Adam Brand, Senior Manager - PCI QSA, Protiviti
Too many organizations have their administrators running on the Patching Wheel of Death. PCI DSS says all vendor critical patches must be installed within 30 days, right? Wrong. Looking more closely at the PCI standard shows that it actually mandates a risk-based approach to patching.
In this presentation, an experienced PCI QSA discusses how organizations that patch frequently and rely solely on vulnerability scanner or vendor recommendations are actually less PCI compliant. The wasted time spent on unnecessary patching could be better spent on more important ongoing compliance activities and long term fixes. An alternative approach is presented, showing how even applying simple contextual criteria when evaluating patches (in accordance with PCI DSS recommendations) can eliminate over 50% of monthly patch installations.