How banks use Qualys to meet regulatory requirements (PCI DSS, ISO 27001, NBU)
In today's financial world, regulatory compliance is not only a legal requirement but also a vital part of protecting a banking institution's reputation, customer trust, and overall cyber resilience. Given the growing number of cyber threats, the expansion of digital services, and mounting regulatory pressure, banks must implement robust IT risk management strategies. Against this backdrop, tools such as Qualys deserve special attention. Qualys is a platform that allows for the practical implementation of vulnerability monitoring, automated system scanning, auditing, and compliance with security standards. Banking cybersecurity requires a proactive approach to risk management.
Overview of PCI DSS, ISO 27001 and NBU regulations
All financial institutions in Ukraine must comply with a number of regulations setting out requirements for information security, cyber risk mitigation, access control and continuous monitoring. The most important of these are the international standards PCI DSS and ISO 27001, as well as the National Bank of Ukraine's regulations (in particular Resolutions No. 95 and No. 178).
PCI DSS: protection of payment card data
PCI DSS (Payment Card Industry Data Security Standard) is an industry security standard that is mandatory for all organisations that store, process or transmit payment card data. Its main goal is to prevent the compromise of payment data.
In the updated version 4.0, the standard focuses on:
- Authenticated vulnerability scanning (internal and external).
- A risk-based approach to determining the frequency of testing and implementing security measures.
- Classification of assets to ensure proper control depending on the level of risk.
- Monitoring file integrity and logging changes to critical systems.
- Managing privileged accounts and ensuring password complexity.
- Developing secure software, including vulnerability assessments for customised solutions.
In general, the PCI DSS standard requires banks to develop security infrastructures based on continuous monitoring, transparent access to data, and systematic risk management.
ISO 27001: the information security management system standard
ISO/IEC 27001 is an international standard that sets out the requirements for designing, implementing, maintaining and continuously improving an information security management system (ISMS). It provides a universal framework for implementing policies, processes, and technical controls to ensure the integrity, confidentiality, and availability of information.
Key requirements of ISO 27001:
- Analysing information risks and determining appropriate control measures.
- Granting access to information assets based on the principle of least privilege.
- Managing incidents and responding to them rapidly.
- Controlling changes to systems, settings and infrastructure.
- Monitoring security continuously through audits, testing and automated tools.
- Evaluating suppliers and controlling the processing of confidential information by third parties.
- Reviewing security measures and compliance with policies regularly and internally.
ISO 27001's distinctive feature is its strategic approach to information security, integrating technical solutions with corporate policies, legal aspects, and management processes.
NBU Resolutions No. 95 and No. 178: requirements for Ukrainian banks
In Ukraine, the NBU is the key regulator that sets cybersecurity requirements for the banking system. Resolution No. 95, 'On Approval of the Regulation on Organisation of Measures to Ensure Information Security in the Banking System of Ukraine', and Resolution No. 178, 'On Approval of the Regulation on Organisation of Cyber Defence in the Banking System of Ukraine and Amendments to the Regulation on Identification of Critical Infrastructure Objects in the Banking System of Ukraine', are binding on all licensed banks. The NBU requires cybersecurity to be systematically integrated into a bank's risk management and digital infrastructure.
The main provisions of these documents include:
- Ensuring the cyber resilience of the banking infrastructure.
- Identifying those responsible for IT security and appointing a separate security unit.
- Logging and storing information security events and ensuring their integrity.
- Managing vulnerabilities, including regular scanning, risk prioritisation and patch management.
- Assessing, categorising and documenting information security risks.
- Taking an inventory of IT assets and considering the importance of each asset.
- Periodically auditing security systems and preparing for NBU inspections.
- Developing backup and incident response policies.
The NBU's regulatory requirements are specially tailored to the Ukrainian market. They take into account current threats and focus on the practical implementation of security measures in banks of various sizes.
The common goal of all these standards and regulations is to strengthen the protection of confidential data, reduce cyber risks in the banking sector, and ensure transparent security controls. In order to meet these requirements, organisations must implement comprehensive solutions that cover the technical and procedural aspects of IT security.
