
HITRUST Common Security Framework Summary of … ·  · 2014-07-23initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST,


Apr-14

HITRUST Common Security Framework Summary of Changes

CSF 2014 V6.1 Incorporates changes in PCI-DSS v3 and updates stemming from the HIPAA Omnibus Final Rule. Includes mappings to the NIST Cybersecurity Framework v1.

Fundamental to HITRUST’s mission is the availability of a Common Security Framework (CSF) that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.

HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.

This interim 2014 CSF (v6.1) release includes changes based on feedback from the community and an updated set of cross-references and security requirements based on the 2013 release of the HIPAA Final Rule (Omnibus), PCI-DSS v3.0, and ISO/IEC 27001:2013 and 27002:2013, as well as the early 2014 release of the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The table below provides a summary of the changes to the CSF broken down by Control Specification and Implementation Requirement Level.

Other Updates

In conjunction with this CSF update, HITRUST has taken the opportunity to also make updates to its CSF Assurance Program.

Page 2: HITRUST Common Security Framework Summary of … ·  · 2014-07-23initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST,

Green text indicates an addition to the control/requirement. Red text indicates a deletion from the control/requirement.

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|

| 0.a | 1 | Added: ISO cross references | ISO/IEC 27001-2013 4.4 | Updated mapping for 2013 ISO release |
| 0.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-4 | ISMS addresses all information security risks, including cybersecurity |
| 0.a | 2 | Added: ISO cross references | ISO/IEC 27001-2013 4.3, 5.1(a), 5.2, 5.3, 6.1.1(d), 6.1.1(e)(1), 6.1.1(f), 6.1.2, 6.1.3, 6.2(e), 7.1, 7.4, 7.5.1(a), 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 9.2, 9.3(b), 9.3(f), 10.1(c), 10.2 | Updated mapping for 2013 ISO release |

This document is the PROPRIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.


| 0.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | PDCA requirement |
| 0.a | 3 | Added: ISO cross references | ISO/IEC 27001-2013 4.1, 4.2(b), 4.4, 5.1(c), 5.1(d), 5.1(e), 5.1(f), 5.1(g), 5.2, 5.3, 6.1.1, 6.2, 7.1, 7.2, 7.3(b), 7.3(c), 7.4, 8.1, 9.1, 9.2, 9.3, 10.1(b), 10.1(c), 10.1(d), 10.1(e), 10.1(g) | Updated mapping for 2013 ISO release |
| 01.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Consistent with relevant legislation policy language |


| 01.a | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.1.1 | Updated mapping for 2013 ISO release |
| 01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-3 | Monitoring of guest/anonymous, shared/group, emergency and temporary accounts |
| 01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Registration/de-registration part of requirement to manage identities and credentials |
| 01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Consistent with need-to-know, need-to-share language |
| 01.b | 1 | Removed: PCI cross reference | PCI DSS v2 12.5.4 | 01.b addresses user registration but does not require formally assigning the responsibilities for administering accounts to an individual or team; this will be addressed by 05.c |
| 01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.1 | Requirement not addressed in 01.b but is addressed in 01.q, which is already mapped. |
| 01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.1 | Requirement is addressed by 01.p |
| 01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.2 | Language is contained in level 3 vice level 1 |
| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.1; PCI DSS v3 8.1.2 | Control remapped in PCI DSS v3 |
| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.1; v3 8.1.2 | Control remapped in PCI DSS v3 |


| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.4; PCI DSS v3 8.1.3 | Control remapped in PCI DSS v3 |
| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.4; v3 8.1.3 | Control remapped in PCI DSS v3 |
| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.5; PCI DSS v3 8.1.4 | Control remapped in PCI DSS v3 |
| 01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.7 | Requirement is addressed in 01.f level 1 |
| 01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.7; PCI DSS v3 8.4 | Control remapped in PCI DSS v3 |
| 01.b | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.1; ISO/IEC 27002-2013 A.9.2.2 | Updated mapping for 2013 ISO release |
| 01.b | 3 | Added: PCI cross reference | PCI DSS v2 8.2 | Language is contained in level 3 vice level 1 |
| 01.b | 3 | Removed: Account creation, modification, disabling, and removal actions shall be automatically logged and audited providing notification, as required, to appropriate individuals. | PCI DSS v3 10.2.5 | Identical language is contained in 09.aa, Level 3, which is already mapped to 10.2.5 |


| 01.c | PCI Data | Added: A service provider shall protect each organization’s hosted environment and data by: (i) ensuring that each organization only runs processes that only have access to that organization’s cardholder data environment, and (ii) restricting each organization’s access and privileges to only its own cardholder data environment. | PCI DSS v3 A.1.1; PCI DSS v3 A.1.2 | Specific language for a service provider to restrict access and privileges of users and processes to an entity’s cardholder data environment is specific to PCI |
| 01.c | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.3 | Updated mapping for 2013 ISO release |
| 01.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Access permissions consistent with privilege management |
| 01.c | 1 | Updated: PCI cross reference | PCI DSS v2 7.1.3; PCI DSS v3 7.1.4 | Control remapped in PCI DSS v3 |
| 01.c | 1 | Added: The allocation of privileges … Privileges shall be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (e.g. i.e. the minimum requirement for their functional role, e.g., user or administrator, only when needed). PCI cross reference | PCI DSS v3 7.1.1 | New content for 7.1.1 is addressed by existing CSF 01.c content in Level 1 |


| 01.c | 1 | Added: The allocation of privileges for all systems and system components shall be controlled through a formal authorization process. | PCI DSS v3 7.2.1 | Modified language to specifically address the requirement |
| 01.c | 2 | Added: None Subject to PCI Compliance Level 2 Regulatory Factor | Administrative change | No PCI references remain in level 3 after PCI DSS v2 8.5.16 was moved to 01.v as PCI DSS v3 8.7 |
| 01.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Consistent with requirement to allow authorized users to determine whether access authorizations assigned to business partners are valid |
| 01.c | 2 | Removed: Administrator or operator registration and de-registration shall be in accordance with the defined process and the sensitivity and risks associated with the system (see 01.b). | NIST SP 800-53 r4 AC-2 | This particular requirement is duplicative of the same requirements in 01.b, for which AC-2 is already mapped; other AC-2 requirements remain valid for this control |
| 01.c | 2 | Updated: PCI cross reference | PCI DSS v2 7.1.1; PCI DSS v3 7.1.2 | Control remapped in PCI DSS v3 |
| 01.c | 2 | Updated: PCI cross reference | PCI DSS v2 7.1.2; PCI DSS v3 7.1.3 | Control remapped in PCI DSS v3 |
| 01.c | 2 | Removed: Access controls are implemented via an automated access control system. PCI cross reference | PCI DSS v2 7.1.4 | Requirement content is completely new and does not map to 01.c Level 2; requirement is not supported by any other cross-reference at level 2 |


| 01.c | 2 | Added: PCI cross reference | PCI DSS v3 A.1.1 | Process privileges map to 01.c |
| 01.c | 2 | Added: PCI cross reference | PCI DSS v3 A.1.2 | Organizational (i.e., user) access and privileges maps to 01.c |
| 01.c | 3 | Removed: Subject to PCI Compliance, Level 2 Regulatory Factor | Administrative change | No PCI references remain in level 3 after PCI DSS v2 8.5.16 was moved to 01.v as PCI DSS v3 8.7 |
| 01.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-3 | Consistent with requirement to audit execution of privileged functions on information systems |
| 01.c | 3 | Removed: The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access. PCI cross reference | PCI DSS v2 8.5.16 | Requirement is more closely related to 01.v, Information Access Restriction, rather than 01.c, Privilege Management; content and PCI mapping moved; content not specific to remaining mappings for this level |
| 01.d | 1 | Added: x. passwords shall be prohibited from being reused for at least four (4) generations for users or six (6) generations for privileged users; and | Administrative change | Language updated to reflect NIST/CMS/PCI requirements and consistency with 01.f for password management |


| 01.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Password management is part of credential management |
| 01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.10 | Control remapped in PCI DSS v3 |
| 01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.11 | Control incorporated into v3 8.2.3 with v2 8.5.10 |
| 01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.11 | Control incorporated into v3 8.2.3 with v2 8.5.10; control requirement addressed in 01.d |
| 01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.8 | Requirement not addressed by language in 01.d level 1; requirement is addressed by 01.q level 1 |
| 01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.12; PCI DSS v3 8.2.5 | Control remapped in PCI DSS v3 |
| 01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.2; PCI DSS v3 8.2.2 | Control remapped in PCI DSS v3 |
| 01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.9; PCI DSS v3 8.2.4 | Control remapped in PCI DSS v3 |
| 01.d | 1 | Added: Alternatively, passwords/phrases must have a strength (entropy) at least equivalent to the parameters specified above. PCI cross reference | PCI DSS v3 8.2.3 | PCI DSS v2 8.5.10 updated to 8.2.3 in v3; language added to reflect additional flexibility afforded by the updated PCI control |


| 01.d | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.4 | Updated mapping for 2013 ISO release |
| 01.d | 2 | Updated: PCI cross reference | PCI DSS v2 8.4; PCI DSS v3 8.2.1 | Control remapped in PCI DSS v3 |
| 01.d | 2 | Removed: PCI cross reference | PCI DSS v2 8.5.9 | Requirement is addressed in 01.f Level 1 |
| 01.e | 1 | Added: The following procedures shall be carried out to ensure the regular review of access rights by management: (i) user’s access rights shall be reviewed after any changes, such as promotion, demotion, or termination of employment, or other arrangement with a workforce member ends; and (ii) user’s access rights shall be reviewed and re-allocated when moving from one employment or workforce member arrangement to another within the same organization. | HIPAA §164.308(a)(3)(ii)(C) | Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members |
| 01.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Recertification supports access permission management |
| 01.e | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.5 | Updated mapping for 2013 ISO release |


| 01.f | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.3.1 | Updated mapping for 2013 ISO release |
| 01.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Consistent with credential management |
| 01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.10 | Control requirement addressed in 01.d |
| 01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.13 | Requirement is addressed by 01.p |
| 01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.14 | Requirement is addressed by 01.p |
| 01.f | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.7; PCI DSS v3 8.4 | Control remapped in PCI DSS v3 |
| 01.f | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.12; PCI DSS v3 8.2.5 | Control remapped in PCI DSS v3 |
| 01.f | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.9; PCI DSS v3 8.2.4 | Control remapped in PCI DSS v3 |


| 01.f | 1 | Added: Password management policies shall be developed, documented, and adopted and communicated to all users to address the need to: | PCI DSS v3 8.4 | Modified to support updated language in PCI DSS v3 |
| 01.g | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.2.8 | Updated mapping for 2013 ISO release |
| 01.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-2 | Physical access protections for unattended user equipment |
| 01.h | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.2.9 | Updated mapping for 2013 ISO release |
| 01.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Protections for removable media addressed by clean desk requirements |
| 01.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Networks and network services are information assets to which users are authorized access |
| 01.i | 1 | Added: ISO cross references | ISO/IEC 27001-2013 A.9.1.2 | Updated mapping for 2013 ISO release |
| 01.i | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.1.2 | Updated mapping for 2013 ISO release |
| 01.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-4 | Cataloguing is consistent with requirement for the identification of external information systems |


| 01.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Baseline configuration requirement related to identification of necessary ports and services |
| 01.j | PCI Data | Added: The organization shall incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support and maintenance). | PCI DSS v3 8.3 | PCI requirement is more stringent than existing language in 01.j level 1 |
| 01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Addresses monitoring requirements for remote and wireless access |
| 01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Addresses credential and authentication requirements |
| 01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Directly related to management of remote user access |
| 01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Addresses access controls for networks |
| 01.j | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.6; PCI DSS v3 8.1.5 | Control remapped in PCI DSS v3 |


| 01.j | 1 | Added: Remote access to business information across public networks shall only take place after successful identification and authentication. Remote access by vendors and business partners (e.g., maintenance, reports or other data access) Vendors accounts for remote maintenance shall be disabled unless specifically authorized by the management. If remote maintenance is performed, the organization shall closely monitor and control any activities, with immediate deactivation after use. Remote access to business partner accounts shall also be immediately deactivated after use. | PCI DSS v3 12.3.9 | Updated the language to reflect the addition of business partners to the remote access restriction |
| 01.k | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Addresses identification and authentication requirements for equipment |
| 01.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Addresses physical access to ports / network equipment |
| 01.l | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Specifying allowable ports and services is part of baseline / configuration management |
| 01.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1 | Supports sub-requirement PCI DSS v3 1.1.4, which is mapped to the control |
| 01.m | 1 | Removed: PCI cross reference | PCI DSS v2 1.1.3 | Requirement renumbered to 1.1.4 in PCI DSS v3 |


| 01.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1.4 | Requirement renumbered to 1.1.4 in PCI DSS v3 |
| 01.m | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.4.5 | Updated mapping for 2013 ISO release |
| 01.m | 2 | Added: A baseline of network operations and expected data flows for users and systems shall be established and managed. Separate domains shall then be implemented by controlling the network data flows … according to applicable flow control policies. NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Added language from NIST framework for additional clarity. |
| 01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Data flow requirement |
| 01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Restricting access via VLANs for user groups is related to the requirement to manage access permissions |
| 01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Segregation requirement |
| 01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Segmentation is one mechanism used to help prevent data leakage |
| 01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Requirements apply to all network segments, including those for communications and control |


| 01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Deny all, permit by exception policy supports establishment of a baseline of network operations and expected data flows |
| 01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Related to restriction of a user’s ability to connect to the internal network |
| 01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections help prevent data leakage |
| 01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Requirement to limit number of remote connections is specifically made to support comprehensive network monitoring |
| 01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Provides requirements supporting network segregation |
| 01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Requirements apply to all network segments, including those for communications and control |
| 01.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Requires segregation and protections between internal and external network |
| 01.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections help prevent data leakage |
| 01.o | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Requires routing controls to be based on positive source and destination address checking mechanisms |


| 01.o | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Specifies protection of internal directory services and IP addresses, which also supports protection of communications and control networks |
| 01.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Secure log-on procedures support identity and credential management requirements |
| 01.p | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.13; PCI DSS v3 8.1.6 | Control remapped in PCI DSS v3 |
| 01.p | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.14; PCI DSS v3 8.1.7 | Control remapped in PCI DSS v3 |
| 01.p | 3 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release |
| 01.q | PCI Data | Added: The organization shall not use group, shared, or generic IDs, passwords, or other authentication methods as follows: (i) generic user IDs are disabled or removed; (ii) shared user IDs do not exist for system administration and other critical functions; (iii) shared and generic user IDs are not used to administer any system components. | PCI DSS v3 8.5 | PCI requirements are more stringent than existing language in 01.q Level 1 |


| 01.q | PCI Data | Added: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. | PCI DSS v3 8.5.1 | PCI requirement specific to service providers |
| 01.q | PCI Data | Added: Where other authentication mechanisms are used (e.g., physical or logical security tokens, smart cards, and certificates), use of these mechanisms shall be assigned as follows: (i) authentication mechanisms must be assigned to an individual account and not shared among multiple accounts; (ii) physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. | PCI DSS v3 8.6 | PCI requirement related to unique credentials is more stringent; placed in PCI segment |
| 01.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Specifically addresses user identification and authentication requirements, e.g., verifiable unique IDs |
| 01.q | 1 | Updated: PCI cross reference | PCI DSS v2 8.1; PCI DSS v3 8.1.1 | Control remapped in PCI DSS v3 |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.q | 1 | Removed: PCI cross reference | PCI DSS v2 8.3 | No relevant language in 01.q level 1 (language in level 2 addresses communications through an external network rather than originating from outside the network); requirement is addressed by 01.j level 1 |
| 01.q | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.8 → PCI DSS v3 8.5 | Control remapped in PCI DSS v3 |
| 01.q | 1 | Added: PCI cross reference | PCI DSS v3 12.3.2 | User authentication for use of information technology is explicitly addressed by 01.q, User identification and authentication |
| 01.q | 1 | Added: PCI cross reference | PCI DSS v3 8.1 | New content in 8.1 is addressed by existing content in 01.q Level 1 |
| 01.q | 1 | Added: Before allowing access to system components or data, ~~T~~the organization shall require verifiable unique IDs for all types of users … | PCI DSS v3 8.1.1 | Modified existing content to more accurately reflect the requirement |
| 01.q | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.1 | Updated mapping for 2013 ISO release |
| 01.q | 2 | Removed: PCI cross reference | PCI DSS v2 3.2 | Requirement for authentication is related to authentication of the payment card rather than the user; content in 3.2, 3.2.1, 3.2.2 and 3.2.3 is better addressed in 09.q, Information handling procedures |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.q | 2 | Added: During the registration process to provide new or replacement hardware tokens, in-person verification shall be required; PCI cross reference | PCI DSS v3 8.2.2 | 8.2.2 is addressed by in-person registration requirement for tokens; language added for clarity |
| 01.q | 2 | Added: PCI cross reference | PCI DSS v3 8.5.1 | New requirement related to unique credentials but specific to service providers; content placed in PCI segment |
| 01.q | 2 | Added: PCI cross reference | PCI DSS v3 8.6 | New requirement related to unique credentials is more stringent; content placed in PCI segment |
| 01.r | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Specifically addresses password (credential) management |
| 01.r | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.8 | Requirement not addressed by language in 01.r level 1; requirement is addressed by 01.q level 1 |
| 01.r | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.3 | Updated mapping for 2013 ISO release |
| 01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Requires user identification, authentication, and authorization for access to system utilities |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Restricting access to system utilities helps prevent misconfiguration (intentional or not), which supports data leakage prevention |
| 01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Directly related to the control of access to systems and assets |
| 01.s | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.4 | Updated mapping for 2013 ISO release |
| 01.t | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release |
| 01.t | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.15 → PCI DSS v3 8.1.8 | Control remapped in PCI DSS v3 |
| 01.u | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release |
| 01.v | PCI Data | Added: Where there is an authorized business need to allow the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media for personnel accessing cardholder data via remote-access technologies, the organization's usage policies shall require the data be protected in accordance with all applicable PCI DSS requirements. | PCI DSS v3 12.3.10 | Requirement specific to cardholder data / PCI DSS |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.v | PCI Data | Added: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: i. all user access to, user queries of, and user actions on databases are through programmatic methods. ii. only database administrators have the ability to directly access or query databases. iii. application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). | PCI DSS v3 8.7 | Requirements specific to cardholder data |
| 01.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Directly related to information access restriction |
| 01.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Information access restriction directly supports DLP |
| 01.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Directly related to the control of access to systems and assets |
| 01.v | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.1 | Updated mapping for 2013 ISO release |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.v | 3 | Updated: For individuals accessing covered sensitive information (e.g., covered information, cardholder data) from a remote location, prohibit the copy, move, print (and print screen) and storage of ~~cardholder data~~ this information onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. | PCI DSS v3 12.3.10 | Updated language to correct discrepancy between covered information and cardholder data and make the requirement more generic |
| 01.v | 3 | Added: The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access; PCI cross reference | PCI DSS v3 8.7 | Requirement was moved from 01.c, Privilege Management, as it is most closely related to 01.v, Information Access Restriction. Language more specific to cardholder data added in the PCI segment |
| 01.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Sensitive system isolation directly related to network segregation |
| 01.x | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.6.2.1 | Updated mapping for 2013 ISO release |
| 01.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Encryption requirements support protection of data at rest |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 01.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Provides baseline configuration requirements for mobile devices |
| 01.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Remote access requirements |
| 01.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Encryption requirements support protection of data in motion/transit |
| 01.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-3 | Requires return of equipment |
| 01.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Sets baseline configuration requirements for teleworking equipment |
| 01.y | 3 | Added: ISO cross references | ISO/IEC 27002-2013 A.6.2.2 | Updated mapping for 2013 ISO release |
| 02.a | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.6.1.1 | Updated mapping for 2013 ISO release |
| 02.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.DP-1 | General language regarding security roles and responsibilities, which would include identification, protection, detection, response and recovery |
| 02.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Specifically addresses roles & responsibilities |
| 02.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Roles & responsibilities include compliance (legal, regulatory) language |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Requires establishment of security roles and responsibilities; HR-related |
| 02.a | 1 | Added: PCI cross reference | PCI DSS v3 12.4 | Requirement for security policies and procedures to clearly define information security responsibilities for all personnel is addressed by 02.a, Roles & Responsibilities (prior to employment) |
| 02.b | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.1.1 | Updated mapping for 2013 ISO release |
| 02.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Trustworthy personnel help prevent data leakage |
| 02.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Specifically addresses screening requirements |
| 02.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Terms & conditions of employment address requirement to ensure workforce members understand their roles & responsibilities |
| 02.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Terms address legal requirements for data protection |
| 02.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Terms address confidentiality requirements |
| 02.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Terms and conditions of employment include screening requirements |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.c | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.1.2 | Updated mapping for 2013 ISO release |
| 02.d | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.2.1 | Updated mapping for 2013 ISO release |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Contains requirement to implement processes to conduct monitoring activities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.DP-1 | General language regarding roles & responsibilities; specific language related to monitoring (detect) |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Specifies management responsibility to ensure workforce members understand their roles & responsibilities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-1 | Requires all users to be informed of their roles & responsibilities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-2 | Requires all users to be informed of their roles & responsibilities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Requires third party users (e.g., contractors) to be informed of their roles & responsibilities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-4 | Requires all users to be informed of their roles & responsibilities |
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-5 | Requires all users to be informed of their roles & responsibilities |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Specifically addresses security in HR issues, such as a workforce development program |
| 02.d | 2 | Added: These usage policies shall address the following if applicable: i. explicit management approval (authorization) to use the technology; … | PCI DSS v3 12.3.1 | Requirement was confounded with another statement, which was also corrected |
| 02.d | 2 | Updated: These usage policies shall address the following if applicable: ii. explicit management approval (authorization) to use the technology; iii. ~~authorization~~ authentication for use of the technology; iv. acceptable uses of the technologies (see 07.c); … | PCI DSS v3 12.3.2 | Requirement was confounded with another statement, which was also corrected |
| 02.e | PCI Data | Added: The organization shall ensure the importance of cardholder data security is included in a formal security awareness program for all personnel. | PCI DSS v3 12.6 | Awareness requirement for cardholder data is specific to PCI |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.e | PCI Data | Added: The organization shall periodically inspect payment card device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). | PCI DSS v3 9.9.3 | Requirement is PCI-specific |
| 02.e | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.2.2 | Updated mapping for 2013 ISO release |
| 02.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Education addresses legal requirements for data protection |
| 02.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-1 | Requires all users to be educated on their roles & responsibilities |
| 02.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-2 | Requires all users to be educated on their roles & responsibilities |
| 02.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-4 | Requires all users to be educated on their roles & responsibilities |
| 02.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-5 | Requires all users to be educated on their roles & responsibilities |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.e | 2 | Added: The organization's security personnel… shall receive specialized security education and training appropriate to their role/responsibilities. Train developers in secure coding techniques, including how to avoid common coding vulnerabilities. Ensure developers understand how sensitive data is handled in memory; PCI cross reference | PCI DSS v3 6.5 | New training requirement added to 6.5 in PCI DSS v3 |
| 02.e | 2 | Added: PCI cross reference | PCI DSS v3 9.9 | Supports mapping of PCI DSS v3 9.9.3 |
| 02.e | 2 | Added: PCI cross reference | PCI DSS v3 9.9.3 | Requirement to provide training on payment card device tampering and substitution is consistent with equipment education, training and awareness in 08.e; content is PCI-specific and added to the PCI segment |
| 02.f | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.2.3 | Updated mapping for 2013 ISO release |
| 02.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Sanctioning workforce members for security violations is included in HR practices |
| 02.g | 1 | Added: When an employee or other workforce member moves to a new position of trust, ... | HIPAA §164.308(a)(3)(ii)(C) | Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Access termination is included in HR practices |
| 02.g | 2 | Added: The organization shall have a documented termination process for all employees and other workforce members. The organization … provides appropriate personnel with access to official records created by a terminated employee or when the arrangement of a workforce member ends. The organization shall define any valid duties after termination of employment or when the arrangement of a workforce member ends, and these shall be included in the employee's or workforce member's contract or other arrangement. The communication … and the terms and conditions of employment or other workforce arrangement continuing for a defined period after the end of the employee's, contractor's or third party user's employment or other workforce arrangement. | HIPAA §164.308(a)(3)(ii)(C) | Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members |
| 02.g | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.7.3.1 | Updated mapping for 2013 ISO release |
| 02.h | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.8.1.4 | Updated mapping for 2013 ISO release |
| 02.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Return of assets is part of termination, which is included in HR practices |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.i | 1 | Added: Upon termination … at least within 24 hours. Changes of employment or other workforce arrangement (e.g. transfers) shall be reflected in removal of all access rights that were not approved for the new employment or workforce arrangement. Access changes … that identifies them as a current member of the organization. If a departing employee, contractor, third party user or other workforce member has known passwords for accounts remaining active, these shall be changed upon termination or change of employment, contract, agreement, or other workforce arrangement. Access rights to information assets and facilities shall be reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors including: i. whether the termination or change is initiated by the employee, contractor, third party user, other workforce member, or by management and the reason for termination; ii. the current responsibilities of the employee, contractor, workforce member or any other user; and … | HIPAA §164.308(a)(3)(ii)(C) | Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members |
| 02.i | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.6 | Updated mapping for 2013 ISO release |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 02.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Password (credential) changes due to termination support credential management requirements |
| 02.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Access changes due to personnel transfer support requirement to manage access permissions, including least privilege and separation of duties |
| 02.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Removal of logical access rights is part of the HR termination process |
| 02.i | 1 | Updated: PCI cross reference | PCI DSS v2 8.5. → PCI DSS v3 8.1.3 | Control remapped in PCI DSS v3 |
| 02.i | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.4 → PCI DSS v3 8.1.3 | Control remapped in PCI DSS v3 |
| 03.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-3 | Requirement to prioritize organizational mission, objectives and activities is part of risk strategy development |
| 03.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-4 | Directly supports cybersecurity risk management |
| 03.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RM-1 | Addressed by organizational strategy requirements |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 03.a | 1 | Added: Elements of the risk management program shall include: 1. … 2. management's clearly stated level of acceptable risk; 3. …; NIST cyber cross-reference | NIST Cybersecurity Framework ID.RM-2 | Clarified risk tolerance requirement |
| 03.a | 1 | Added: Elements of the risk management program shall include: 1. … 2. management's clearly stated level of acceptable risk, informed by its role in the critical infrastructure and healthcare-specific risk analysis; 3. …; NIST cyber cross-reference | NIST Cybersecurity Framework ID.RM-3 | Added requirement to consider role and healthcare-specific risk analysis in the determination of risk tolerance |
| 03.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-3 | Mitigation or acceptance of risk associated with vulnerabilities are both addressed at a program level |
| 03.b | PCI Data | Added: Formal risk assessments shall be performed at least annually and upon significant changes to the environment. The assessments shall identify critical assets, threats and vulnerabilities. | PCI DSS v3 12.2 | PCI requirements exceed the requirements specified in level 2 |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 03.b | 1 | Removed: Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act (Level 1 Regulatory Factor) | Administrative change | PCI requirements are more consistent with the requirements in 03.b, level 2 |
| 03.b | 1 | Added: They may be quantitative, semi- or quasi-quantitative, or qualitative but shall be consistent and comparable | Administrative change | Intended to specifically include the most common approach to risk assessment |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 03.b | 1 | Added: Risk assessments (analysis) used to determine whether a breach of unsecured protected health information (PHI)—as a breach is defined by the Secretary of Health and Human Services—is reportable to the Secretary must demonstrate there is a low probability of compromise (lo pro co) rather than a significant risk of harm. The methodology shall, at a minimum, address the following factors: i. the nature of the PHI involved, including the types of identifiers involved and the likelihood of re-identification; ii. the unauthorized person who used the PHI or to whom the disclosure was made; iii. whether the PHI was actually acquired or viewed; iv. the extent to which the risk to the PHI has been mitigated; and v. any other factors/guidance promulgated by the Secretary; HIPAA cross reference | HIPAA §164.402 | Specifically addresses the new requirements for breach risk analysis under the HIPAA Omnibus Rule |
| 03.b | 1 | Added: ISO cross references | ISO/IEC 27002-2013 4.4; ISO/IEC 27002-2013 A.12.6.1; ISO/IEC 27002-2013 A.17.1.1 | Updated mapping for 2013 ISO release |
| 03.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Asset vulnerabilities must be identified in order to address new vulnerabilities as required in the control language |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 03.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-3 | External environment is addressed in level 2 but the initial requirement in level 1 is general enough to map this control (e.g., new attack sources) |
| 03.b | 1 | Removed: PCI cross reference | PCI DSS v2 12.1.2 | PCI risk analysis requirements are more stringent than what's required in 03.b, level 1. Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years. |
| 03.b | 2 | Added: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to … (Level 2 Regulatory Factor) | Administrative change | PCI requirements are more consistent with the requirements in 03.b, level 2 |
| 03.b | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-4 | Potential impact of a vulnerability should it be successfully exploited is determined as part of the risk analysis |
| 03.b | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-4 | Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn't addressed until level 2 |
| 03.b | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-5 | Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn't addressed until level 2 |
| 03.b | 2 | Added: PCI cross reference | PCI DSS v3 12.2 | PCI DSS v2 12.1.2 was remapped to 12.2. Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years. |



| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 03.c | 1 | Added: The organization implements … and the associated organizational information systems are prioritized and maintained; and document the remedial information … and other organizations are documented; NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-6 | Language specifically addresses organization-wide priorities for risk response plans but earlier language updated for clarity |
| 03.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-12 | Mitigation of risk associated with vulnerabilities is part of the risk management process |
| 03.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | Primary purpose of remediation is to ensure protections are improved as part of the risk management lifecycle |
| 03.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-3 | Language specifically addresses risk responses and prioritization |
| 03.c | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.6.1; ISO/IEC 27002-2013 A.12.7.1; ISO/IEC 27002-2013 A.17.1.1 | Updated mapping for 2013 ISO release |
| 03.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-4 | Ensures risk management processes are continuously updated to reflect changes in the environment |
| 03.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | Language specifically addresses updating of the risk management program to reflect changes in the environment (continuous improvement) |
| 03.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | New assets must be identified to reflect changes in risk |


03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-3
General language on changes in the environment (e.g., new attack sources)

03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Addresses changes in the organization that affect risk

03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5
Requires the program to be updated to reflect changes in risk, which includes threats, vulnerabilities, likelihoods and impacts per 03.b and 03.c

04.a PCI Data Added: The organization shall ensure policies are documented, communicated (known to all parties) and in use for the following:
i. managing firewalls,
ii. managing vendor defaults and other security parameters,
iii. protecting stored cardholder data,
iv. encrypting transmissions of cardholder data,
v. protecting systems against malware,
vi. developing and maintaining secure systems and applications,
vii. restricting access to cardholder data,
viii. identification and authentication,
ix. restricting physical access to cardholder data,
x. monitoring access to network resources and cardholder data, and
xi. security monitoring and testing.
PCI DSS v3 1.5; PCI DSS v3 2.5; PCI DSS v3 3.7; PCI DSS v3 4.3; PCI DSS v3 5.4; PCI DSS v3 6.7; PCI DSS v3 7.3; PCI DSS v3 8.8; PCI DSS v3 9.10; PCI DSS v3 10.8; PCI DSS v3 11.6
Requirement to provide documented policies is addressed by 04.a, level 1; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed in support of a PCI audit or assessment


04.a 1 Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D

04.a 1 Added: CMS cross reference
CMSRs 2012v1.5 PL-1 (HIGH)
Requirement to establish an information security policy is addressed by 04.a

04.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.5.1.1
Updated mapping for 2013 ISO release

04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-1
Specifically addresses general information security policy requirement

04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Addresses legislative, regulatory and other requirements in information security policy

04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Requires information security policy to address risk assessment and management

04.a 1 Added: NIST cross reference
NIST SP800-53 r4 PL-1
Requirement to establish an information security policy is addressed by 04.a

04.a 1 Removed: PCI cross reference
PCI DSS v2 12.1.1
Policy review requirement is addressed by 04.b


04.a 1 Removed: PCI cross reference
PCI DSS v2 18.8.2
04.a addresses general policy requirements but does not address specific policy for service providers; requirement is addressed by 05.k, Addressing Security in Third Party Agreements, for which 12.8.2 is already mapped

04.a 1 Added: PCI cross reference
PCI DSS v3 1.5; PCI DSS v3 2.5; PCI DSS v3 3.7; PCI DSS v3 4.3; PCI DSS v3 5.4; PCI DSS v3 6.7; PCI DSS v3 7.3; PCI DSS v3 8.8; PCI DSS v3 9.10; PCI DSS v3 10.8; PCI DSS v3 11.6
Requirement to provide operational procedures is addressed by 05.a, level 3; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed

04.a 1 Added: An information security policy shall be developed, published, disseminated and implemented. The information security policy document shall state management's commitment …
PCI DSS v3 12.1
Policy requirement maps to 04.a

04.b 1 Removed: An information security policy shall be developed and implemented to provide the framework for setting management objectives for all aspects of security.
Administrative change
Policy requirement maps to 04.a


04.b 1 Removed: CMS cross reference
CMSRs 2012v1.5 SA-1 (HIGH)
Requirement for annual reviews is in level 2 vs. level 1

04.b 1 Added: CMS cross reference
CMSRs 2012v1.5 SA-1 (HIGH)
Requirement for annual reviews is in level 2 vs. level 1

04.b 1 Added: ISO cross references
ISO/IEC 27002-2013 A.5.1.2
Updated mapping for 2013 ISO release

04.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-1
Related to the cyber requirement for general information security policy as the CSF control addresses policy review

04.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Requires policy updates when legislative, regulatory and other requirements change

04.b 1 Removed: PCI cross reference
PCI DSS v2 12.1
Requirement is focused on policy

04.b 2 Updated: PCI cross reference
PCI DSS v2 12.1.3; PCI DSS v3 12.1.1
Control remapped in PCI DSS v3

05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(A)
Verified no relevant content remains

05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(B)
Verified no relevant content remains

05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(C)
Verified no relevant content remains


05.a 2 Added: i. ensure that … goals are identified and considered, and address organizational and healthcare-specific requirements, and … NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-2
Addresses requirement for organizations to consider their “place” in critical infrastructure

05.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-3
Specifically related to management requirements around information security strategy

05.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2
Consistent with control specification

05.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2
Addresses evaluation of information received from monitoring and reviewing of security incidents

05.b 2 Removed: PCI cross reference
PCI DSS v2 12.5.2
05.b addresses security coordination but does not require formally assigning responsibilities for monitoring, analyzing and distributing security alerts; this will be addressed by 05.c

05.b 2 Removed: PCI cross reference
PCI DSS v2 12.5.3
05.b addresses security coordination but does not require formally assigning responsibilities for distributing security incident response and escalation procedures; this will be addressed by 05.c

05.c 1 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.1
Updated mapping for 2013 ISO release


05.c 1 Added: Information security roles & responsibilities shall be coordinated and aligned with internal roles and external partners. NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2
Control specifically addresses allocation of responsibilities; Framework language added for clarification

05.c 1 Added: The organization shall formally assign the following specific information security responsibilities to an individual or team:
i. establishment, documentation and distribution of security policies and procedures;
ii. monitoring and analyzing security alerts and information, and distributing security alerts, information and analysis to appropriate personnel;
iii. establishment, documentation and distribution of security incident response and escalation procedures to ensure timely and effective handling of all situations;
iv. administering user accounts, including additions, deletions and modifications; and
v. monitoring and controlling all access to data.
PCI cross references
PCI DSS v3 12.5.2; PCI DSS v3 12.5.3; PCI DSS v3 12.5.4; PCI DSS v3 12.5.5
Formal assignment of specific information security responsibilities is best addressed by 05.c, Allocation of Information Security Responsibilities


05.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-1
Specifically addresses supply chain requirements for new information assets

05.e 1 Added: ISO cross references
ISO/IEC 27002-2013 A.13.2.4
Updated mapping for 2013 ISO release

05.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Confidentiality agreements support DLP

05.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Specifically addresses contact with authorities

05.f 2 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.3
Updated mapping for 2013 ISO release

05.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2
Requires procedures for reporting

05.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires sharing consistent with response plans, which is supported by testing

05.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-2
Requirement specific to contact with special interest groups: “share and exchange information about … threats, or vulnerabilities”

05.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-5
Requirement specific to contact with special interest groups: “provide suitable liaison points when dealing with information security incidents (see 11.c)”


05.g 2 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.4
Updated mapping for 2013 ISO release

05.h 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.2.1
Updated mapping for 2013 ISO release

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Periodic review of the information security program ensures governance and risk management processes continue to address information and cybersecurity risks

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-1
Periodic review of the information security program helps ensure the program continues to address stipulated requirements

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-2
Periodic review of the information security program helps ensure the program continues to address stipulated requirements

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-3
Periodic review of the information security program helps ensure the program continues to address stipulated requirements

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Periodic review of the information security program ensures continuous improvement

05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-8
Sharing of information re: control effectiveness with appropriate stakeholders is part of the third-party information protection program review


05.i 1 Updated: HIPAA cross reference
HIPAA §164.308(b)(43)
Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered

05.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-1
Expected data flows must be understood in order to support control requirements for identification of risk and minimal access (note level 2 also requires monitoring of connections)

05.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-3
Requires the organization to identify information provided to or otherwise accessible by 3rd parties in order to evaluate the risks they represent; supports mapping requirement in 09.m

05.i 1 Added: Due diligence, including an evaluation of the information security risks posed by external parties, shall be carried out to identify any requirements for specific controls where access to sensitive information (e.g., covered information, cardholder data) by external parties is required prior to establishing a formal relationship with the service provider.
PCI DSS v3 12.8.3
Language updated to better reflect the intent of the control, 05.i, Identification of Risks Related to External Third Parties, and PCI DSS v3 12.8.3, which requires a risk analysis prior to establishing a formal relationship

05.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-3
Addresses customer access

05.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Addresses customer role and responsibilities


05.k PCI Data Added: The organization shall identify and document information about which PCI DSS requirements are managed by each service provider, and which are managed by the organization.
PCI DSS v3 12.8.5
New requirement in PCI DSS v3 requiring formal delineation of responsibility for PCI controls with a third party service provider

05.k 1 Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D

05.k 1 Removed:
xxi. intellectual property rights (IPRs) and copyright assignment (see 6.b) and protection of any collaborative work (see 5.e);
xxii. involvement of the third party with subcontractors, and the security controls these subcontractors need to implement; and
xxiii. conditions for renegotiation/termination of agreements …
HIPAA §164.308(b)(1)
Omnibus Rule specified the Covered Entity is not required to obtain satisfactory assurances from a BA for its BAs/subcontractors


05.k 1 Added: x. arrangements for reporting, notification (e.g., how, when and by whom), and … stating:
a. the third party... including:
a. the identification of each individual … disclosed during such breach;
b. all notifications shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach if the BA is an agent of the covered entity, otherwise the timing of the notification should be explicitly addressed in the contract if the BA is not an agent of the covered entity; and …
HIPAA cross reference
HIPAA §164.410(b)
Clarified differences in reporting requirements for an agent of the CE as opposed to one who is not; addressing the timing of non-agent BA breaches in the contract eliminates ambiguity and may be considered a best practice


05.k 1 Added: xi. arrangements for reporting … stating:
a. the third party... including:
b. the identification of each individual … disclosed during such breach;
b. all notifications … if the BA is not an agent of the covered entity; and
c. evidence shall be maintained … delay; and
d. any other information that may be needed in the notification to individuals, either at the time notice of the breach is provided or promptly thereafter as information becomes available.
HIPAA cross reference
HIPAA §164.410(c)(2)
Added language addressing the requirement for additional information from the BA as it is discovered/developed

05.k 1 Added: The organization shall identify and mandate information security controls to specifically address supplier access to the organization’s information and information assets. The organization shall maintain written agreements (contracts)… ISO cross reference
ISO/IEC 27002:2013 A.15.1.1
Addresses information security in supplier relationships


05.k 1 Added: The organization shall maintain … the security of the organization’s information environment. Agreements shall include requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. The agreement shall ensure … the indemnity of the third party. ISO cross reference
ISO/IEC 27002:2013 A.15.1.3
Addresses information security in supplier relationships

05.k 1 Added: ISO cross references
ISO/IEC 27002-2013 A.15.1.1; ISO/IEC 27002-2013 A.15.1.2; ISO/IEC 27002-2013 A.15.1.3
Updated mapping for 2013 ISO release

05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6
Addresses monitoring requirement

05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Addresses 3rd party requirements, including roles & responsibilities

05.k 1 Added: The organization shall establish personnel security requirements including security roles and responsibilities for third-party providers that are coordinated and aligned with internal security roles and responsibilities. NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2
Addresses 3rd party requirements, including roles & responsibilities; language added for clarification


05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Specifically addresses 3rd party requirements, including roles and responsibilities

05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Addresses HR security-related requirements such as training and awareness

05.k 1 Added: The organization shall maintain written agreements (contracts) that include an acknowledgement that the third party (e.g., a service provider) is responsible for the security of the data the third party possesses or otherwise stores, processes or transmits on behalf of the organization, or to the extent that they could impact the security of the organization’s information environment. The agreement shall ensure that there is no misunderstanding …
PCI DSS v3 12.8.2
Although elements supporting the requirement are addressed by language in 05.k level 1, specific language was added to ensure written agreements address the full intent of the requirement

05.k 1 Added: PCI cross reference
PCI DSS v3 12.8.5
New requirement in PCI DSS v3 requiring formal delineation of responsibility for PCI controls with a third party service provider

05.k 1 Added: PCI cross reference
PCI DSS v3 12.9
Wording is identical to 12.8.2 but intended for / directed at the service provider

06.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.1
Updated mapping for 2013 ISO release


06.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses compliance with legal and regulatory requirements

06.b 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.2
Updated mapping for 2013 ISO release

06.b 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3
Requires automated auditing

06.c PCI Data Added: The organization shall keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
i. Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
ii. Processes for secure deletion of data when no longer needed
iii. Specific retention requirements for cardholder data
iv. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
PCI DSS v3 3.1
New content in 3.1 is PCI-specific

06.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifies retention IAW all regulatory and legislative requirements


06.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Addresses maintenance/retention of all records IAW all regulatory and legislative requirements

06.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.3
Updated mapping for 2013 ISO release

06.d PCI Data Added: The organization shall render the PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of the PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
PCI DSS v3 3.4
PCI only requirement; PCI control already mapped at level 2
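A worked example for the 06.d / PCI DSS v3 3.4 row above, added here and not code from HITRUST or the PCI SSC: a PAN is stored only as a keyed one-way hash of the entire PAN plus a truncated form, and PAN-shaped values are redacted from log lines before they are written. The first-six/last-four truncation width, the HMAC-SHA256 keyed hash, the demo key and the sample PAN and log line are assumptions and constructed values, not taken from the page.

```python
"""Constructed example for 06.d / PCI DSS v3 3.4: keep a PAN 'unreadable'
at rest and in logs. Added here; not code from HITRUST or the PCI SSC.
Assumptions not taken from the page: truncation keeps the first six and
last four digits, the one-way hash is HMAC-SHA256 over the entire PAN, and
the hash key is a constructed demo value."""
import hashlib
import hmac
import re

# Constructed demo key; in production the key is held in a key-management
# system, never beside the stored hashes.
DEMO_HASH_KEY = b"constructed-demo-key-not-for-real-use"

# 13 to 19 digits, optionally separated by spaces or dashes, as a whole word.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(pan: str) -> str:
    """Strip separators and check the value is PAN-shaped (13-19 digits)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    return digits


def truncate_pan(pan: str) -> str:
    """Truncation: keep first six and last four digits (assumed widths).
    The middle digits are dropped outright; the 'X' placeholders carry no
    information and, per the requirement, must not be replaced by a hash
    of the removed segment."""
    d = normalize_pan(pan)
    return d[:6] + "X" * (len(d) - 10) + d[-4:]


def hash_pan(pan: str, key: bytes = DEMO_HASH_KEY) -> str:
    """One-way hash of the ENTIRE normalized PAN, keyed so that the hash
    cannot be reversed by enumerating the PAN space offline."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()


def contains_full_pan(text: str) -> bool:
    """Detection check: does any PAN-shaped digit run remain in the text?"""
    return PAN_RE.search(text) is not None


def storable_record(pan: str) -> dict:
    """The only PAN-derived fields that may reach the data store or backups:
    a keyed hash (for matching) and a truncated form (for display)."""
    record = {"pan_hash": hash_pan(pan), "pan_trunc": truncate_pan(pan)}
    # Defensive self-check: nothing PAN-shaped may leave this function.
    assert not contains_full_pan(" ".join(record.values()))
    return record


def redact_pans_in_log(line: str) -> str:
    """Logs are named explicitly in the requirement: truncate every PAN-shaped
    value before the line is written to any log sink."""
    return PAN_RE.sub(lambda m: truncate_pan(m.group(0)), line)


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number) and a constructed log line.
    sample = "4111 1111 1111 1111"
    print(storable_record(sample))
    raw = "2014-07-23 auth ok pan=4111111111111111 amount=12.50"
    print(redact_pans_in_log(raw))
```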


06.d PCI Data Added: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
PCI DSS v3 3.4.1
PCI only requirement; PCI control already mapped at level 2

06.d 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.4
Updated mapping for 2013 ISO release

06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Specifies monitoring (detection) to protect covered information

06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Consistent with relevant legislation policy language

06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifies retention IAW all regulatory and legislative requirements

06.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3
Requires notice of monitoring

06.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Addresses HR security practices such as acceptable use agreements and rules of behavior


06.e 1 Removed: PCI cross reference
PCI DSS v2 12.5.5
11.a addresses misuse of assets but does not require formally assigning responsibilities for monitoring and controlling all access to data; this will be addressed in 05.c

06.e 1 Added: PCI cross reference
PCI DSS v3 12.3.1
Addresses requirement for management to approve access to information technologies

06.e 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.6.2
Updated mapping for 2013 ISO release

06.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses relevant legislation and regulations

06.f 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.5
Updated mapping for 2013 ISO release

06.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-1
Addresses mechanisms for authentication to a cryptographic module

06.g 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.2.2
Updated mapping for 2013 ISO release

06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
Specifies compliance reviews will be supported by system and information owners

06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Requires reports of non-compliance be documented and approved by management; additional requirements specified in level 2


06.g 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.GV-3

Specifically addresses relevant legislation and regulations (e.g., HIPAA)

06.g 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.RA-6

Level 1 states corrective actions for non-compliance are identified and implemented, but level 2 specifies compliance reviews are part of a formal risk assessment process

06.g 2

Removed: Results of reviews and corrective actions carried out shall be recorded and these records shall be maintained. The security organization shall maintain records of the compliance results in order to better track security trends within the organization and to address longer term areas of concern. NIST cyber cross-reference

Administrative change Removed duplicate text

06.g 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-7

Requires the use of automated compliance tools/scans when possible; specifies continuous monitoring of security controls with respect to compliance

06.h 1 Added: ISO cross references

ISO/IEC 27002-2013 A.18.2.3 Updated mapping for 2013 ISO release

06.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-8

Technical compliance checks are supported by vulnerability scanning

06.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.RA-1

Technical non-compliance results in a potential vulnerability


06.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.RA-6

Similar requirements for analysis and corrective action planning as provided in 06.g

06.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.IP-12

Technical compliance checks are part of a vulnerability management program

06.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework RS.MI-3

Specifically addresses mitigation of technical non-compliance issues (vulnerabilities)

06.i 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-2

Audit supports continuous monitoring: specifies audits should not impact business operations; level 2 specifies additional requirements

06.i 2 Added: ISO cross references

ISO/IEC 27002-2013 A.12.7.1 Updated mapping for 2013 ISO release

06.i 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-1

Audit supports continuous monitoring: specifically addresses roles & responsibilities

06.i 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-4

Audit supports continuous monitoring: specifically addresses dissemination of the audit plan

06.i 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.PT-1

Audit supports continuous monitoring: specifies limited requirements for audit processing

06.j 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-1

Audit supports continuous monitoring: restricts use of audit tools to authorized individuals only


07.a PCI Data

Added: The inventory of system components and devices in scope for PCI DSS shall identify all personnel authorized to use the system components and devices.

PCI DSS v3 12.3.3

Inventory requirement is addressed in level 1 but identification of personnel with access is more stringent and not addressed anywhere else in 07.a; PCI-specific content placed in PCI segment

07.a PCI Data

Added: The organization shall maintain an inventory of system components that are in scope for PCI DSS.

PCI DSS v3 2.4 New content in 2.4 is PCI-specific

07.a PCI Data

Added: The organization shall maintain an inventory of system components that are in scope for PCI DSS. Lists of payment card devices shall be kept up-to-date and include the following:

i. Make, model of device
ii. Location of device (for example, the address of the site or facility where the device is located)
iii. Device serial number or other method of unique identification.

PCI DSS v3 9.9.1

Requirement is PCI-specific and not addressed in level 2, which is required for PCI compliance. Inventory documentation requirements are addressed in level 3 but requires much more detail than PCI requires

07.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-1 Specific to asset inventories

07.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-2 Specific to asset inventories

07.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-5

Requires asset inventories identify classification and business value


07.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Addresses asset management; formal lifecycle management is specified in level 3

07.a 1

Added: The organization shall maintain an inventory of authorized wireless access points including a documented business justification, to support unauthorized WAP identification (see 09.m) and response (see 11.c). PCI cross reference

PCI DSS v3 11.1.1 New requirement supporting PCI DSS v3 6.1

07.a 2 Added: ISO cross references

ISO/IEC 27002-2013 A.8.1.1 Updated mapping for 2013 ISO release

07.a 2 Updated: PCI cross reference

PCI DSS v2 9.9.1 PCI DSS v3 9.7.1 Control remapped in PCI DSS v3

07.a 2 Added: PCI cross reference

PCI DSS v3 2.4 Previous content in 2.4 was moved to 2.6 in PCI DSS v3; new content maps to CSF control 07.a but is PCI-specific

07.a 2

Added: The organization shall maintain inventory logs of all media and conduct media inventories at least annually.

PCI DSS v3 9.7.1 Requirement was mapped to 09.a level 2 as PCI DSS v2 9.9.1 but not specifically addressed; language added

07.a 2 Added: PCI cross reference

PCI DSS v3 9.9 Supports mapping of PCI DSS v3 9.9.1


07.a 2 Added: PCI cross reference

PCI DSS v3 9.9.1

Requirement to maintain an inventory of payment card devices is consistent with asset inventory requirements in 07.a; content is PCI-specific and added to the PCI segment

07.b 1

Added: All information systems shall be documented including a method to accurately and readily determine the assigned owner of responsibility, contact information, and purpose (e.g., through labeling, coding, and/or inventory).

PCI DSS v3 12.3.4 Updated the language to accurately reflect the PCI requirement

07.b 2 Added: ISO cross references

ISO/IEC 27002-2013 A.8.1.2 Updated mapping for 2013 ISO release

07.b 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-5

Requires owners to specify asset classification and business value

07.b 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-6

Specifies responsibilities of asset owners

07.b 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Addresses asset management responsibilities of asset owners

07.c 1

Removed: The organization shall include in the rules of behavior, explicit restrictions on the use of social media and networking sites, posting information on commercial websites, and sharing information system account information.

Administrative change Duplicate text in control level; artifact


07.c 1 Added: ISO cross references

ISO/IEC 27002-2013 A.8.1.3 Updated mapping for 2013 ISO release

07.c 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-5

Acceptable use supports data leakage prevention

07.c 1 Removed: PCI cross reference

PCI DSS v2 12.3.1

Explicit approval is not addressed by 07.c, level 1; requirement is addressed by 02.d, level 2, which is already mapped to 12.3.1

07.d 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.AM-5

Provides classification guidelines for information assets

07.d 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-5

Classification guidelines support data leakage prevention

07.d 2 Added: ISO cross references

ISO/IEC 27002-2013 A.8.2.1 Updated mapping for 2013 ISO release

07.d 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.RA-4

Classification requires understanding of business value and impact due to a loss of the asset

07.d 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.RA-5 Specifically addresses risk

07.e 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-5

Labeling and handling requirements support data leakage prevention

07.e 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.PT-2

Addresses labeling and handling requirements for removable media


07.e 2 Added: ISO cross references

ISO/IEC 27002-2013 A.8.2.2 Updated mapping for 2013 ISO release

07.e 2 Updated: PCI cross reference

PCI DSS v2 9.7.1 PCI DSS v3 9.6.1 Control remapped in PCI DSS v3

08.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-2

Provides the use of alarms as an example of physical perimeter protection

08.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-7

Provides the use of alarms as an example, which is meant to identify unauthorized intrusion

08.a 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Specifically addresses physical (perimeter) access protection

08.a 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-2

Specifies compliance with regulatory requirements for fire doors

08.a 3 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.1 Updated mapping for 2013 ISO release

08.b PCI Data

Added: The organization shall ensure visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.

PCI DSS v3 9.4.1 PCI requirement is more restrictive than existing language

08.b PCI Data

Added: Visitor logs shall include the name of the onsite personnel (workforce member) authorizing physical access.

PCI DSS v3 9.4.4 PCI DSS v3 9.4.4 is more restrictive as it requires the authorizing individual to be onsite.


08.b 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-2

Requires visitor escort (monitoring) and monitoring of third party service personnel

08.b 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-7

Requires ability to clearly distinguish between workforce members and visitors, which supports identification (monitoring) of unauthorized personnel; physical intruder detection system requirements are specified in level 3

08.b 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Specifically addresses physical entry controls

08.b 1 Updated: PCI cross reference

PCI DSS v2 9.3.1 PCI DSS v3 9.4.1 Control remapped in PCI DSS v3

08.b 1 Added: PCI cross reference

PCI DSS v3 9.4 Supports PCI DSS v3 9.4.1 in level 1; moved from level 2

08.b 1

Added: All visitors shall be escorted and supervised (their activities monitored) unless their access has been previously approved. Access to areas where sensitive information (e.g., covered information, payment card data) is processed or stored shall be controlled and restricted to authorized persons only. All visitors shall be escorted and supervised (their activities monitored) unless their access has been previously approved.

PCI DSS v3 9.4.1 Re-ordered and additional language added for clarity. More restrictive PCI DSS requirement placed in PCI segment


08.b 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.2 Updated mapping for 2013 ISO release

08.b 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework RS.CO-3

Requires notification of security personnel in the event an unauthorized person is identified by a member of the workforce

08.b 2 Removed: PCI cross reference

PCI DSS v2 9.3 PCI reference (v2 9.3 / v3 9.4) moved to support PCI DSS v3 9.4.1 in level 1

08.b 2 Updated: PCI cross reference

PCI DSS v2 9.3.2 PCI DSS v3 9.4.2 Control remapped in PCI DSS v3

08.b 2 Updated: PCI cross reference

PCI DSS v2 9.3.3 PCI DSS v3 9.4.3 Control remapped in PCI DSS v3

08.b 2 Updated: PCI cross reference

PCI DSS v2 9.4 PCI DSS v3 9.4.4 Control remapped in PCI DSS v3


08.b 2

Added: Authentication controls … shall be securely maintained. The organization shall ensure onsite personnel and visitors can be easily distinguished. All employees, contractors and third party users and all visitors shall be required … to surrender the badge or device before leaving the facility or upon expiration. The organization shall ensure onsite personnel and visitor identification (e.g., badges) are revoked or terminated when expired or when access is no longer authorized. Identification should also be updated when access requirements change to ensure their status can be easily distinguished.

PCI DSS v3 9.2 Language updated to reflect additional requirements specified in PCI DSS v3


08.b 2

Added: Authentication controls (e.g. access control card plus PIN) shall be used to authorize and validate all access. Access must be authorized and based on individual job function. An audit trail of all access shall be securely maintained. The organization shall ensure onsite personnel and visitors can be easily distinguished. All employees, contractors and third party users and all visitors shall be required … when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards and combinations, are returned disabled or changed. Identification should also be updated when access requirements change to ensure their status can be easily distinguished. PCI cross reference

PCI DSS v3 9.3 Content for 9.3 is new for PCI DSS v3; content consistent with 08.b

08.b 3

Removed: Combinations and keys shall be changed … and when keys are lost, combinations are compromised, or individuals are transferred or terminated.

Administrative change Requirement addressed in level 2 with the addition of language supporting PCI DSS v3 9.3

08.b 3 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-2

Requires IDS installed IAW applicable standards

08.b 3 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-3 Requires testing of IDS


08.b 3

Added: The organization shall monitor and investigate notifications from real-time physical intrusion alarms and surveillance equipment. NIST cyber cross-reference

NIST Cybersecurity Framework RS.AN-1

Requires monitoring of real-time physical intrusion alarms and surveillance equipment; clarification on response added.

08.c 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.DP-2

Requires consideration of relevant health and safety regulations when securing facilities

08.c 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.3 Updated mapping for 2013 ISO release

08.c 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-2 Specifies video monitoring

08.c 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-3

Specifies monitoring of individual access to sensitive areas

08.c 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-7

Specifies use of automated mechanisms to recognize potential intrusions

08.c 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Addresses securing of facilities for asset protection

08.d 1 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.4 Updated mapping for 2013 ISO release

08.d 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.IP-5

Addresses requirements for the physical operating environment


08.e 1 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.5 Updated mapping for 2013 ISO release

08.e 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-2

Addresses requirements for locking and checking vacant secure areas

08.e 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Addresses requirements for locking and checking vacant secure areas

08.e 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework RS.CO-3

Requires coordination with incident response team

08.f 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Addresses management of assets in public access areas, such as delivery and loading

08.f 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.1.6 Updated mapping for 2013 ISO release

08.g PCI Data

Added: The organization shall periodically inspect payment card device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).

PCI DSS v3 9.9.2 Requirement is PCI-specific

08.g 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.IP-5

Addresses policy requirements for equipment protection


08.g 1 Added: PCI cross reference

PCI DSS v3 9.9 Supports mapping of PCI DSS v3 9.9.2

08.g 1 Added: PCI cross reference

PCI DSS v3 9.9.2

Requirement to protect devices from tampering and substitution is consistent with equipment siting and protection in 08.g; content is PCI-specific and added to the PCI segment

08.g 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.1 Updated mapping for 2013 ISO release

08.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework ID.BE-4

Dependency of critical systems on utilities (power, water) is addressed

08.h 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.IP-5

Addresses policy requirements for equipment protection

08.h 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Addresses physical access requirements for infrastructure assets

08.h 3 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.2 Updated mapping for 2013 ISO release

08.i 2

Added: The organization controls physical access to information system distribution and transmission lines within organizational facilities by disabling any physical ports (e.g., wiring closets, patch panels, etc.) not in use.

CMSRs 2012v1.5 PE-4

Provided clarification of the requirement to avoid confusion with standard network ports, which will be addressed by additional language from PCI DSS v3 9.1.1


08.i 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.3 Updated mapping for 2013 ISO release

08.i 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.AC-2

Addresses physical access requirements for distribution and transmission lines

08.i 2

Added: The organization shall implement physical and/or logical controls to restrict access to publicly accessible network jacks.

PCI DSS v3 9.1.1

Original language specific to CMS IS ARS 2012v1.5 PE-4 did not address the requirement specified in PCI DSS v3 9.1.1

08.i 3 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-7

Requires technical sweeps and physical inspections for unauthorized devices

08.j 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.MA-1

Specifically addresses security of maintenance activities

08.j 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.MA-2

Addresses remote maintenance requirements

08.j 2 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.4 Updated mapping for 2013 ISO release

08.j 2 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-1

Specifically addresses clearing of data prior to maintenance activities

08.k 1

Removed: Subject to PCI Compliance, Subject to FISMA Compliance Level 1 Regulatory Factor

Administrative change No remaining PCI cross references once PCI DSS v2 9.8 (PCI DSS v3 9.6.3) is removed


08.k 1 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.6 Updated mapping for 2013 ISO release

08.k 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Requires management of equipment taken outside the organization’s premises

08.k 1 Removed: PCI cross reference

PCI DSS v2 9.8

This control is specific to removing media from secured areas; no relevant content in 08.k level 1; specific language is addressed by 09.q level 2

08.l 1 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.7 Updated mapping for 2013 ISO release

08.l 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Addresses security requirements for asset reuse or disposal

08.l 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.IP-6 Addresses secure disposal

08.l 1 Updated: PCI cross reference

PCI DSS v2 9.10.1 PCI DSS v3 9.8.1 Control remapped in PCI DSS v3

08.l 1 Updated: PCI cross reference

PCI DSS v2 9.10.2 PCI DSS v3 9.8.2 Control remapped in PCI DSS v3

08.m 1 Added: ISO cross references

ISO/IEC 27002-2013 A.11.2.5 Updated mapping for 2013 ISO release

08.m 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.DS-3

Addresses management of property taken off-site


09.a PCI Data

Added: The organization shall ensure operational procedures are documented, communicated (known to all parties) and in use for the following:

i. managing firewalls,
ii. managing vendor defaults and other security parameters,
iii. protecting stored cardholder data,
iv. encrypting transmissions of cardholder data,
v. protecting systems against malware,
vi. developing and maintaining secure systems and applications,
vii. restricting access to cardholder data,
viii. identification and authentication,
ix. restricting physical access to cardholder data,
x. monitoring access to network resources and cardholder data, and
xi. security monitoring and testing.

PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6

Requirement to provide operational procedures is addressed by 05.a but documented operations procedures are specifically addressed by 09.a; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed in support of a PCI audit or assessment

09.a 1 Added: ISO cross references

ISO/IEC 27002-2013 A.12.1.1 Updated mapping for 2013 ISO release


09.a 1 Added: PCI cross reference

PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6

Requirement to provide operational procedures is addressed by 05.a but documented operations procedures are specifically addressed by 09.a; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed

09.aa PCI Data

Added: A service provider shall protect each organization’s hosted environment and data by ensuring logging and audit trails are enabled and unique to each organization’s (customer’s) cardholder data environment and consistent with PCI DSS v3 Requirement 10.

PCI DSS v3 A.1.3

Specific language addressing logs and audit trails unique to each organization’s cardholder data environment

09.aa 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-1 Specifically addresses auditing

09.aa 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework DE.CM-3 Specifically addresses auditing

09.aa 1 Added: NIST cyber cross-reference

NIST Cybersecurity Framework PR.PT-1 Specifically addresses auditing

09.aa 2 Added: ISO cross references

ISO/IEC 27002-2013 A.12.4.1 Updated mapping for 2013 ISO release

73 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.aa | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-7 | Addresses alarms from access control systems, AV, IDS, etc. |
| 09.aa | 2 | Removed: PCI cross reference | PCI DSS v2 10.2.3 | Requirement is addressed by 09.d |
| 09.aa | 2 | Removed: PCI cross reference | PCI DSS v3 10.2.5 | Specific requirements in PCI DSS v3 10.2.5 are addressed in level 3 rather than level 2 |
| 09.aa | 3 | Removed: PCI cross reference | PCI DSS v2 10.2.7 | Requirement is addressed in level 2; PCI control already mapped at level 2; duplicate mapping |
| 09.aa | 3 | Added: PCI cross reference | PCI DSS v3 10.2.5 | Specific requirements in PCI DSS v3 10.2.5 are addressed in level 3 rather than level 2 |
| 09.aa | 3 | Added: The following shall be logged: i. … ii. the enabling, pausing or disabling of audit report generation services; and | PCI DSS v3 10.2.6 | Updated language to reflect PCI DSS v3 |
| 09.ab | PCI Data | Added: The organization shall review, at least daily, the logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD). | PCI DSS v3 10.6.1 | Requirement specific to PCI DSS v3 |
| 09.ab | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.DP-2 | Requires compliance with applicable legal requirements |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.ab | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Specifically addresses legal and regulatory requirements for monitoring |
| 09.ab | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.4.1 | Updated mapping for 2013 ISO release |
| 09.ab | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Auditing supports identification and remediation of vulnerabilities |
| 09.ab | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-2 | Addresses detecting attacks and analyzing logs and audit trails |
| 09.ab | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-3 | Addresses collection and integration of data from multiple sources; correlation is specifically addressed in level 3 |
| 09.ab | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Specifically addresses monitoring |
| 09.ab | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Addresses audit record documentation and review |
| 09.ab | 3 | Removed: Systems shall support audit reduction and report generation, and the results of monitoring activities shall be reviewed regularly. | Administrative change | Language is duplicative of other content in 09.ab, level 2; possible artifact from when additional language was added to the statement |
| 09.ab | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-4 | Monitors for malicious code |
| 09.ab | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-7 | Addresses monitoring of remote connections |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.ab | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.DP-4 | Requires alert notifications from automated tools; requires alerting of personnel to unauthorized modification of critical system files, etc. |
| 09.ab | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-1 | Requires appropriate actions be taken, e.g., when an unauthorized connection is discovered |
| 09.ab | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-2 | Addresses reporting |
| 09.ab | 3 | Added: The results of monitoring activities shall be reviewed daily, through the use of automated tools, for those: i. all security events, ii. logs of all critical system components, and iii. logs of all servers that perform security functions like intrusion detection system (IDS), intrusion prevention … | PCI DSS v3 10.6.1 | Updated language to reflect additional requirements in PCI DSS v3 10.6.1 |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.ab | 3 | Added: The automated tools shall generate alert notification for technical staff review and assessment. The organization shall review logs of all other system components periodically based on its policies and risk management strategy, as determined by the organization’s annual risk assessment. | PCI DSS v3 10.6.2 | New requirement in PCI DSS v3 |
| 09.ab | 3 | Added: Suspicious activity or suspected violations on the information system identified during the review process shall be investigated, with findings reported to appropriate officials and take appropriate action; PCI cross reference | PCI DSS v3 10.6.3 | Existing language modified to better reflect requirement in PCI DSS v3 10.6.3 |
| 09.ab | 3 | Added: The organization shall deploy a change-detection mechanism (e.g., file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. | PCI DSS v3 11.5 | Updated language to reflect changes in PCI DSS v3 |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.ab | 3 | Added: The organization shall deploy a change-detection mechanism … or content files; and configures the software to perform critical file comparisons at least weekly, and responds to any alerts generated. | PCI DSS v3 11.5.1 | Updated relevant language to reflect new requirement in PCI DSS v3 |
| 09.ac | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.4.1; ISO/IEC 27002-2013 A.12.4.3 | Updated mapping for 2013 ISO release |
| 09.ac | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Protection is part of audit log implementation |
| 09.ac | 3 | Added: Write logs for external-facing technologies (wireless, firewalls, DNS, mail) onto a secure, centralized log server or media device on the internal LAN. | PCI DSS v3 10.5.4 | Updated language to reflect clarification provided in PCI DSS v3 10.5.4 |
| 09.ac | 3 | Added: The organization shall … alerts (although new data being added should not cause an alert), and responds to any alerts generated. | PCI DSS v3 11.5.1 | Updated relevant language to reflect new requirement in PCI DSS v3 |
| 09.ad | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.4.3 | Updated mapping for 2013 ISO release |
| 09.ad | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Addresses administrator and operator logs |
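The change-detection requirement in the 09.ab level 3 entries (PCI DSS v3 11.5 and 11.5.1) and the log-integrity caveat in the 09.ac level 3 entry (existing log data must not change without an alert, while new data being appended must not cause one), as an added Python example that is not HITRUST's or the CSF's own code: the baseline format, the SHA-256 choice and the constructed sample files are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 65536


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of a file (the whole file when None)."""
    h = hashlib.sha256()
    remaining = length if length is not None else float("inf")
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(int(min(CHUNK, remaining)))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and hash of each critical file; the periodic comparison runs against this."""
    return {p: {"size": os.path.getsize(p), "sha256": sha256_prefix(p)} for p in paths}


def compare(baseline, append_only=frozenset()):
    """Compare the files on disk against the baseline and return (path, reason) alerts.

    Files in `append_only` (audit logs) may grow: an alert is raised only when the
    bytes that existed at baseline were modified, the file shrank, or it vanished.
    Every other baselined file must be byte-for-byte unchanged.
    """
    alerts = []
    for path, ref in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing"))
            continue
        size = os.path.getsize(path)
        if path in append_only:
            if size < ref["size"]:
                alerts.append((path, "log truncated"))
            elif sha256_prefix(path, ref["size"]) != ref["sha256"]:
                alerts.append((path, "existing log data modified"))
        elif size != ref["size"] or sha256_prefix(path) != ref["sha256"]:
            alerts.append((path, "modified"))
    return alerts


def _names(alerts):
    return sorted((os.path.basename(p), reason) for p, reason in alerts)


def demo():
    """Run three constructed scenarios and return the alerts each one produces."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "app.conf")
        log = os.path.join(d, "audit.log")
        with open(cfg, "w") as f:
            f.write("listen=443\ntls_min=1.2\n")
        with open(log, "w") as f:
            f.write("2014-07-23T08:00:00Z login ok user=alice\n")  # constructed sample
        baseline = build_baseline([cfg, log])
        results = {}

        # 1. the audit log grows: allowed, no alert
        with open(log, "a") as f:
            f.write("2014-07-23T08:05:00Z login fail user=bob\n")
        results["log_appended"] = _names(compare(baseline, append_only={log}))

        # 2. a configuration file changes (same size, different bytes): alert
        with open(cfg, "w") as f:
            f.write("listen=443\ntls_min=1.0\n")
        results["config_changed"] = _names(compare(baseline, append_only={log}))

        # 3. a log record that existed at baseline is rewritten: alert
        with open(log, "r+") as f:
            data = f.read()
            f.seek(0)
            f.write(data.replace("user=alice", "user=nobody"))
            f.truncate()
        results["log_tampered"] = _names(compare(baseline, append_only={log}))
        return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(scenario, alerts or "no alert")
```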

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.ad | 1 | Removed: PCI cross reference | PCI DSS v2 A.1.3 | 09.ad only peripherally addresses the PCI DSS v3 A.1.3 requirement; specific language addressing logs and audit trails unique to each organization’s cardholder data environment will be addressed in the PCI segment for 09.aa, Audit Logging |
| 09.ae | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.4.1 | Updated mapping for 2013 ISO release |
| 09.ae | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Addresses fault logging |
| 09.af | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.4.4 | Updated mapping for 2013 ISO release |
| 09.af | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Clock synchronization is part of audit log implementation |
| 09.af | 1 | Added: The organization shall synchronize all critical system clocks and times where a computer or communications device has the capability to operate a real-time clock. This clock shall be set … | PCI DSS v3 10.4 | Language updated to better reflect the PCI DSS v3 requirement |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.af | 1 | Added: … This clock shall be set to an agreed standard received from industry-accepted time sources, either Coordinated Universal Time (UTC) or International Atomic Time. As some clocks are known to drift with time, there shall be a procedure that checks for and corrects any significant variation. | PCI DSS v3 10.4.3 | Language from the PCI DSS v3 requirement added for clarification |
| 09.b | 2 | Added: ISO cross references | ISO/IEC 27001-2013 8.1; ISO/IEC 27002-2013 A.12.1.2 | Updated mapping for 2013 ISO release |
| 09.b | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-3 | Addresses change control processes |
| 09.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Specifically addresses segregation of duties |
| 09.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Segregation can be applied to support data leakage prevention |
| 09.c | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.6.1.2 | Updated mapping for 2013 ISO release |
| 09.d | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.1.4 | Updated mapping for 2013 ISO release |
| 09.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-7 | Specifically addresses separation of development, test and production environments; level 1 addresses minimization of testing but level 2 addresses actual separation |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.d | 2 | Added: The level of separation between operational, test, and development environments shall be identified and controls shall be implemented to prevent operational issues, including: i. along with removing accounts, a review of all custom code preceding the release to production or to customers must be completed in order to identify any possible coding vulnerability, to include at least the following: a. code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices; b. code reviews ensure code is developed according to secure coding guidelines; c. appropriate corrections are implemented prior to release; and d. code-review results are reviewed and approved by management prior to release. | PCI DSS v3 6.3.2 | Added new language in PCI DSS v3 |
| 09.e | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(43) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.e | 2 | Added: ISO cross references | ISO/IEC 27001-2013 8.1 | Updated mapping for 2013 ISO release |
| 09.e | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Addresses monitoring of service levels |
| 09.e | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-4 | Requires cataloguing of current service providers |
| 09.e | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Requires the service provider to protect the organization’s data and ensure service continuity levels are met |
| 09.e | 2 | Removed: PCI cross reference | PCI DSS v2 12.8.3 | Monitoring service delivery is a due care issue; the intent of PCI DSS v3 12.8.3 is to exercise an appropriate level of due diligence prior to establishing a relationship |
| 09.f | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(43) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered |
| 09.f | 2 | Added: ISO cross references | ISO/IEC 27001-2013 8.1; ISO/IEC 27002-2013 A.15.2.1 | Updated mapping for 2013 ISO release |
| 09.f | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Specifically addresses security incidents as part of third-party monitoring |
| 09.f | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Specifies monitoring shall involve a service management relationship and process between the organization and the third party |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-1 | Level 1 requires change management procedures for third party services and level 2 identifies specific requirements for change management |
| 09.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Level 1 requires change management procedures for third party services and level 2 identifies specific requirements for change management |
| 09.g | 2 | Added: ISO cross references | ISO/IEC 27001-2013 8.1; ISO/IEC 27002-2013 A.15.2.2 | Updated mapping for 2013 ISO release |
| 09.h | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.1.3 | Updated mapping for 2013 ISO release |
| 09.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-4 | Specifically addresses capacity requirements |
| 09.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Addresses capacity requirements for audit logs (implementation) |
| 09.i | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.14.2.9 | Updated mapping for 2013 ISO release |
| 09.j | 1 | Removed: Subject to PCI Compliance, Level 1 Regulatory Factors | N/A | Moved from level 1 to accommodate addition of PCI requirements in level 2 |
| 09.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-4 | Specifically addresses malicious code detection |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.j | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.2.1 | Updated mapping for 2013 ISO release |
| 09.j | 2 | Added: Subject to PCI Compliance, Subject to FISMA … Level 1 Regulatory Factors | N/A | Moved from level 1 to accommodate addition of PCI requirements in level 2 |
| 09.j | 2 | Added: For systems considered to be not commonly affected by malicious software, the organization shall perform periodic assessments to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software; PCI cross reference | PCI DSS v3 5.1.2 | Although considered a new best practice, the requirement was added to level 2 due to the analysis requirement; language supporting the new PCI DSS v3 5.3, which also provides a more stringent requirement, was already contained in level 2 |
| 09.j | 2 | Added: Malicious code protection mechanisms shall be centrally managed. Non-privileged users are prevented from circumventing malicious code protection capabilities, unless specifically authorized by management on a case-by-case basis for a limited time period; PCI cross reference | PCI DSS v3 5.3 | Existing language modified to reflect new v3 requirement |
| 09.k | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-5 | Specifically addresses mobile code |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.k | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.2.2 | Updated mapping for 2013 ISO release |
| 09.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-4 | Specifically addresses back-up |
| 09.l | 1 | Updated: PCI cross reference | PCI DSS v2 9.5; PCI DSS v3 9.5.1 | Control remapped in PCI DSS v3 |
| 09.l | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.12.3.1 | Updated mapping for 2013 ISO release |
| 09.m | PCI Data | Added: The organization shall ensure network diagrams identify all cardholder data connections. | PCI DSS v3 1.1.2 | Provides specific guidance for PCI cardholder data |
| 09.m | PCI Data | Added: The organization shall ensure network diagrams identify all cardholder data connections and cardholder data flows. | PCI DSS v3 1.1.3 | New requirement in PCI DSS v3 |
| 09.m | PCI Data | Added: Using intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network, monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. | PCI DSS v3 11.4 | Requirement specific to a robust implementation of IDS/IPS in and around the cardholder data environment |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Specifically addresses network diagrams that indicate data flows |
| 09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Addresses monitoring of all authorized and unauthorized wireless access |
| 09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Specifically addresses network diagrams that indicate data flows |
| 09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections support data leakage prevention |
| 09.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1 | Supports sub-requirements PCI DSS v3 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6 and 1.1.7, which are mapped to the control |
| 09.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1.5 | Added to reflect renumbering from 1.1.3 to 1.1.4 in PCI DSS v3 |
| 09.m | 1 | Added: Misconfigured wireless networks and vulnerabilities in … covered information environments. The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation …; PCI cross reference | PCI DSS v3 11.1 | Requirement modified in PCI DSS v3; previous mapping at 09.m level 2 was moved to level 1 |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.m | 1 | Deleted: v. firmware on wireless devices to support strong encryption for authentication and transmission over wireless networks; vi.v other security-related … | PCI DSS v3 2.1.1 | The requirement was removed from PCI DSS v3 and incorporated into the test procedures for the control (2.1.1d). Previous language was inconsistent with the rest of the list for “change the following”; requirements for strong encryption for authentication and transmission over wireless networks are addressed by other language |
| 09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Requires identification and authentication of network devices |
| 09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Specifically addresses the use of firewalls to segment and protect the internal network |
| 09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Requires protection of information in transit |
| 09.m | 2 | Removed: PCI cross reference | PCI DSS v2 11.1 | Language is addressed in level 1; cross reference moved |
| 09.m | 2 | Removed: PCI cross reference | PCI DSS v2 4.1 | Requirement for encryption of data over public networks is not contained in 09.m; maps to content contained in 10.s |
| 09.m | 2 | Added: PCI cross reference | PCI DSS v3 11.4 | New requirement related to intrusion detection addressed by 09.m |
| 09.m | 3 | Added: ISO cross references | ISO/IEC 27002-2013 A.13.1.1 | Updated mapping for 2013 ISO release |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.m | 3 | Removed: PCI cross reference | PCI DSS v3 1.1.5 | Removed due to renumbering of requirements in PCI DSS v3 |
| 09.m | 3 | Added: PCI cross reference | PCI DSS v3 1.1.7 | Added to reflect renumbering in PCI DSS v3 due to the addition of a new requirement at 1.1.3 |
| 09.n | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(43) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered |
| 09.n | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.13.1.2 | Updated mapping for 2013 ISO release |
| 09.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Specifies certain responsibilities, e.g., the right to audit; additional requirements outlined in level 2 |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Specifically addresses the information communicated for each connection, which is required to support documentation of data flows |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Provides for organizational monitoring of external service providers |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-7 | Provides for organizational monitoring of external service providers |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Requires identification of information communicated when authorizing system connections |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.n | 2 | Added: The organization shall: ii. centrally document for each connection, the interface characteristics, security requirements, and the nature of the information communicated; NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-4 | Requires authorization of connections to all external systems; clarification added |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Specifies providing services in accordance with (IAW) applicable laws and regulations |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Specifies requirements for third parties, including contract provisions |
| 09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Addresses security requirements for each connection, which would include communications and control networks |
| 09.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Specifically addresses removable media |
| 09.o | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.8.3.1 | Updated mapping for 2013 ISO release |
| 09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-3 | Requires formal management of assets awaiting and during disposal |
| 09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Secure destruction supports data leakage prevention |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-6 | Specifically addresses destruction |
| 09.p | 1 | Updated: PCI cross reference | PCI DSS v2 9.10; PCI DSS v3 9.8 | Control remapped in PCI DSS v3 |
| 09.p | 1 | Added: The organization shall destroy media when it is no longer needed for business or legal reasons. Formal procedures for the secure disposal … | PCI DSS v3 9.8 | Requirement was mapped to 09.p level 1 as PCI DSS v2 9.10 but not specifically addressed; language added |
| 09.p | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.8.3.2 | Updated mapping for 2013 ISO release |
| 09.q | PCI Data | Added: The system shall not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, the system shall render all data unrecoverable upon completion of the authorization process. | PCI DSS v3 3.2 | PCI only requirement |
| 09.q | PCI Data | Added: The system shall not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data. | PCI DSS v3 3.2.1 | PCI only requirement |

| CSF Control | Control Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 09.q | PCI Data | Added: The system shall not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. | PCI DSS v3 3.2.2 | PCI only requirement |
| 09.q | PCI Data | Added: The system shall not store the personal identification number (PIN) or the encrypted PIN block. | PCI DSS v3 3.2.3 | PCI only requirement |
| 09.q | PCI Data | Added: The system shall mask the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. (Note this requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.) | PCI DSS v3 3.3 | PCI only requirement |
| 09.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-3 | Requires procedures for handling, processing, communication and storage of information, including media awaiting disposal |
| 09.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Requires procedures for handling, processing, communication and storage of information, including media awaiting disposal |
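The PAN display rule in the 09.q PCI Data entry for PCI DSS v3 3.3 (at most the first six and last four digits shown, full PAN only for a legitimate business need), as an added Python example that is not HITRUST's or the CSF's own code: the role set, the PAN length check and the constructed sample card number are assumptions, and the checker also covers a rendered value that a report or screen already produced.

```python
import re

# PCI DSS v3 3.3 ceiling: no more than the first six and last four digits displayed
MAX_LEADING = 6
MAX_TRAILING = 4

# Assumption: the roles with a documented, legitimate business need for the full PAN
FULL_PAN_ROLES = frozenset({"fraud_investigator"})

# Constructed test number (a well-known test value), not a real account
SAMPLE_PAN = "4111 1111 1111 1111"


def mask_pan(pan, leading=MAX_LEADING, trailing=MAX_TRAILING, mask_char="*"):
    """Return the PAN with only the first `leading` and last `trailing` digits visible.

    Callers may show fewer digits than the ceiling, never more.
    """
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("requested display exceeds the first-six/last-four maximum")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:  # assumption: typical PAN lengths
        raise ValueError("input does not look like a PAN")
    hidden = len(digits) - leading - trailing
    tail = digits[len(digits) - trailing:] if trailing else ""
    return digits[:leading] + mask_char * hidden + tail


def display_pan(pan, role):
    """Full PAN only for roles with a legitimate business need; masked for everyone else."""
    return pan if role in FULL_PAN_ROLES else mask_pan(pan)


def visible_digit_counts(display):
    """(leading, trailing) visible digit counts of a rendered PAN, or None if nothing is masked."""
    compact = re.sub(r"[\s-]", "", display)
    m = re.fullmatch(r"(\d*)(\D+)(\d*)", compact)
    if m is None:
        return None
    return len(m.group(1)), len(m.group(3))


def is_compliant_display(display):
    """Check a value already rendered on a screen, report or receipt against the 3.3 ceiling."""
    counts = visible_digit_counts(display)
    if counts is None:
        return False  # unmasked (or unparseable) output fails closed
    lead, trail = counts
    return lead <= MAX_LEADING and trail <= MAX_TRAILING


if __name__ == "__main__":
    print(display_pan(SAMPLE_PAN, "customer_service"))
    print(display_pan(SAMPLE_PAN, "fraud_investigator"))
    for rendered in ("411111******1111", "4111111*****1111", SAMPLE_PAN):
        print(rendered, "compliant" if is_compliant_display(rendered) else "NOT compliant")
```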

Page 92: HITRUST Common Security Framework Summary of … ·  · 2014-07-23initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST,

CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.q | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.2.3 | Updated mapping for 2013 ISO release
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.6 → PCI DSS v3 9.5 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.7 → PCI DSS v3 9.6 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.8 → PCI DSS v3 9.6.3 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.9 → PCI DSS v3 9.7 | Control remapped in PCI DSS v3
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.1 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.2 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.3 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.3 | PCI only requirement


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.q | 2 | Added: The organization shall maintain strict control over the storage and accessibility of media. Management shall approve any and all media … | PCI DSS v3 9.7 | Requirement was mapped to 09.q level 2 as PCI DSS v2 9.9 but not addressed; language added
09.r | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Protection of system documentation is necessary to avoid disclosure of possible vulnerabilities
09.s | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.1 | Updated mapping for 2013 ISO release
09.s | 1 | Added: The organization shall ensure that communications protection requirements … and compliance audits (see 06.g) consistent with relevant legislation. NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses the "consistent with relevant legislation" policy language in the control objective, which was not explicitly addressed before
09.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Addresses requirements for remote access sessions


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.s | 1 | Added: Formal procedures shall be defined to encrypt data in transit, including use of strong cryptography protocols to safeguard covered information during transmission over open public networks. • Only trusted keys and certificates shall be accepted. • The protocol in use shall only support secure versions or configurations. • The encryption strength shall be appropriate to the encryption methodology in use. PCI cross reference | PCI DSS v3 4.1 | Requirement is addressed in level 1 rather than level 2; language updated to reflect changes in PCI DSS v3
09.s | 2 | Removed: PCI cross reference | PCI DSS v2 4.1 | Requirement is addressed in level 1 rather than level 2
09.t | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.2 | Updated mapping for 2013 ISO release
09.t | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Exchange agreements identify specific responsibilities for third parties
09.u | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.3.3 | Updated mapping for 2013 ISO release
09.u | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Addresses data (media) in transit


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.u | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Addresses transit of all media
09.u | 1 | Updated: PCI cross reference | PCI DSS v2 9.7.2 → PCI DSS v3 9.6.2 | Control remapped in PCI DSS v3
09.v | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.3 | Updated mapping for 2013 ISO release
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal considerations, e.g., regarding electronic signatures
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Addresses electronic messaging
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Security of electronic messaging supports data leakage prevention
09.v | 1 | Updated: The organization shall never send unencrypted covered sensitive information (e.g., covered information, PANs) by end-user messaging technologies (e.g., e-mail, instant messaging, and chat). PCI cross reference | PCI DSS v3 4.2 | Requirement for covered information already addressed
09.w | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(4) → §164.308(b)(3) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Addresses baselines for basic security hygiene in interconnected systems
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Addresses segregation of untrusted and trusted networks
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Specifies baselines for basic security hygiene in interconnected systems
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal requirements for the use of cryptographic controls
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Specifies data in transit protections for electronic commerce, e.g., the use of cryptographic controls to enhance security
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifies data at rest protections for electronic commerce, e.g., against the loss or duplication of order information
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Multiple requirements support data leakage prevention
09.x | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.2 | Updated mapping for 2013 ISO release
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Specifies data in transit protections for online transactions, e.g., the use of cryptographic controls
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifies that security shall be maintained through all aspects of the transaction


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Multiple requirements support data leakage prevention
09.y | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.3 | Updated mapping for 2013 ISO release
09.z | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Specifies that only authorized individuals may post information onto publicly accessible information systems
09.z | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Requires protections for the integrity of the information stored, processed and transmitted
09.z | 2 | Added: ISO cross references | ISO/IEC 27001:2013 A.14.1.2 | Updated mapping for 2013 ISO release
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Requires vulnerability testing of publicly accessible systems
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Requires information to be obtained in compliance with any relevant legislation
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Requires testing to ensure security baselines and configurations are met
09.z | 3 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.2 | Updated mapping for 2013 ISO release
10.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-2 | Security requirements analysis and specification is the initial part of the SDLC process


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.a | 2 | Added: ISO cross references | ISO/IEC 27001:2013 A.6.1.5; ISO/IEC 27002:2013 A.14.1.1; ISO/IEC 27002:2013 A.14.2.1; ISO/IEC 27002:2013 A.14.2.5; ISO/IEC 27002:2013 A.14.2.6; ISO/IEC 27002:2013 A.14.2.8; ISO/IEC 27002:2013 A.17.2.1 | Updated mapping for 2013 ISO release
10.a | 2 | Added: … the project management methodology. Organizations shall establish and appropriately protect a secure development environment for system development and integration efforts that cover the entire system development lifecycle. ISO cross reference | ISO/IEC 27002:2013 A.14.2.6 | Addresses information security in system development and acquisition
10.a | 2 | Added: … and evolution of requirements. Organizations developing software or systems shall perform thorough testing and verification during the development process. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure the system works as expected and only as expected. The extent of testing should be in proportion to the importance and nature of the system. ISO cross reference | ISO/IEC 27002:2013 A.14.2.8 | Addresses information security in system development and acquisition


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.a | 2 | Added: The organization shall apply information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. Organizations shall include business requirements for the availability of information systems when specifying security requirements. Where availability cannot be guaranteed using existing architectures, redundant components or architectures should be considered along with the risks associated with implementing such redundancies. Specifications for the security control requirements … ISO cross reference | ISO/IEC 27002:2013 A.17.2.1 | Incorporated new requirement to address system availability in the security engineering / SDLC process
10.a | 2 | Added: Information security shall be addressed in all phases of the project management methodology. ISO cross reference | ISO/IEC 27002:2013 A.6.1.5 | Addresses information security in system development and acquisition
10.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Data input validation helps prevent certain exploits that could result in data leakage


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Specific to data input integrity
10.b | 2 | Added: i. improper error handling (do not leak information via error messages); ii. broken authentication/sessions (prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable an intruder to assume the identity of an authorized user) | PCI DSS v3 6.5.10 | Added new validation requirement in PCI DSS v3
10.b | 2 | Added: For web applications and application interfaces (internal or external) this also includes but is not limited to: i. cross-site scripting (XSS) (validate all parameters before inclusion, utilize context-sensitive escaping, etc.); ii. improper access control, such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access functions | PCI DSS v3 6.5.8 | Added new language in PCI DSS v3


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.b | 2 | Added: For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: i. reviewing applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; ii. installing an automated technical solution that detects and prevents Web-based attacks (e.g., a Web-application firewall) in front of public-facing Web applications, to continually check all traffic. | PCI DSS v3 6.6 | Existing language was not specific to public-facing Web applications nor did it address the requirement for a technical solution; language added to reflect actual requirements
10.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Specific to integrity of processing
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifically addresses data in transit
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Controls prevent data leakage during messaging
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Addresses integrity of data during messaging


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Cryptographic control requirements support protection of data at rest
10.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Cryptographic control requirements support protection of data in transit
10.f | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.10.1.1 | Updated mapping for 2013 ISO release
10.f | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal and regulatory requirements for cryptography
10.g | PCI Data | Added: Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: i. encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key; ii. within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of-interaction device); iii. as at least two full-length key components or key shares, in accordance with an industry-accepted method. | PCI DSS v3 3.5.2 | New content in 3.5.2 is PCI-specific
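The 10.g PCI Data row above lists the three forms in which PCI DSS v3 3.5.2 allows data-encrypting keys to be held. The following Python is an added example, not code from the HITRUST summary or from PCI SSC: it checks a key-storage descriptor against those three forms and demonstrates form iii with a full-length XOR key-component split. The descriptor format is constructed for the example, and comparing key-encrypting-key strength to data-encrypting-key strength by key length assumes both are symmetric keys of the same family.

```python
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int = 2) -> list:
    """Split a key into n full-length XOR components (form iii of PCI DSS v3 3.5.2).
    The first n-1 components are random; the last is the key XORed with all of
    them, so any set of fewer than n components carries no information about the key."""
    if n < 2:
        raise ValueError("3.5.2(iii) requires at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def combine_key(parts: list) -> bytes:
    """Reconstitute the key from all of its components (a key-ceremony step;
    the result must never be written to logs or to disk in the clear)."""
    if len(parts) < 2 or len({len(p) for p in parts}) != 1:
        raise ValueError("need at least two components of identical full length")
    key = parts[0]
    for p in parts[1:]:
        key = _xor(key, p)
    return key


def kek_is_acceptable(kek_bits: int, dek_bits: int, kek_location: str, dek_location: str) -> bool:
    """Form i of 3.5.2: the key-encrypting key (KEK) is at least as strong as the
    data-encrypting key (DEK) and is stored separately from it. Strength is compared
    by key length, which assumes symmetric keys of the same family (e.g. AES)."""
    return kek_bits >= dek_bits and kek_location != dek_location


def key_storage_compliant(desc: dict) -> bool:
    """Check a key-storage descriptor (constructed format) against the three forms
    permitted by PCI DSS v3 3.5.2; any other form, e.g. a plaintext key file, fails."""
    form = desc.get("form")
    if form == "kek":
        return kek_is_acceptable(desc["kek_bits"], desc["dek_bits"],
                                 desc["kek_location"], desc["dek_location"])
    if form == "hsm":          # form ii: HSM or PTS-approved POI device holds the key
        return bool(desc.get("device"))
    if form == "components":   # form iii: at least two full-length components or shares
        parts = desc.get("components", [])
        return len(parts) >= 2 and all(len(p) == desc["key_len"] for p in parts)
    return False


if __name__ == "__main__":
    dek = secrets.token_bytes(32)          # constructed 256-bit data-encrypting key
    components = split_key(dek, 3)
    assert combine_key(components) == dek
    print(key_storage_compliant({"form": "components", "components": components, "key_len": 32}))
    print(key_storage_compliant({"form": "kek", "kek_bits": 128, "dek_bits": 256,
                                 "kek_location": "hsm-slot-1", "dek_location": "db-keys"}))
```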

10.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Cryptographic control requirements support protection of data at rest


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Cryptographic control requirements support protection of data in transit
10.g | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.10.1.2 | Updated mapping for 2013 ISO release
10.g | 2 | Added: PCI cross reference | PCI DSS v3 3.4 | General requirement to protect cryptographic keys addressed by 10.g
10.g | 2 | Added: v. storing keys in the fewest possible locations, including how authorized users obtain access to keys; PCI cross reference | PCI DSS v3 3.5.3 | General requirement for storing cryptographic keys addressed in 10.g
10.g | 2 | Added: A key management system shall be based on a formal set of standards, procedures, and secure methods for: i. verifying identity prior to generating new keys or certificates for users; ii. … | PCI DSS v3 8.2.2 | Added new language in 8.2.2 that expands verification of user identity beyond passwords to other types of authenticators
10.h | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.12.5.1 | Updated mapping for 2013 ISO release
10.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Requires maintenance of current information system baselines


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-3 | Requires maintenance of operational software in accordance with (IAW) configuration baselines
10.h | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-7 | Requires testing of operational software on separate (non-production) systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-2 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.3.1 | Updated mapping for 2013 ISO release


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | States security controls shall be applied equally to non-production and production environments
10.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | States security controls shall be applied equally to non-production and production environments
10.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Specifies an audit trail for use of operational information
10.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Restricts personnel developing and testing system code from having access to production libraries (least privilege)
10.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Safeguards against the introduction of unauthorized functionality support data leakage prevention
10.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | States access to program source code shall be restricted
10.j | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.9.4.5 | Updated mapping for 2013 ISO release
10.k | 1 | Added: ISO cross references | ISO/IEC 27001:2013 8.1; ISO/IEC 27002:2013 A.14.2.3 | Updated mapping for 2013 ISO release
10.k | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-3 | Requires change control; specific requirements contained in level 2
10.k | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.2.2; ISO/IEC 27002:2013 A.14.2.3 | Updated mapping for 2013 ISO release


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Addresses roles and responsibilities
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-4 | Specifies identification of potential impacts
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-5 | Requires risk assessment
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Specifies requirements in third party agreements / contracts
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-2 | States procedures must be incorporated into the SDLC process
10.k | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Restricts access based on least privilege / minimum necessary
10.k | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Requires monitoring of configuration settings
10.k | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-7 | Requires auditing of automated access restriction enforcement actions
10.k | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Specifically requires current configuration baselines for information systems
10.k | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Requires current baseline


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.l | 1 | Added: ISO cross references | ISO/IEC 27001:2013 8.1; ISO/IEC 27002:2013 A.14.2.7 | Updated mapping for 2013 ISO release
10.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-4 | Requires testing for malicious code
10.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-1 | Role in the supply chain is communicated through contractual requirements
10.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-3 | Protection against supply chain threats requires identification of those threats
10.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-6 | Protection against supply chain threats requires identification of risk responses
10.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Addresses contract requirements for outsourced software development
10.l | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Requires supervision and monitoring of outsourced software development
10.l | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-2 | Addresses security in the SDLC for outsourced software development up to implementation
10.m | PCI Data | Added: Perform quarterly internal vulnerability scans and rescans as needed, until all "high-risk" vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel. | PCI DSS v3 11.2.1 | Added content to PCI segment due to additional criteria for rescans and qualified personnel


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.m | PCI Data | Added: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved. | PCI DSS v3 11.2.2 | Added content to PCI segment due to additional criteria for rescans and qualified personnel
10.m | PCI Data | Added: Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel. | PCI DSS v3 11.2.3 | Added content to PCI segment due to additional criteria for rescans and qualified personnel


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.m | PCI Data | Added: Implement a methodology for penetration testing that: i. is based on industry-accepted penetration testing approaches (e.g., NIST SP 800-115); ii. includes coverage for the entire card data environment (CDE) perimeter and critical systems; iii. includes testing from both inside and outside the network; iv. includes testing to validate any segmentation and scope-reduction controls; v. defines application-layer penetration tests to include, at a minimum, the vulnerabilities identified in 10.b, level 1 (reference PCI DSS v3 6.5); vi. defines network-layer penetration tests to include components that support network functions as well as operating systems; vii. includes review and consideration of threats and vulnerabilities experienced in the last 12 months; and viii. specifies retention of penetration testing results and remediation activities' results. | PCI DSS v3 11.3 | Extensive requirements for the implementation of a penetration testing methodology are specific to PCI DSS v3


CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
10.m | PCI Data | Added: If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems. | PCI DSS v3 11.3.4 | New requirement related to pen testing addressed in 10.m, level 3; this requirement is specific to PCI
10.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Requires the organization to obtain timely information about technical vulnerabilities
10.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-2 | Requires the organization to obtain timely information about technical vulnerabilities
10.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-4 | Requires evaluation of an organization's exposure; actual risk assessment is specified in level 2
10.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-6 | Requires remediation of identified vulnerabilities
10.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-3 | Requires remediation of identified vulnerabilities
10.m | 1 | Removed: A web-application firewall shall be placed in front of public-facing web applications to detect and prevent web-based attacks. | PCI DSS v2 6.6 → PCI DSS v3 6.6 | Language was changed in v3; a Web-application firewall is only an example of the type of solution that may be required; PCI DSS v2 6.6 is addressed by CSF control 10.b Level 2

110 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 10.m | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.12.6.1 | Updated mapping for 2013 ISO release |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-8 | Requires vulnerability monitoring and assessments |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Requires establishment of roles and responsibilities |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-5 | Requires assignment of a risk ranking to newly discovered vulnerabilities |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-12 | Requires a technical vulnerability management program |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-1 | Requires auditing (logging) of all procedures undertaken |
| 10.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-3 | Requires the organization to identify any coordination responsibilities required |
| 10.m | 2 | Updated: PCI cross-reference | PCI DSS v2 6.2 → PCI DSS v3 6.1 | Control remapped in PCI DSS v3 |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 10.m | 2 | Added: Internal and external vulnerability assessments of covered sensitive information systems (e.g., systems containing covered information, cardholder data) and networked environments shall be performed on a quarterly basis, and after any significant change in the network (e.g., new system component installations, changes in network topology, firewall rule modifications, product upgrades), by a qualified individual. These tests shall include both network- and application-layer tests. | PCI DSS v3 11.2 | Added language based on changes in PCI DSS v3 11.2 |
| 10.m | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Specifies privileged access authorization to facilitate more thorough scanning |
| 10.m | 3 | Updated: PCI cross-reference | PCI DSS v2 6.1 → PCI DSS v3 6.2 | Control remapped in PCI DSS v3 |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 10.m | 3 | Added: Perform external and internal network penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a Web server added to the environment). The penetration test should also include application-layer penetration tests. Perform an enterprise security posture review annually. | PCI DSS v3 11.3.1; PCI DSS v3 11.3.2 | Updated with additional language in PCI DSS v3 11.3.1 and 11.3.2; enterprise security posture review addressed separately to avoid confusion with the pen test requirements. |
| 10.m | 3 | Added: … The penetration test should also include application-layer penetration tests. Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections. | PCI DSS v3 11.3.3 | New requirement related to pen testing addressed in 10.m, level 3 |
| 11.a | PCI Data | Added: The organization shall designate specific personnel to be available on a 24/7 basis to respond to alerts. | PCI DSS v3 12.10.3 | 24/7 response exceeds requirements specified in 11.a, level 1 |
| 11.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-2 | Requires reporting IAW specified criteria |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.a | 1 | Updated: PCI cross-reference | PCI DSS v2 12.9 → PCI DSS v3 12.10 | Control remapped in PCI DSS v3 |
| 11.a | 1 | Updated: PCI cross-reference | PCI DSS v2 12.9.3 → PCI DSS v3 12.10.3 | Control remapped in PCI DSS v3 |
| 11.a | 2 | Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … (Level 1 Regulatory Factor) | Administrative change | HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D |
| 11.a | 2 | Added: Reports to the individuals affected by the incident shall be … included in the breach. For fewer than 10 individuals, a substitute form of notice reasonably calculated to reach the individual shall be provided, except when there is insufficient or out-of-date information that precludes written notification to the next of kin or personal representative. The organization shall also notify, without … | HIPAA § 164.404(d)(2) | Added missing requirement for fewer than 10 individuals when substitute notice is required. |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.a | 2 | Added: The policy shall refer to the specific ... Procedures shall be developed to provide for the definition and assessment of information security incidents (e.g., an event/incident classification scale to decide whether an event classifies as an incident), roles and responsibilities, incident handling, reporting and communication processes (with ISO cross-reference) | ISO/IEC 27002:2013 A.16.1.4 | Provides additional clarification for existing requirement for the definition of information security incidents |
| 11.a | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.16.1.4 | Updated mapping for 2013 ISO release |
| 11.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Outlines specific reporting requirements from the HIPAA Data Breach Notification Rule |
| 11.a | 2 | Removed: PCI cross-reference | PCI DSS v2 12.5.2 | 11.a addresses reporting information security events but does not require formally assigning responsibilities for monitoring, analyzing and distributing security alerts; this will be addressed in 05.c |
| 11.a | 2 | Removed: PCI cross-reference | PCI DSS v2 12.5.3 | 11.a addresses related procedures but does not require formally assigning responsibilities for establishing, documenting and distributing security incident response and escalation procedures; this will be addressed in 05.c |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.a | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.1 → PCI DSS v3 12.10.1 | Control remapped in PCI DSS v3 |
| 11.a | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.4 → PCI DSS v3 12.10.4 | Control remapped in PCI DSS v3 |
| 11.a | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.5 → PCI DSS v3 12.10.5 | Control remapped in PCI DSS v3 |
| 11.a | 3 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.16.1.2 | Updated mapping for 2013 ISO release |
| 11.a | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | Requires improvement of implemented controls based on analysis of prior incidents |
| 11.b | 1 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.16.1.3 | Updated mapping for 2013 ISO release |
| 11.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Requires reporting of potential weaknesses (vulnerabilities) |
| 11.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-9 | Establishes incident response capability (policies, procedures) |
| 11.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-4 | Requirement to handle different types of incidents is specified (w/ examples provided) |
| 11.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-1 | Specifies containment |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-2 | Specifies corrective actions (mitigation) |
| 11.c | 1 | Updated: PCI cross-reference | PCI DSS v2 12.9 → PCI DSS v3 12.10 | Control remapped in PCI DSS v3 |
| 11.c | 1 | Added: Procedures shall be established to handle different types of information security incidents including: … viii. identity theft; and ix. unauthorized wireless access points. (with PCI cross-reference) | PCI DSS v3 11.1.2 | New requirement supporting PCI DSS v3 6.1 |
| 11.c | 2 | Removed: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to HITECH Breach Notification Requirements, Subject to … (Level 1 Regulatory Factor) | Administrative change | HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.c | 2 | Added: The organization shall respond to incidents in accordance with the documented procedures, which should include but not be limited to the following: i. collecting evidence as soon as possible after the occurrence (see 11.e); ii. conducting information security forensic analysis, as required (see 11.e); iii. escalation, as required; iv. ensuring that all involved response activities are properly logged for later analysis; v. communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know; vi. dealing with information security weakness(es) found to cause or contribute to the incident; and vii. once the incident has been successfully addressed, formally closing and recording it. (with ISO cross-reference) | ISO/IEC 27002:2013 A.16.1.5 | New ISO control is intended to ensure organizations actually implement the procedures they develop |
| 11.c | 2 | Added: ISO cross-references | ISO/IEC 27002:2013 A.16.1.1; ISO/IEC 27002:2013 A.16.1.5 | Updated mapping for 2013 ISO release |
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-3 | The monitoring of systems, alerts, and vulnerabilities is used to detect information security incidents |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-1 | Requires training of incident response personnel |
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-3 | Requires communication of incident response policy/procedures to appropriate parties in the organization |
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-4 | Multiple requirements addressing communication and coordination |
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.IM-2 | Periodic reviews of the incident response capability, which includes recovery strategies, are required |
| 11.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.RP-1 | Multiple requirements imply execution of response capability |
| 11.c | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.1 → PCI DSS v3 12.10.1 | Control remapped in PCI DSS v3 |
| 11.c | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.2 → PCI DSS v3 12.10.2 | Control remapped in PCI DSS v3 |
| 11.c | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.4 → PCI DSS v3 12.10.4 | Control remapped in PCI DSS v3 |
| 11.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Requires reporting consistent with applicable laws & regulations |
| 11.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-1 | Order of operations (roadmap, approach) is addressed in level 3; responsibilities are also addressed |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-5 | Requires communications (voluntary sharing) with stakeholders (e.g., CERT, FedCIRC) |
| 11.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.IM-1 | Requires updates to policies and procedures based on lessons learned (only periodic reviews are required in level 2) |
| 11.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-2 | Requires reporting to appropriate authorities (external, e.g., law enforcement) |
| 11.d | 1 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.16.1.6 | Updated mapping for 2013 ISO release |
| 11.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Requires evaluation of incidents to determine likelihood and impact, which necessarily requires threat modeling |
| 11.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-4 | Requires identification of recurring or high-impact incidents |
| 11.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-2 | Requires identification of recurring or high-impact incidents |
| 11.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.RP-1 | Lessons learned implies the capability was implemented |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-2 | Requires analysis as part of the incident capability |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-3 | Components of the incident response capability include IPS, IDS, forensics, and vulnerability assessments |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Requires definition of roles and responsibilities |
| 11.d | 2 | Added: The organization shall: 1. implement an incident handling capability for security incidents that includes detection and analysis, containment, eradication, and recovery (including public relations); (with NIST cyber cross-reference) | NIST Cybersecurity Framework RC.CO-1 | Lessons learned imply implementation; capability includes recovery, and language added for clarification around public relations |
| 11.d | 2 | Added: The organization shall: 2. implement an incident handling capability for security incidents that includes detection and analysis, containment, eradication, and recovery (including public relations and reputation management); (with NIST cyber cross-reference) | NIST Cybersecurity Framework RC.CO-2 | Lessons learned imply implementation; capability includes recovery, and language added for clarification around mitigating negative impact to organizational reputation |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.CO-3 | Requires coordination of incident handling activities with contingency planning |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.IM-1 | Requires incorporation of lessons learned (capability includes recovery) |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.IM-2 | Requires implementation of changes IAW lessons learned (capability includes recovery) |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.IP-1 | Lessons learned imply implementation; capability includes recovery, and language added for clarification around public relations |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-1 | Requires detection and analysis (investigation) |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-2 | Addresses forensics |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-3 | Requires communication |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-4 | Requires coordination |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.IM-1 | Requires incorporation of lessons learned |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.IM-2 | Requires implementation of changes IAW lessons learned |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-1 | Addresses containment |
| 11.d | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.MI-2 | Addresses eradication (mitigation) |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 11.d | 2 | Updated: PCI cross-reference | PCI DSS v2 12.9.6 → PCI DSS v3 12.10.6 | Control remapped in PCI DSS v3 |
| 11.e | PCI Data | Added: A service provider shall protect each organization’s hosted environment and data by enabling processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider. | PCI DSS v3 A.1.4 | Specific language addressing logs and audit trails unique to each organization’s cardholder data environment |
| 11.e | 1 | Removed: Subject to HITECH Breach Notification Requirements (Level 1 Regulatory Factor) | Administrative change | HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D |
| 11.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses collection of evidence IAW the laws of the relevant jurisdiction(s) |
| 11.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.AN-2 | Addresses collection of evidence IAW the laws of the relevant jurisdiction(s) |
| 11.e | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.16.1.7 | Updated mapping for 2013 ISO release |
| 11.e | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-11 | Requires procedures for the purposes of disciplinary action (HR security) |
| 12.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-5 | Requires identification of all critical information system assets |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.a | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.17.1.2 | Updated mapping for 2013 ISO release |
| 12.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-4 | Requires an understanding of the risks, including likelihood and impact |
| 12.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Requires assignment of responsibilities to an individual at an appropriate level within the organization |
| 12.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-5 | Requires an understanding of the impact incidents have on the business to establish business objectives of the information assets |
| 12.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-9 | Identifies key elements of the business continuity program |
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-2 | Requires a holistic view of the organization’s environment to determine potential causes of interruption |
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-4 | Requires a plan to implement the overarching business continuity strategy; additional detail provided in level 2 |
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Requires identification of vulnerabilities with respect to identification of threats (part of risk assessment) |
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-3 | Requires identification of internal and external threats to continuity of operations |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-4 | Requires determination of potential impacts |
| 12.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-5 | Requires a risk determination |
| 12.b | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.17.1.2 | Updated mapping for 2013 ISO release |
| 12.b | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RM-3 | Requires a BIA with respect to the consequences of disasters, security failures, loss of service and service availability |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-5 | Addresses required business objectives for restoration (priorities) |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Addresses roles and responsibilities in the planning process |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-4 | Addresses assessment of internal and external dependencies |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-5 | Establishes RTOs/RPOs |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-9 | Specifically addresses business continuity implementation and management; additional detail provided in levels 2 & 3 |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.CO-3 | Addresses distribution to specific individuals or their functional equivalents |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.RP-1 | Control specification addresses implementation of the plans, which are the focus of the requirement statements throughout the control |
| 12.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-4 | Requires coordination of contingency planning activities with incident handling activities |
| 12.c | 1 | Updated: PCI cross-reference | PCI DSS v2 12.9.1 → PCI DSS v3 12.10.1 | Control remapped in PCI DSS v3 |
| 12.c | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.17.1.2 | Updated mapping for 2013 ISO release |
| 12.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-1 | Addresses education of staff |
| 12.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Requires protection of BC documentation, which could indicate vulnerabilities if disclosed inappropriately |
| 12.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-4 | Requirements for the resumption of normal services addressed for alternate processing sites |
| 12.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | Requires plans be kept up-to-date |
| 12.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-1 | Addresses identification and agreement of all responsibilities and procedures |
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-5 | Requires conditions for activating the plans as well as escalation plans |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-5 | Requires the framework to identify critical assets and resources needed |
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Specifies plans shall have a specific owner |
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.BE-5 | Addresses procedures to move essential activities or support services to alternative temporary locations |
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-1 | Addresses training requirements |
| 12.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-1 | Plans must specify the individuals responsible for executing each component of the plan |
| 12.d | 2 | Removed: Each plan shall have a specific owner. Emergency procedures, … shall include defined responsibilities of the service providers. | Administrative change | Requirements are a duplicate of language contained in level 1 |
| 12.d | 2 | Removed: Each business continuity plan shall describe the approach for continuity, ensuring … new requirements are identified, any existing emergency procedures (e.g. evacuation plans or fallback arrangements) shall be amended as appropriate. | Administrative change | Requirements are a duplicate of language contained in level 1 |
| 12.d | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.17.1.2 | Updated mapping for 2013 ISO release |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Requires team members to understand their roles and responsibilities |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Requires updates due to changes in legislation |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-10 | Specifically addresses testing |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | Addresses continuous improvement (continued effectiveness) of the business continuity plans |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-9 | Testing is part of plan management |
| 12.e | 1 | Added: The test schedule for business continuity plan(s) shall indicate how and when each element of the plan is tested. … The results of tests shall be recorded and actions taken to improve the plans, where necessary. Updates will also consider lessons learned from implementation of the business continuity plan(s). (with NIST cyber cross-reference) | NIST Cybersecurity Framework RC.IM-1 | Language added as this requirement is not explicitly addressed |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RC.IM-2 | Requires plan updates to maintain or improve effectiveness |
| 12.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework RS.CO-1 | Requires team members to understand their roles and responsibilities (specific to business continuity / recovery) |

| CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks |
|---|---|---|---|---|
| 12.e | 2 | Added: ISO cross-reference | ISO/IEC 27002:2013 A.17.1.3 | Updated mapping for 2013 ISO release |
| All | All | Replaced: HITECH Act → HIPAA § Subpart D (HITECH cross-reference) | Administrative change | All relevant CSF mappings not otherwise addressed in this Summary of Changes are updated to reflect incorporation of HITECH data breach notification requirements into the HIPAA Administrative Simplification at Subpart D |
| All | All | Updated: PCI DSS v2 → PCI DSS v3 (PCI cross-reference) | Administrative change | All relevant CSF mappings not otherwise addressed in this Summary of Changes are updated to reflect the new PCI-DSS release |