
11 Test Security of Systems and Networks Regularly


15 requirements under Requirement 11, Test Security of Systems and Networks Regularly

11.1.1 All security policies and operational procedures that are identified in Requirement 11 are: Documented.
11.1.2 Roles and responsibilities for performing activities in Requirement 11 are documented, assigned, and understood.
11.2.1 Authorized and unauthorized wireless access points are managed as follows: the presence of wireless (Wi-Fi) access points is tested for; all authorized and unauthorized wireless access points are detected and identified; testing, detection, and identification occurs at least once every three months.
11.3.1 Internal vulnerability scans are performed as follows: at least once every three months.
11.3.2 External vulnerability scans are performed as follows: at least once every three months.
11.4.1 A penetration testing methodology is defined, documented, and implemented by the entity, and includes: industry-accepted penetration testing approaches.
11.4.2 Internal penetration testing is performed: per the entity’s defined methodology; at least once every 12 months; after any significant infrastructure or application upgrade or change; by a qualified internal resource or qualified external third party; organizational independence of the tester exists (not required to be a QSA or ASV).
11.4.3 External penetration testing is performed: per the entity’s defined methodology; at least once every 12 months; after any significant infrastructure or application upgrade or change; by a qualified internal resource or qualified external third party; organizational independence of the tester exists (not required to be a QSA or ASV).
11.4.4 Exploitable vulnerabilities and security weaknesses found during penetration testing are corrected as follows: in accordance with the entity’s assessment of the risk posed by the security issue as defined in Requirement 6.
11.4.5 If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: at least once every 12 months and after any changes to segmentation controls/methods; covering all segmentation controls/methods in use.
11.4.6 Additional requirement for service providers only: If segmentation is used to isolate the CDE from other networks, penetration tests are performed on segmentation controls as follows: at least once every six months and after any changes to segmentation controls/methods.
11.4.7 Additional requirement for third-party hosted/cloud service providers only: Third-party hosted/cloud service providers support their customers for external penetration testing per Requirement 11.
11.5.1 Intrusion-detection and/or intrusion-prevention techniques are used to detect and/or prevent intrusions into the network as follows: all traffic is monitored at the perimeter of the CDE.
11.5.2 A change-detection mechanism (for example, file integrity monitoring tools) is deployed as follows: to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical files; to perform critical file comparisons at least once weekly.
11.6.1 A change- and tamper-detection mechanism is deployed as follows: to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) to the security-impacting HTTP headers and the script contents of payment pages as received by the consumer browser.