What is Qualys, and how does it help banks?
The Qualys Enterprise TruRisk Platform is an integrated, cloud-based platform that provides comprehensive cyber risk management across an organisation's entire IT infrastructure. It enables you to measure, communicate and remediate risks based on data from your entire attack surface and the business context of your assets.
- Risk measurement. The platform creates a single, updated register of all IT assets, taking into account their importance and vulnerabilities. TruRisk aggregates risk data from a variety of sources, including information about vulnerabilities and configuration errors, as well as the detection of outdated software or missing agents. This provides a comprehensive view of cyber risk from both inside and outside the corporate environment.
- Risk communication. The system provides CISOs with dynamic dashboards for visualising and analysing risks in a business context, as well as automated reports for individual departments and integration with the CMDB. This enables security and IT teams to synchronise their priorities and identify critical issues affecting the business promptly.
- Risk remediation. Thanks to its risk prioritisation mechanisms based on business impact, the platform enables you to eliminate critical vulnerabilities with maximum efficiency. By using adaptive patching, automated workflows and intelligent prioritisation, an organisation can reduce the number of critical risks by 85% and cut incident resolution time by 60%.
Platform capabilities:
- Risk-based vulnerability management.
- Asset inventory based on business importance.
- Monitoring of policies and compliance against over 100 international and industry standards.
- Integration with other security solutions for a comprehensive risk overview.
- Automated audit processes and readiness for inspections at any time.
The platform provides centralised control over cyber risks and helps coordinate actions between different teams, creating conditions for proactive security management in real time.
The platform combines several modules:
Qualys Vulnerability Management, Detection and Response (VMDR). VMDR is a modern solution for assessing, prioritising and remediating cyber risks across the entire digital infrastructure. The system provides:
- Accurate risk measurement based on real-world threat context, using information from over 25 up-to-date cyber threat sources.
- Identification of all assets, including those that traditional tools may overlook, to help you spot hidden vulnerabilities before attackers exploit them.
- Prioritisation of vulnerabilities by criticality, using a risk assessment that considers business context and mapping to MITRE ATT&CK®.
- Automated response through integrated patching scripts, ticketing in ITSM systems (e.g. ServiceNow or Jira) or other threat remediation mechanisms.
- Comprehensive reporting that gives management a clear picture of the current security posture and risk mitigation dynamics.
This solution enables you to scan your environment, manage risks and identify and eliminate critical vulnerabilities before they cause incidents.
Qualys Policy Compliance is a centralised solution that assesses the compliance of IT infrastructure configurations with international standards and regulations such as PCI DSS 4.0, ISO/IEC 27001, GDPR, HIPAA, DORA, FINRA, NIST and CCPA. The system enables you to automate the verification of security settings, detect deviations from approved policies, and mitigate the risks associated with misconfigured assets. Main features:
- Automated configuration assessment: checks operating system (OS) settings, network devices, databases and applications against over 20,000 benchmarks.
- Audit readiness: supports over 900 preconfigured policies and over 100 regulatory requirements, accelerating audit preparation.
- Interactive policy creation: lets you edit or create custom policies in the web interface without programming knowledge.
- Analytics and reporting: build dynamic dashboards, track compliance across assets and technologies, and generate reports for different company roles.
- Exception management: control exceptions through a documented approval process to ensure transparency and compliance during audits.
- Improved security: MITRE ATT&CK® coverage increased to 86%, with IT infrastructure hardening improved to almost 80%.
- Integration with vulnerability management systems: combines technical compliance with an organisation's overall cyber risk profile.
This module helps businesses to maintain an ongoing state of compliance by enabling them to quickly detect policy violations and resolve critical configuration errors before they escalate into serious incidents. It also facilitates effective communication of compliance levels within the organisation and to auditors.
IT Asset Management is a comprehensive module that provides complete inventory, categorisation and control of all IT assets, wherever they are located — in the cloud, data centres, mobile devices, containers, OT or IoT environments. Key features:
- Continuous, real-time asset discovery: automatically scans for and detects known and unknown devices connecting to the network using agents, scanners and passive monitoring.
