KRIs: KRI0008, KRI0018, KRI0024, KRI0026, and KRI0027.

This ARC is available in the Tenable.sc feed, which is a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Executive category. The ARC requirements are as follows:

  • Tenable.sc 5.12.0
  • Nessus 8.7.1
  • Compliance Data

This ARC provides the organization with a clear and simplified method to identify and establish compliance with Annex 72 by CNBV. Tenable.sc enables the CISO to analyze data and identify the non-compliant KRIs. Through this process the CISO is able to complete the Fix and Measure steps of the Cyber Exposure Lifecycle. Tenable.sc is the on-prem solution for understanding the whole picture of the network, while keeping the data under the organization's control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

This ARC includes the following policy statements:

1. Secure Management: Fewer than 10% of network device audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of network device audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0003.

2. Secure Management: Fewer than 10% of server audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of server audits that failed CIS Benchmark standards. Any percentage higher than 10% should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0028.

3. Secure Management: Less than 5% of application audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of Application audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of compliance plugins. This matches up with KRI0025.

4. Secure Management: Less than 5% of servers are missing patches that have been available over 30 days - This policy statement identifies the percentage of servers that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of servers. This matches up with KRI0004.

5. Secure Management: Less than 3% of workstations are missing patches that have been available over 30 days - This policy statement identifies the percentage of workstations that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of workstations. This matches up with KRI0029.

6. Secure Management: Less than 3% of databases are missing patches that have been available over 30 days - This policy statement identifies the percentage of databases that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of databases. This matches up with KRI0030.

7. Vulnerability/Antimalware: No systems with critical (CVSS) vulnerabilities - This policy statement identifies any vulnerabilities with a CVSS score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0011.

8. Vulnerability/Antimalware: Less than 3% of IT hosts have External Connections - This policy statement identifies IT hosts that have any external connections. Compliance for this policy is less than 3% of hosts. This matches up with KRI0015.

9. Vulnerability/Antimalware: No systems with critical (VPR) vulnerabilities - This policy statement identifies any vulnerabilities with a VPR Score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0016.

10. Vulnerability/Antimalware: Less than 6% of servers don’t have antimalware - This policy statement identifies the percentage of servers that don’t have any detected antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0019.


11. Vulnerability/Antimalware: Less than 6% of servers have outdated antimalware - This policy statement identifies the percentage of servers that have an outdated antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0020.


12. Vulnerability/Antimalware: Less than 8% of workstations don't have antimalware - This policy statement identifies the percentage of workstations that don't have any detected antimalware. Compliance for this policy is less than 8% of workstations. This matches up with KRI0019.

13. Vulnerability/Antimalware: Less than 8% of workstations have outdated antimalware - This policy statement identifies the percentage of workstations that have outdated antimalware. Compliance for this policy is less than 8% of workstations. This matches up with KRI0022.


14. Obsolete/Unsupported: Less than 5% of Network devices have unsupported software versions - This policy statement identifies the percentage of network devices that have unsupported software versions. Compliance for this policy is less than 5% of network devices. This matches up with KRI0008.

15. Obsolete/Unsupported: Less than 5% of IT hosts have unsupported versions - This policy statement identifies the percentage of IT hosts that have unsupported software versions. Compliance for this policy is less than 5% of IT hosts. This matches up with KRI0018.

16. Obsolete/Unsupported: Less than 10% of servers have outdated operating system versions - This policy statement identifies the percentage of servers that have outdated operating system versions. Compliance for this policy is less than 10% of servers. This matches up with KRI0024.

17. Obsolete/Unsupported: Less than 10% of databases have outdated operating system versions - This policy statement identifies the percentage of databases that have outdated operating system versions. Compliance for this policy is less than 10% of databases. This matches up with KRI0026.
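To make the mechanics of the policy statements above concrete, here is an added example (not code from Tenable or from this ARC) that evaluates a subset of them over a constructed asset inventory. Each policy statement has a scope (the asset group a Dynamic Asset List would select), a failing condition, and a threshold that is either a maximum percentage or zero tolerance ("No Systems Matching the Policy"). The `Host` fields, the policy titles, and the sample inventory are assumptions for this example; only the KRI numbers and thresholds come from the page.

```python
"""Evaluate Annex 72 style policy statements over a constructed asset inventory."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Host:
    """One scanned asset. Field names are assumptions for this example."""
    name: str
    asset_type: str                          # "server", "workstation", "database", "network"
    max_cvss: float = 0.0                    # highest CVSS score among open findings
    max_vpr: float = 0.0                     # highest VPR score among open findings
    oldest_missing_patch_days: int = 0       # age of the oldest unapplied security patch
    antimalware: Optional[str] = "current"   # "current", "outdated", or None (none detected)
    unsupported_software: bool = False
    outdated_os: bool = False


@dataclass
class Policy:
    """A policy statement: title, KRI id, asset scope, failing condition, threshold."""
    title: str
    kri: str
    in_scope: Callable[[Host], bool]
    fails: Callable[[Host], bool]
    max_pct: Optional[float]   # None means "No Systems Matching the Policy"


def is_type(*types: str) -> Callable[[Host], bool]:
    """Scope filter standing in for a Dynamic Asset List keyed on asset type."""
    return lambda h: h.asset_type in types


# A subset of the ARC's policy statements, with thresholds as listed on the page.
POLICIES: List[Policy] = [
    Policy("Servers missing patches >30 days", "KRI0004", is_type("server"),
           lambda h: h.oldest_missing_patch_days > 30, 5.0),
    Policy("Workstations missing patches >30 days", "KRI0029", is_type("workstation"),
           lambda h: h.oldest_missing_patch_days > 30, 3.0),
    Policy("Systems with critical CVSS vulnerabilities", "KRI0011", lambda h: True,
           lambda h: h.max_cvss >= 9.0, None),
    Policy("Systems with critical VPR vulnerabilities", "KRI0016", lambda h: True,
           lambda h: h.max_vpr >= 9.0, None),
    Policy("Servers without antimalware", "KRI0019", is_type("server"),
           lambda h: h.antimalware is None, 6.0),
    Policy("Servers with outdated antimalware", "KRI0020", is_type("server"),
           lambda h: h.antimalware == "outdated", 6.0),
    Policy("Servers with outdated OS versions", "KRI0024", is_type("server"),
           lambda h: h.outdated_os, 10.0),
]


def evaluate(policy: Policy, hosts: List[Host]) -> Tuple[int, int, float, bool]:
    """Return (failing_count, in_scope_count, failing_pct, compliant) for one policy."""
    scope = [h for h in hosts if policy.in_scope(h)]
    failing = [h for h in scope if policy.fails(h)]
    pct = 100.0 * len(failing) / len(scope) if scope else 0.0
    if policy.max_pct is None:
        compliant = len(failing) == 0          # zero-tolerance statement
    else:
        compliant = pct < policy.max_pct       # "less than X%" statement
    return len(failing), len(scope), pct, compliant


def report(hosts: List[Host]) -> Dict[str, Tuple[int, int, float, bool]]:
    """Evaluate every policy and key the results by KRI id."""
    return {p.kri: evaluate(p, hosts) for p in POLICIES}


def constructed_inventory() -> List[Host]:
    """Constructed sample data for the example; not real scan output."""
    servers = [Host(f"srv{i:02d}", "server") for i in range(25)]
    servers[0].oldest_missing_patch_days = 45     # 1/25 = 4%, under the 5% threshold
    servers[1].antimalware = "outdated"           # 1/25 = 4%, under the 6% threshold
    servers[2].antimalware = None                 # 1/25 = 4%, under the 6% threshold
    for s in servers[3:6]:
        s.outdated_os = True                      # 3/25 = 12%, over the 10% threshold
    servers[6].max_cvss = 9.8                     # one critical finding breaks zero tolerance
    workstations = [Host(f"ws{i:02d}", "workstation") for i in range(50)]
    workstations[0].oldest_missing_patch_days = 60   # 2/50 = 4%, over the 3% threshold
    workstations[1].oldest_missing_patch_days = 31
    return servers + workstations


if __name__ == "__main__":
    for policy in POLICIES:
        failing, scope, pct, ok = evaluate(policy, constructed_inventory())
        status = "PASS" if ok else "FAIL"
        print(f"{status} {policy.kri} {policy.title}: {failing}/{scope} ({pct:.1f}%)")
```

Two details matter when reproducing this in a real ARC: the comparison is strict ("less than X%"), so a group sitting exactly on the threshold is non-compliant, and percentage statements are meaningless for an empty asset group, which is why an empty Dynamic Asset List should be treated as a data gap rather than a pass.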
