The end of November saw some minor updates to the official PSN Health Check (ITHC) supporting guidance. This was a minor makeover consisting of clarification on the need to scan for outdated third-party applications. This is normally performed using an authenticated vulnerability scan, which uses either client-supplied credentials or credentials obtained via exploitation and privilege escalation to read files and registry entries on devices, and compares installed and configured software against a database of known outdated and vulnerable applications. Once again, the 10% cross-sectional allowance for the internal aspect of the PSN health check is confirmed, although this does not apply to the external stage of the assessment.
Increasingly, poor-quality health check reports are being rejected by the assessors, who are looking to check that realistic scopes and industry-standard vulnerability scoring methods are being used. As with many compliance efforts, PSN Health Checks are designed to create a minimum standard, not the de facto standard, and attention is increasingly being placed on organisations that are scoping for a quick win, as opposed to scoping for a realistic assessment.
Sec-Tec’s current PSN Health Check report acceptance rate is 100%.