One requirement in particular, PCI Requirement PCI Requirement There are two conditions as to whether or not PCI Requirement If both of these apply to you, all segmentation controls that are in place for the purpose of PCI scope reduction must be tested every 6 months or after any changes to segmentation controls or methods.
Think of your CDE as the center of a circle, with a protective, second circle surrounding it. This second circle is your supporting environment. This could include domain controllers, patch management systems, network and log monitoring systems and other similar devices that perform critical functions for systems located within the CDE.
For any CCW, it is a problem because you need to test all of the controls you are using to compensate for not being able to comply with a requirement and prove they are functioning as designed. In a lot of cases, those controls are going to be new controls and will take time to implement and then test. As a QSA, I would really like to help you. But as the old adage goes, poor planning on your part does not create an emergency on my part. Unfortunately, clients never see it that way when they are trying to hit a deadline, but it is still true.
Recently, it was adapted to require both a vulnerability scan and a pen test. Pen tests must be performed at least once annually, and every six months for service providers. Examine the results from the most recent penetration test to verify that: