Nucleus to PCI ASV Executive Report Mapping

  • Updated
Follow

This article will tell you all the pieces of a PCI ASV report and where that information comes from in Nucleus.

We recommend reading the PCI ASV Reports support document first if you have not already. Many of these fields are populated based on the actions you take within Nucleus. 

Executive Report Fields

Scan Customer Information

This comes from the client's organization information from Step 1 of the PCI report workflow. Change this by editing the Organization Information for that client. 

Approved Scanning Vendor Information

This comes from the Master Org Information from Step 1 of the PCI Report Workflow. Edit this by editing your organization's details. 

Scan Status

  • Date Scan Completed - Calculated automatically based on the latest scan date for each in-scope asset. The earliest latest scan date is used
  • Scan Expiration Date - Automatically calculated to be 90 days after the "Date Scan Completed" Field
  • Compliance Status - Marked as failed if any in-scope assets have a medium severity vulnerability or higher present
  • Scan Report Type - Static field
  • Number of Unique in-scope components scanned - Automatically calculated based on vuln scan results
  • Number of identified failing vulnerabilities - Automatically calculated based on vuln scan results
  • Out of Scope # of Components - Calculated based on the number of assets in the Nucleus project with the "Compliance Scope" attribute marked as "No".
  • Scan Customer Attestation - Pre-Filled out paragraph which populates its fields based on the Organization data from step 1 of the PCI workflow
  • ASV Attestation - Pre-filled out paragraph that populates based on the Master Organization data from Step 1 of the PCI workflow

Part 1 Scan Information

Populated automatically based on Org Data.

  • Component Compliance Summary - List of assets and their compliance status based on whether or not the asset has a medium severity vuln or higher. Automatically calculated based on the latest vulnerability findings (includes changes made by assessors)
  • Vulnerabilities Noted for Each Component - List of each component and all the vulnerabilities that affect that component
    • Component - The asset affected by the vulnerability
    • Vulnerabilities noted - Each vulnerability found on the asset
    • Severity Level - Automatically pulled from the Nucleus project
    • CVSS Score - Pulled from the Nucleus project (if CVSS Score exists)
    • Compliance Status - All Failed for that vulnerability unless a status change has been made by the assessor when doing the vulnerability analysis (False Positive would change this field to a pass, for example)
    • Exceptions - This is populated from the status, and comments on each finding for an asset in Nucleus. The vulnerability details page is where the assessor does this analysis, and those changes show up here. 
  • Special Notes By IP Address - This is where the assessor adds custom findings to the assessment. This is populated from the vulnerability list in Nucleus based on findings which are PCI enabled (refer to step 4 of the PCI workflow for more information).
    • Component - The asset affected by the vulnerability
    • Special Note - This is the name of the custom finding which was added to an asset in Step 4 of the PCI workflow.
    • Item Noted - This is the Port on which the Custom Finding affects the asset
    • Scan Customer Description - Populated from the comments on the custom findings
  • Special Notes - Full Text - Any PCI-enabled custom findings which showed up on an asset will show up here with the full description. The Description of the custom finding will populate in this area.
  • Scope Submitted by Scan Customer for Discovery - This list is populated based on all the assets in the project. You can see this list on the "Assets > All Assets" page. 
  • In-Scope Components - This list is populated based on the assets marked as Compliance Scope > Yes on the "All Assets" page.
  • Out of Scope Components -  This list is populated based on the assets marked as Compliance Scope > No on the "All Assets" page.

 

Those are all the relevant fields in the PCI Executive report. If you have questions, please submit requests to your Nucleus support representative!

Comments

0 comments

Please sign in to leave a comment.