- Centralised asset registry: provides a single source of reliable information for IT, security and compliance teams, eliminating duplication, discrepancies and inventory errors.
- Automatic data normalisation: converts raw data into standardised formats with unified manufacturer, model and software names.
- In-depth asset metadata: collects detailed information about hardware, installed software, firmware versions, licences, software lifecycle, open ports, running services, and so on.
- Powerful search and filtering: instantly search for assets using any parameter (for example, 'all Windows 10 laptops in the Boston office').
- Custom tagging: create a flexible structure of categories and labels to manage large numbers of assets.
- Fully cloud-based: easy to deploy and supports millions of assets worldwide.
- Blind-spot identification: identifies up to 60% of unknown or uninventoried devices that are not covered by current security or compliance programmes.
- Readiness for expansion: integrates with the CMDB and the CyberSecurity Asset Management module to assess the security and compliance status of each asset.
This module gives organisations complete visibility of their entire IT landscape. It eliminates blind spots and reduces the risks associated with unknown assets. It also helps organisations build a strong foundation for cybersecurity and regulatory compliance programmes.
Patch Management is a module that can be used to centrally detect, evaluate, prioritise and automatically install security updates (patches) for all major operating systems: Windows, Linux and macOS. Main features:
- Process automation: Automatically detect and deploy available updates as they become available.
- Integration with VMDR: Full integration with Qualys VMDR to prioritise the closure of critical vulnerabilities based on TruRisk™.
- Versatility: Supports the installation of Microsoft and non-Microsoft updates on Windows, as well as Linux and macOS updates, all through a single platform.
- Flexible scheduling: Create and run automated jobs to update assets according to the operating system — separately for Windows, Linux, and Mac.
- Transparency and control: gain instant visibility into available updates, their installation status and asset security.
This module significantly reduces the time taken to respond to vulnerabilities, increases the security of the IT infrastructure and mitigates the risks associated with delayed system updates.
The Qualys Enterprise TruRisk Platform offers comprehensive, real-time cyber risk management, creating a centralised control centre for the bank's IT infrastructure. By continuously identifying and assessing the importance and security status of assets, the system enables you to create an up-to-date asset register and gain an overview of cyber threats. Integrated dashboards, automated audits and contextualised reporting enable effective risk communication at all levels of the organisation, from technical specialists to top management.
The platform helps banks to identify critical vulnerabilities and promptly remediate them through automated patch management, ITSM system integration, centralised policy control and compliance with over 100 international standards, including PCI DSS, ISO/IEC 27001, DORA and GDPR. This significantly enhances the bank's cyber resilience, reduces threat response time and ensures constant readiness for regulatory inspections.
Qualys and PCI DSS: automating compliance
The new PCI DSS 4.0 standard imposes stricter security requirements on payment systems. Banks are required to protect payment card data and to:
- perform authenticated internal scans and external checks through Approved Scanning Vendors (ASVs);
- control access to files and privileged accounts;
- detect unauthorised configuration changes in real time;
- assess the risks of custom software and use cloud security practices;
- perform regular checks on passwords and access policies.
With the Qualys Enterprise TruRisk Platform and its components (VMDR, Policy Compliance, Patch Management and FIM), banks can:
- Automate PCI DSS 4.0 compliance for all key requirements through a single platform and agent.
- Conduct authenticated internal scans and external ASV audits that meet the requirements of section 11.3.2.1.
- Identify vulnerabilities, assess risks and prioritise remediation based on TruRisk Score (requirements 6.3.1, 6.3.3).
- Monitor changes in systems in real time through File Integrity Monitoring (requirements 10.2.1.1, 1.2.2.c).
- Ensure compliance with privileged access policies through Policy Compliance (requirements 7.2.4, 7.2.5, 8.3.6, 8.6.3).
- Evaluate cloud infrastructure and monitor the security of containerised environments through TotalCloud (requirements 1, 6).
- Prepare for audits and generate reports under all provisions of the PCI DSS 4.0 standard using built-in templates, policies, and SAQ questionnaires.
