| Testing Procedure | How Sheriff CSM Delivers | Sheriff CSM Instructions | Sheriff CSM Documentation |
| --- | --- | --- | --- |
| 6.2.b For a sample of system components and related software, compare the list of security patches installed on each system to the most recent vendor security-patch list, to verify the following: • That applicable critical vendor-supplied security patches are installed within one month of release. • All applicable vendor-supplied security patches are installed within an appropriate time frame (for example, within three months). | The Vulnerability Scan in Sheriff CSM can inventory patches and report those that are missing. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: | Creating a Custom Scan Profile |
| | | Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans |
| | | Export successful scan results and identify findings to determine whether the system is configured correctly. | Viewing the Scan Results |
| 6.4.5.3.b For custom code changes, verify that all updates are tested for compliance with PCI DSS Requirement 6.5 before being deployed into production. | The Vulnerability Scan in Sheriff CSM provides Web application testing tools. | Create a custom scan profile, and in the "Autoenable plugins option", select the "Autoenable by family" option. Then enable the following checks in the scanning profile for the target host: | Creating a Custom Scan Profile |
| | | Run a Vulnerability Scan using the custom scan profile that was created. | Performing Vulnerability Scans |
| | | Export successful scan results and identify findings to determine whether the system is configured correctly. | Viewing the Scan Results |