
Tracking CNBV Annex 72 KRI Compliance

by Cesar Navas
July 9, 2020

This Assurance Report Card (ARC) pulls together several key groupings, based on asset type and risk level, to help the CISO understand the current state of the vulnerability management program.

The National Banking and Securities Commission (CNBV) Annex 72 is a collection of 30 Key Risk Indicators (KRIs) that establish compliance standards for financial institutions operating in Mexico. The KRIs cover several topics, such as secure management, vulnerability management, anti-malware, and obsolete or outdated software. Tenable.sc provides passive and active detection methods that correlate vulnerability data with those KRIs. All financial institutions in Mexico must be prepared to disclose all KRIs to CNBV auditors when requested.

This ARC provides the CISO with an easy-to-understand view of the state of their environment. The security policies provide the percentages and system counts by using Dynamic Asset Lists to group assets together for a comparative analysis. The first six policy statements relate to Secure Management and are directly tied to KRI0003, KRI0004, KRI0025, KRI0028, KRI0029, and KRI0030. By tracking, showing, and grouping the failed audit results by asset type (workstations, servers, etc.), the CISO is able to meet the CNBV's requirements for the related KRIs and measure the organization's compliance.

As required by CNBV's Annex 72, financial institutions should maintain counts of critical and high vulnerabilities and track antivirus software status. Policy statements 7 - 13 provide the CISO with the current status of critical and high vulnerabilities and the status of antivirus throughout the network. These policy statements relate to KRI0010, KRI0011, KRI0014, KRI0015, KRI0016, and KRI0019 through KRI0022. Policy statements 14 - 17 report on the status of unsupported installed software and hosts with outdated operating systems. This group of policy statements satisfies the following KRIs: KRI0008, KRI0018, KRI0024, KRI0026, and KRI0027.

This ARC is available in the Tenable.sc feed, which is a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc feed under the Executive category. The ARC requirements are as follows:

  • Tenable.sc 5.12.0
  • Nessus 8.7.1
  • Compliance Data

This ARC provides the organization with a clear and simplified method to identify and establish compliance with CNBV's Annex 72. Tenable.sc enables the CISO to analyze data and identify the non-compliant KRIs. Through this process the CISO is able to complete the Fix and Measure steps of the Cyber Exposure Lifecycle. Tenable.sc is the on-premises solution for understanding the whole picture of the network while keeping the data under the organization's control. Built on leading Nessus technology, Tenable.sc discovers unknown assets and vulnerabilities, and monitors unexpected network changes before they turn into breaches.

This ARC includes the following policy statements:

1. Secure Management: Fewer than 10% of network device audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of network device audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0003.

2. Secure Management: Fewer than 10% of server audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of server audits that failed CIS Benchmark standards. Any percentage higher than 10% should be investigated and fixed. Compliance for this policy is fewer than 10% of compliance plugins. This matches up with KRI0028.

3. Secure Management: Less than 5% of application audits do not meet CIS Benchmark standards - This policy statement identifies the percentage of Application audits that failed CIS Benchmark standards. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of compliance plugins. This matches up with KRI0025.

4. Secure Management: Less than 5% of servers are missing patches that have been available over 30 days - This policy statement identifies the percentage of servers that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 5% of servers. This matches up with KRI0004.

5. Secure Management: Less than 3% of workstations are missing patches that have been available over 30 days - This policy statement identifies the percentage of workstations that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of workstations. This matches up with KRI0029.

6. Secure Management: Less than 3% of databases are missing patches that have been available over 30 days - This policy statement identifies the percentage of databases that are missing security patches which have been available for over 30 days. Any percentage higher than 0 should be investigated and fixed. Compliance for this policy is fewer than 3% of databases. This matches up with KRI0030.

7. Vulnerability/Antimalware: No systems with critical (CVSS) vulnerabilities - This policy statement identifies any vulnerabilities with a CVSS score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0011.

8. Vulnerability/Antimalware: Less than 3% of IT hosts have External Connections - This policy statement identifies IT hosts that have any external connections. Compliance for this policy is less than 3% of hosts. This matches up with KRI0015.

9. Vulnerability/Antimalware: No systems with critical (VPR) vulnerabilities - This policy statement identifies any vulnerabilities with a VPR Score of 9-10. Compliance for this policy is No Systems Matching the Policy. This matches up with KRI0016.

10. Vulnerability/Antimalware: Less than 6% of servers don’t have antimalware - This policy statement identifies the percentage of servers that don’t have any detected antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0019.

11. Vulnerability/Antimalware: Less than 6% of servers have outdated antimalware - This policy statement identifies the percentage of servers that have outdated antimalware. Compliance for this policy is less than 6% of servers. This matches up with KRI0020.

12. Vulnerability/Antimalware: Less than 8% of workstations don't have antimalware - This policy statement identifies the percentage of workstations that don't have any detected antimalware. Compliance for this policy is less than 8% of workstations. This matches up with KRI0019.

13. Vulnerability/Antimalware: Less than 8% of workstations have outdated antimalware - This policy statement identifies the percentage of workstations that have outdated antimalware. Compliance for this policy is less than 8% of workstations. This matches up with KRI0022.

14. Obsolete/Unsupported: Less than 5% of Network devices have unsupported software versions - This policy statement identifies the percentage of network devices that have unsupported software versions. Compliance for this policy is less than 5% of network devices. This matches up with KRI0008.

15. Obsolete/Unsupported: Less than 5% of IT hosts have unsupported versions - This policy statement identifies the percentage of IT hosts that have unsupported software versions. Compliance for this policy is less than 5% of IT hosts. This matches up with KRI0018.

16. Obsolete/Unsupported: Less than 10% of servers have outdated operating system versions - This policy statement identifies the percentage of servers that have outdated operating system versions. Compliance for this policy is less than 10% of servers. This matches up with KRI0024.

17. Obsolete/Unsupported: Less than 10% of databases have outdated operating system versions - This policy statement identifies the percentage of databases that have outdated operating system versions. Compliance for this policy is less than 10% of databases. This matches up with KRI0026.
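To make the two kinds of policy statement above concrete (percentage thresholds evaluated per Dynamic Asset List, and absolute "No Systems Matching the Policy" statements evaluated across every host), here is an added Python example that scores a subset of them against a constructed inventory. It is not Tenable's ARC logic or the Tenable.sc API; the Host and Policy classes, their field names, and the sample hosts are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional

@dataclass
class Host:
    name: str
    asset_type: str                  # "server", "workstation", "database", ...
    max_cvss: float = 0.0            # highest CVSS score detected on the host
    oldest_missing_patch: Optional[date] = None  # release date of the oldest missing patch
    antimalware: str = "current"     # "current", "outdated" or "none"

@dataclass
class Policy:
    statement: str
    kri: str
    asset_type: Optional[str]        # None: evaluated against every host
    matches: Callable[[Host, date], bool]  # True when the host counts against the policy
    max_percent: Optional[float]     # None: "No Systems Matching the Policy"

def patch_overdue(h, today, days=30):
    return h.oldest_missing_patch is not None and (today - h.oldest_missing_patch).days > days

POLICIES = [  # subset of the ARC statements above, with the thresholds the page gives
    Policy("4. Servers missing patches available > 30 days", "KRI0004", "server", patch_overdue, 5),
    Policy("5. Workstations missing patches available > 30 days", "KRI0029", "workstation", patch_overdue, 3),
    Policy("7. Systems with critical (CVSS 9-10) vulnerabilities", "KRI0011", None, lambda h, _: h.max_cvss >= 9.0, None),
    Policy("10. Servers without antimalware", "KRI0019", "server", lambda h, _: h.antimalware == "none", 6),
    Policy("13. Workstations with outdated antimalware", "KRI0022", "workstation", lambda h, _: h.antimalware == "outdated", 8),
]

def evaluate(policy, hosts, today):
    group = [h for h in hosts if policy.asset_type in (None, h.asset_type)]
    if not group:  # empty Dynamic Asset List: avoid a divide-by-zero and never report a pass the data cannot support
        return {"kri": policy.kri, "percent": None, "hits": [], "compliant": None}
    hits = [h.name for h in group if policy.matches(h, today)]
    percent = round(100.0 * len(hits) / len(group), 1)
    # Absolute statements allow zero matching systems; the others use the page's "fewer/less than" wording.
    compliant = not hits if policy.max_percent is None else percent < policy.max_percent
    return {"kri": policy.kri, "percent": percent, "hits": hits, "compliant": compliant}

TODAY = date(2020, 7, 9)  # the hosts below are a constructed sample inventory, not real scan data
HOSTS = [
    Host("srv-01", "server", max_cvss=9.8, oldest_missing_patch=TODAY - timedelta(days=45)),
    Host("srv-02", "server", max_cvss=7.5, antimalware="none"),
    Host("srv-03", "server", max_cvss=5.0, oldest_missing_patch=TODAY - timedelta(days=10)),
    Host("ws-01", "workstation", max_cvss=4.0, antimalware="outdated"),
    Host("ws-02", "workstation", max_cvss=6.5, oldest_missing_patch=TODAY - timedelta(days=20)),
]
```

Running `evaluate(p, HOSTS, TODAY)` for each entry in `POLICIES` shows srv-01 failing both the 30-day patch statement (33.3% of servers) and the absolute critical-CVSS statement, while a policy whose asset group is empty returns `compliant: None` rather than a silent pass.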
