| Function | Category | Subcategory | PCI DSS v3.2.1 | NIST SP 800-53r5 Security and Privacy Controls [B9] | NICE Framework 2017 Work Roles [B11] |
|---|---|---|---|---|---|
| IDENTIFY (ID) | Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy. | ID.AM-1: Physical devices and systems within the organization are inventoried. | | CM-8, PM-5 | Technical Support Specialist |
| | | ID.AM-2: Software platforms and applications within the organization are inventoried. | | CM-8, PM-5 | Technical Support Specialist |
| PROTECT (PR) | Identity Management, Authentication, and Access Control (PR.AC): Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions. | PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. | 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. | AC-1, AC-2, IA-1, IA-2, IA-3, IA-4, IA-5, IA-6, IA-7, IA-8, IA-9, IA-10, IA-11 | System Administrator or Product Support Manager |
| | | | 3.6.1 Generate strong keys. | | |
| | | | 3.6.2 Keys are only distributed to authorized recipients. | | |
| | | | 3.6.3 Stored keys are stored encrypted. | | |
| | | | 3.6.4 A reasonable crypto period shall be set. | | |
| | | | 3.6.5 A key life cycle shall be established, denoting when keys should be destroyed and when keys should be securely kept for archived/legacy encrypted data. | | |
| | | | 3.6.7 Keys shall only be accepted from authorized sources. | | |
| | | PR.AC-3: Remote access is managed. | 8.1.5 Manage IDs used by third parties to access, support, or maintain system components via remote access as follows: | AC-1, AC-17, AC-19, AC-20, SC-15 | Information Systems Security Developer or System Administrator |
| | | PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. | 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. | AC-1, AC-2, AC-3, AC-5, AC-6, AC-14, AC-16, AC-24 | Technical Support Specialist or System Administrator |
| | | | 7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities. | | Technical Support Specialist or System Administrator |
| | | | 7.2 Establish an access control system(s) for systems components that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed. | | |
| | | PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation). | 1.1 Establish and implement firewall and router configuration standards. | AC-4, AC-10, SC-7 | Network Operations Specialist |
| | | | 1.1.4 Requirements for a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone | | Network Operations Specialist |
| | | | 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. | | Network Operations Specialist |
| | | | 1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. | | Network Operations Specialist |
| | | PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions. | 8.1.6 Limit the number of failed login attempts. | AC-1, AC-2, AC-3, AC-16, AC-19, AC-24, IA-1, IA-2, IA-4, IA-5, IA-8, PE-2, PS-3 | Systems Requirements Planner |
| | | | 8.1.7 Establish a reasonable “cool down period” for locked-out accounts prior to automatic unlocking processes. | | |
| | | | 8.1.8 Reasonable idle time prior to workstation lockout shall be established. | | |
| | | | 8.2 Where appropriate, multifactor authentication (two or more of something you know, something you have, and something you are) shall be implemented. | | |
| | | | 8.2.1 Authentication transactions and data are encrypted at rest and in transit. | | |
| | | PR.AC-7: Users, devices, and other assets are authenticated (e.g., single factor, multifactor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks). | | AC-7, AC-8, AC-9, AC-11, AC-12, AC-14, IA-1, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, IA-10, IA-11 | Systems Requirements Planner |
| | Data Security (PR.DS): Information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. | PR.DS-1: Data at rest is protected. | 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. | MP-8, SC-12, SC-28 | Information Systems Security Developer |
| | | | 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere) after authorization. This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. | | Information Systems Security Developer |
| | | | 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization. | | Information Systems Security Developer |
| | | | 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block after authorization. | | Information Systems Security Developer |
| | | | 3.4 Render Primary Account Number unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: | | Information Systems Security Developer |
| | | PR.DS-2: Data in transit is protected. | 1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment. | SC-8, SC-11, SC-12 | Information Systems Security Developer or Cyber Defense Analyst |
| | | | 1.3 Prohibit direct public access between the internet and any system component in the cardholder data environment. | | Information Systems Security Developer or Cyber Defense Analyst |
| | | PR.DS-5: Protections against data leaks are implemented. | | AC-4, AC-5, AC-6, PE-19, PS-3, PS-6, SC-7, SC-8, SC-13, SC-31, SI-4 | Information Systems Security Developer |
| | Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets. | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, incorporating security principles (e.g., concept of least functionality). | | CM-2, CM-3, CM-4, CM-5, CM-6, CM-7, CM-9, SA-10 | Enterprise Architect or Cyber Policy and Strategy Planner |
| | | PR.IP-3: Configuration change control processes are in place. | | CM-3, CM-4, SA-10 | Systems Developer or Systems Security Analyst |
| | