by Josef Weiss
July 22, 2021
The FIFA 2022 World Cup™ has a global audience, and presents complex security concerns across a large number of entities. The State of Qatar is addressing cybersecurity and privacy needs by providing entities with the Cybersecurity Framework. The Framework contains guidelines designed to mitigate risk and track processes for all entities involved in the 2022 World Cup. This report displays vulnerability and configuration assessment information that allows entities to fulfill the Framework’s standards, guidelines, and policies.
As outlined in section 2.2.5 of the Framework, personnel must be able to display an “Understanding of entity’s services, processes and controls environments.” The IT operations team uses this report to gain an understanding of the entity’s current cyber risk status, and to provide a view of any identified risk to other stakeholders. This report contains areas of focus which map directly to different sections of the Framework, to better illustrate adherence.
Tenable.sc consolidates and evaluates vulnerability data across the enterprise, prioritizing security risks. This vulnerability consolidation and evaluation provides entities with a concise method to fulfill the requirements of the Framework. The chapters of this report are designed to assist with different areas of IT and InfoSec operations. Managers can utilize this report as a starting point and use the chapter that is related to their specific needs. The chapters provide vulnerability details ranging from patch management to Operational Technology (OT). Within each chapter the vulnerability details and affected hosts for several areas of the Framework, provide the operations team with the ability to plan and execute on a concise and effective mitigation strategy.
Tenable.sc tracks the mitigation process for vulnerability data. Entities are able to use this tracking process to display success and quantify risk mitigation efforts, and how they conform to the Framework. Within the Framework, the entity is required to demonstrate mitigation efforts and activities in addition to risk and configuration management. Tenable.sc unifies vulnerability and configuration data collected throughout the Entity, providing a comprehensive interface and detailed operations reports to communicate the security posture to team members and executives alike. This report is available in the Tenable.sc Feed, a comprehensive collection of reports, Assurance Report Cards, and assets. The report is located in the Tenable.sc Feed under the category Compliance & Configuration Assessments.
The report requirements are:
- Tenable.sc 5.15.0
- Nessus 8.11.1
Managing compliance with Qatar 2022 Cybersecurity Framework grows more complex with each newly discovered vulnerability and new requirement. The State of Qatar requires Entities and business partners to conform to the Framework. Tenable.sc enables risk managers to divert to areas needing attention and reduce the time needed to keep the auditors satisfied. To assist with compliance, Tenable.sc has the ability to monitor configuration compliance with pre-defined checks against industry standards and regulatory mandates including NIA, ISO 27000, PCI and the Qatar 2022 Cybersecurity Framework.
This report contains the following chapters:
- Executive Summary - The Executive Summary provides an overview of scan frequency and vulnerabilities over time, vulnerability trending using Tenables Vulnerability Priority Rating (VPR) , and a compliance summary of well-known controls.
- Data Protection - Data Protection focuses on preventative measures that data in motion is effectively secured to prevent data loss.
- Change and Patch Management - Change and Patch Management focuses on preventative measures that ensure any asset affecting changes are securely deployed.
- Network Security - Network Security focuses on protecting network and infrastructure systems.
- Endpoint Summary - Endpoint Security focuses on protecting all endpoints such as servers, desktops, laptops, wireless devices, mobile devices and other devices from cyber threats.
- Web Application Security Flaws - Application Security focuses on reducing risk within applications, thereby decreasing the likelihood of successful exploitation.
- Operations Technology and Security Monitoring - Operations Technology Security Monitoring focuses on mission critical systems that make up critical infrastructure operations such as water, oil, gas and electricity.