2 followers Follow

Questions/comments on Mapping

Hi There,

I have some questions/concerns over some of the mappings for some of the controls in the UCF...

For instance PCI requirement 6.1 is mapped to UCF controls

12135 - Subscribe to a vulnerability intelligence service - yes, the words say this, 

06446 - Establish and maintain risk assessment procedures - which in no way matches any other requirement in the control

11940 - Rank discovered vulnerabilities - which is under perform vulnerability scans, not checking outside sources, so this is the wrong control, which raises questions on UCF11857 - shouldn't this be under UCF control 0885 - Establish and Maintain a system preventative maintenance program, which strangely is the intent of the PCI requirement 6.1, even though the words may not match...


For PCI requirement 6.2 you have the control mapped to 

07032 - Deploy software patches - The words are there, but there are some key pieces missing.  This should maybe sit at a higher level, say 00896 - Establish and Maintain a patch management program, which is hanging awkwardly between two controls dealing with changes...  Maybe this requirement should also live under 0885, as patching is a main part of preventative maintenance...

My 2cents...  Though it is frustrating trying to tie like controls together in some semblance of order when your control list is making it more difficult!

Jodi Church

Official comment


The AD In Depth report shows how the citations are broken down into mandates. There are only two mandates associated with this citation, not three like you mentioned. I am going off of version 3.2.  The first mandate is to "assign a risk ranking to the discovered vulnerabilities." which would map to control 11940 (Rank discovered vulnerabilities.) The second mandate is "Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information." which is mapped to control 12135 (Subscribe to a threat intelligence service to receive notification of emerging threats.)  These are the correct mappings for what the citation says.  I am not sure where you got the third mandate from.  As for the placement, you would conduct a vulnerability scan in order to identify vulnerabilities and then rank those. This has nothing to do with checking with outside sources. That is a completely different mandate.

Control 07032 sits under 00896, because installing patches is a part of the patch management program. It cannot sit at the same level as that, then there would not be a hierarchy. We put patching under the change management process. although it could possibly be with preventative maintenance.

We are currently in the process of conducting a review of our entire hierarchy. While looking at the placement of controls, we will take your comments into consideration.

Thank you.


Damaris Iglesias

Please sign in to leave a comment.

1 comment