Compliance Guide

Fence helps organizations meet security compliance requirements by providing automated vulnerability scanning and evidence collection.

Supported Compliance Frameworks

PCI DSS (Payment Card Industry Data Security Standard)

Relevant Requirements:
- Requirement 6.5: Protect applications from common vulnerabilities (OWASP Top 10)
- Requirement 6.6: Review public-facing web applications for vulnerabilities
- Requirement 11.3: Perform penetration testing and vulnerability scans

How Fence Helps:
- Automated OWASP Top 10 scanning covers Requirement 6.5
- Continuous vulnerability scanning satisfies Requirement 6.6
- Scheduled scans with exportable reports support Requirement 11.3

HIPAA (Health Insurance Portability and Accountability Act)

Relevant Requirements:
- §164.308(a)(1): Security management process
- §164.308(a)(8): Evaluation of security controls
- §164.312(e)(1): Transmission security

How Fence Helps:
- SSL/TLS configuration scanning identifies weak or missing encryption on data in transit
- Regular vulnerability assessments support security evaluation
- Scan reports provide audit evidence

SOC 2 Type II

Relevant Trust Service Criteria:
- CC6.1: Logical and physical access controls
- CC6.6: External threats protection
- CC7.1: Vulnerability identification and remediation

How Fence Helps:
- CVE detection identifies known vulnerabilities
- Continuous monitoring demonstrates ongoing security
- Remediation tracking shows control effectiveness

ISO 27001

Relevant Controls:
- A.12.6.1: Management of technical vulnerabilities
- A.14.2.8: System security testing
- A.18.2.3: Technical compliance review

How Fence Helps:
- Automated vulnerability scanning meets A.12.6.1
- Regular security testing supports A.14.2.8
- Compliance reports aid technical reviews

NIST 800-171

Relevant Requirements:
- 3.11.2: Scan for vulnerabilities periodically
- 3.11.3: Remediate vulnerabilities in accordance with risk
- 3.14.1: Monitor organizational systems

How Fence Helps:
- Scheduled scans (weekly/daily/hourly) meet 3.11.2
- Severity-based prioritization supports 3.11.3
- Continuous monitoring satisfies 3.14.1

Compliance Reports

Fence provides several report types for compliance purposes:

Scan Reports

  • Format: PDF, JSON, CSV
  • Contents: All vulnerabilities found, severity ratings, remediation guidance
  • Use: Evidence for auditors, vulnerability management records

Trend Reports

  • Format: Dashboard view, PDF export
  • Contents: Vulnerability trends over time, remediation velocity
  • Use: Demonstrate continuous improvement

Executive Summaries

  • Format: PDF
  • Contents: High-level security posture, risk scores
  • Use: Management reviews, board presentations

Evidence Collection

Automated Evidence

Fence automatically collects and stores:
- Scan timestamps and results
- Vulnerability discovery dates
- Remediation completion dates
- Configuration change logs

Audit Trail

All actions are logged:
- Who initiated scans
- When vulnerabilities were acknowledged
- Remediation status changes
- User access to reports

Best Practices for Compliance

1. Establish Scan Schedule

  • Minimum: Weekly scans for all domains
  • Recommended: Daily scans for critical systems
  • Enterprise: Hourly scans for high-risk applications

2. Define Response SLAs

Severity   Response Time   Remediation Time
Critical   24 hours        7 days
High       48 hours        14 days
Medium     1 week          30 days
Low        2 weeks         90 days

3. Document Exceptions

For vulnerabilities that cannot be remediated:
- Document the business justification
- Implement compensating controls
- Schedule regular reviews
- Track in your risk register
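The SLA table and the exception rules above can be checked mechanically against an exported scan report. The following is an added example, not part of the Fence documentation or product: it evaluates a constructed set of findings against the response and remediation windows, treats open findings as still on the clock, and accepts a documented exception only when it carries both a justification and a compensating control. The JSON field names (id, severity, discovered, acknowledged, remediated, exception) are assumptions; the real Fence export schema is not described on this page.

```python
from datetime import datetime, timedelta

# Response / remediation windows, taken from the SLA table in this guide.
SLA = {
    "critical": (timedelta(hours=24), timedelta(days=7)),
    "high": (timedelta(hours=48), timedelta(days=14)),
    "medium": (timedelta(weeks=1), timedelta(days=30)),
    "low": (timedelta(weeks=2), timedelta(days=90)),
}

def _ts(value):  # ISO-8601 string -> datetime, None for a missing timestamp
    return datetime.fromisoformat(value) if value else None

def check_sla(findings, now_iso):
    """Return (finding id, issue) pairs for findings outside the SLA table.
    Field names are assumed; the real Fence JSON schema is not on this page."""
    now = _ts(now_iso)
    issues = []
    for f in findings:
        response_win, remediation_win = SLA[f["severity"].lower()]
        found = _ts(f["discovered"])
        # Response clock: discovery -> acknowledgement (or -> now if never acknowledged).
        if (_ts(f.get("acknowledged")) or now) - found > response_win:
            issues.append((f["id"], "response SLA missed"))
        # A documented exception is not a remediation breach, but it is only
        # valid with a business justification and a compensating control.
        exc = f.get("exception")
        if exc is not None:
            if not (exc.get("justification") and exc.get("compensating_control")):
                issues.append((f["id"], "exception missing justification or compensating control"))
            continue
        # Remediation clock: discovery -> fix (or -> now if still open).
        if (_ts(f.get("remediated")) or now) - found > remediation_win:
            issues.append((f["id"], "remediation SLA missed"))
    return issues

SAMPLE_FINDINGS = [  # constructed sample findings, not a real Fence export
    {"id": "F-1", "severity": "Critical", "discovered": "2024-03-01T09:00:00",
     "acknowledged": "2024-03-01T15:00:00", "remediated": "2024-03-05T10:00:00"},
    {"id": "F-2", "severity": "High", "discovered": "2024-03-01T09:00:00",
     "acknowledged": "2024-03-04T09:00:00", "remediated": None},
    {"id": "F-3", "severity": "Medium", "discovered": "2024-01-10T09:00:00",
     "acknowledged": "2024-01-11T09:00:00", "remediated": None,
     "exception": {"justification": "legacy vendor appliance",
                   "compensating_control": "WAF rule and network segmentation"}},
    {"id": "F-4", "severity": "Low", "discovered": "2024-01-01T09:00:00",
     "acknowledged": "2024-01-02T09:00:00", "remediated": None,
     "exception": {"justification": "awaiting vendor patch"}},
]

def run_sample():  # evaluated as of 2024-03-20 09:00
    return check_sla(SAMPLE_FINDINGS, "2024-03-20T09:00:00")
```

Running `run_sample()` reports F-2 for both windows (acknowledged after 72 hours, still open after 19 days) and F-4 for an incomplete exception record; F-1 is inside both windows and F-3 is covered by a complete exception.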

4. Retain Records

Compliance frameworks typically require:
- PCI DSS: 1 year of scan records
- HIPAA: 6 years of security documentation
- SOC 2: Varies by auditor (typically 12 months)
- ISO 27001: 3 years minimum

Fence retains scan history according to your subscription tier:
- Hobby: 30 days
- Startup: 1 year
- Enterprise: Unlimited
