SESSION ID: GRC-R03
#RSAC

NIST Cybersecurity Framework and PCI DSS

Troy Leach, Chief Technology Officer, PCI Security Standards Council
Emma Sutcliffe, Senior Director, Data Security Standards, PCI Security Standards Council
PCI Security Standards Council: We Help Secure Payment Data

• Industry-driven, flexible and effective standards and programs
• Helping businesses detect, mitigate and prevent criminal attacks and breaches
• Global, cross-industry effort to increase payment security
PCI Security Standards and Programs

Standards, Training and Certification Programs, Educational Resources

• Payment Equipment
• Payment Software
• Merchant & Payment Service Provider Environments
• Training: Assessors, Investigators
• Certification: Equipment, Service Providers, Assessors, Investigators
PCI DSS and the NIST Cybersecurity Framework

NIST Cybersecurity Framework:
• Voluntary framework for managing cybersecurity-related risk
• Consists of standards, guidelines, and best practices
• Promotes the protection and resilience of critical infrastructure

PCI DSS:
• Applies wherever payment card data is stored, processed or transmitted
• Provides a baseline of technical and operational requirements
• Focused on the protection of payment card data
Standard vs. Framework

Mapping Relationships
Observations from Mapping Exercises

• Both PCI DSS and the NIST CSF provide a comprehensive approach to security
• Mapping results are not exact matches
• Controls used to meet PCI DSS can contribute to meeting the CSF, and vice versa
• Meeting either PCI DSS or the CSF does not result in the other being met
Example Mappings – Equivalence

NIST CSF (ID.AM-3):
• Organizational communication and data flows are mapped

PCI DSS (Req. 1.1):
• Network diagram that identifies all connections to/from the CDE (Req. 1.1.2)
• Diagram that shows all cardholder data flows (Req. 1.1.3)
Example Mappings – Subset

NIST CSF (PR.DS-7):
• The development and testing environment(s) are separate from the production environment

PCI DSS (Req. 6.4):
• Separate development/test environments from production environments, enforced with access controls (Req. 6.4.1)
• Separation of duties between development/test and production environments (Req. 6.4.2)
Example Mappings – Intersections

NIST CSF (PR.DS-2):
• Data-in-transit is protected

PCI DSS:
• Use strong cryptography to protect cardholder data during transmission over open, public networks (Req. 4)
• Use strong cryptography to protect authentication credentials during transmission (Req. 8.2.1)