Case study: Banco PAN is a rapidly expanding Brazilian bank that has grown through acquisitions. It reduced its attack surface by leveraging the Qualys Enterprise TruRisk platform. By deploying Qualys VMDR with ServiceNow integration, the bank automated its vulnerability management processes, including detection, prioritisation, remediation and reporting. This enabled Banco PAN to reduce the number of vulnerabilities on workstations by 95% and on servers by 51%, lighten the security team's workload, and achieve 70% remediation of critical vulnerabilities within 30 days. This helps the bank to meet SLAs and significantly reduces the risk of cyberattacks.
Qualys and ISO 27001 compliance: monitoring and controlling security policies
ISO/IEC 27001:2022 is an international standard that sets out the requirements for an information security management system (ISMS), covering legal, technical and organisational controls. To maintain compliance, banks must ensure the continuous monitoring and control of processes relating to risks to information assets.
The Qualys Enterprise TruRisk platform enables you to implement the key principles of ISO/IEC 27001, as well as the related ISO standards 27017 (Cloud Security) and 27018 (Personal Data Protection in the Cloud).
- Access control: Policy Compliance (PC) enables regular checking of access policies, logging of privileged activities, and detection of unauthorised accounts.
- Asset management: CyberSecurity Asset Management (CSAM) provides a complete accounting of all IT assets, including classification by criticality and business context.
- Change auditing: File Integrity Monitoring (FIM) detects changes to configuration files, system settings, and network devices in real time.
- Security policy monitoring: Policy Compliance and VMDR detect deviations from regulatory policies and from ISO/IEC 27001, 27017 and 27018 requirements.
- Reporting and centralised auditing: built-in templates, checklists, and SAQs make it easy to prepare for annual audits and demonstrate compliance.
Banks can have additional confidence in the reliability of the Qualys platform thanks to its ISO/IEC 27001:2013, 27017:2015 and 27018:2019 certifications. These certifications help Qualys to maintain its standards and respond quickly to infrastructure changes, as well as proactively identify cyber risks.
Qualys and NBU requirements
The National Bank of Ukraine (NBU) sets clear information security requirements for the banking system, particularly in Resolutions No. 95 dated 28 September 2017 (On Approval of the Regulation on Organisation of Measures to Ensure Information Security in the Banking System of Ukraine) and No. 178 dated 12 August 2022 (On Approval of the Regulation on Organisation of Cyber Defence in the Banking System of Ukraine and Amendments to the Regulation on Identification of Critical Infrastructure Objects in the Banking System of Ukraine). These documents oblige banks to implement technological solutions that ensure:
- Ongoing vulnerability monitoring and patch management. Banks are required to conduct regular vulnerability analyses and test and implement software updates to address any vulnerabilities identified.
- Protection against cyber threats. Banks must implement comprehensive technical and organisational measures to detect, prevent and respond to cyber threats, to protect information systems and customer data.
- Logging of access grants and all security events. Banks should ensure that information on access events to their information systems, as well as all security events, is recorded, stored and protected from modification.
- Timely detection, prevention and neutralisation of cyber threats. This includes protection against malicious software, such as anti-virus solutions and intrusion detection and prevention systems (IDS/IPS).
- Multi-factor authentication and responsibility for data processing. Multi-factor authentication mechanisms should be applied to access critical bank systems.
How Qualys meets the NBU's requirements
Qualys is a platform that provides an automated approach to cyber defence, in line with NBU regulations:
- Continuous Vulnerability Monitoring. Under Resolution 178, banks must regularly identify technical vulnerabilities. Qualys supports the daily or weekly scanning of network assets, systems, and applications, with automatic risk prioritisation.
- Critical Threat Detection. Qualys meets the requirements of both resolutions by providing the timely detection of new threats and critical vulnerabilities, along with remediation recommendations.
- Risk Management. Resolution No. 95 emphasises the formation of a bank's information security policy and the establishment of information security risk management processes. Qualys Policy Compliance (PC) and File Integrity Monitoring check systems' compliance with international standards and security policies, recording any deviations.
- Protection of network infrastructure. The NBU requires banks to implement measures to monitor and control information security, including the detection of attacks, incidents, and breaches. In this context, network perimeter protection and traffic analysis are essential. The Qualys VMDR platform integrates with network security systems, such as IDS/IPS, firewalls and SIEMs, to provide real-time visibility into events and help build an effective security perimeter.
- Logging and auditing. Both regulations require banks to implement continuous monitoring to provide evidence for incident control and investigation purposes. Qualys maintains detailed logs of all activities, enabling you to create chronologies of events that are acceptable for NBU inspections or internal audits.
- Documented processes. Qualys implements the requirements for formalised policies and procedures through centralised governance, reporting, change control and incident response policies.
The benefits of implementing Qualys in banking
Integrating the Qualys Enterprise TruRisk™ cloud platform into a bank's IT infrastructure offers strategic advantages in terms of both compliance and overall cyber risk management.
- Automation, compliance and error reduction. Qualys' centralised control of policies and configurations minimises reliance on manual work and human error. This is particularly important when preparing for NBU, PCI DSS or ISO 27001 compliance audits.
- Faster audit preparation. The platform supports over 900 policy and control templates, significantly reducing the time required for reporting and internal audits.
- Continuous monitoring and early detection of vulnerabilities. Using the VMDR and Asset Management modules ensures the timely detection of hidden risks that may not be identified by traditional security tools.
- Risk prioritisation in the business context. The platform calculates threat levels based on the importance of IT assets, enabling you to allocate resources to the most critical areas.
- Centralised compliance monitoring. Qualys enables real-time monitoring of compliance with international standards and NBU regulatory requirements, including event logging, incident and update management, and asset inventory.
- Strengthened cyber resilience. Through regular scanning, patch management and configuration management, the platform reduces the risk of cyberattacks and improves the overall level of infrastructure protection.
Guidelines for implementing Qualys in a banking institution
To maximise the benefits of the Qualys platform, banks should take a sequential approach combining technical training, integration, and organisational change.
- Conduct an asset inventory. Using the Asset Management module, record all IT assets (e.g. servers, devices, applications and IoT/OT systems) and classify them by importance.
- Deploy scanning tools. Configure agents, scanners and passive monitoring to continuously detect vulnerabilities within the network's internal and external perimeters.
- Configure compliance policies. Import ready-made templates (e.g. PCI DSS 4.0, ISO 27001, NBU) or create your own policies via the Policy Compliance interface to monitor security settings.
- Integrate with key systems. Ensure coordinated work with existing solutions (SIEM, ITSM and CMDB).
- Assign roles and responsibilities. Appoint individuals to oversee various platform modules (VMDR, Policy Compliance and Asset Management) in line with the information security service structure.
- Conduct staff training. Organise training sessions for IT specialists, security analysts, and auditors to ensure the effective use of the system's functionality.
- Launch a pilot project. Begin with a test implementation in a selected department or environment, such as an area with critical assets or a high-traffic part of the network.
- Roll out the platform across the bank. Based on the results of the pilot project, adapt the large-scale implementation to account for the specific needs of each business process and unit.
Conclusion: Why Qualys is more than just a compliance tool
With cyber threats on the rise and regulatory pressure increasing from both international and Ukrainian authorities, Qualys is a comprehensive system for managing a bank's cyber risk, not just a compliance tool. The platform provides:
- Compliance with PCI DSS, ISO/IEC 27001, GDPR and NBU regulatory requirements (Resolutions No. 95 and No. 178).
- Transparent risk management through a unified risk register and assessment of the business importance of assets.
- Automated reporting and readiness for inspections at any time.
- A reduction in critical vulnerabilities of up to 85% through adaptive patching and integrated response.
- Holistic management of IT assets, including those in the cloud, data centres, mobile devices and IoT/OT environments.
Recommendation: Before implementing the platform on a large scale, conduct a technical audit of the current IT infrastructure to identify priority risk areas and implement a pilot project based on the results. This will enable the system to be tailored to the institution's specific needs, demonstrate its effectiveness to management and ensure a smooth transition to full integration.
Still have questions about implementing the Qualys Enterprise TruRisk™ platform? Contact the Solidity specialists at marketing@solidity.com.ua.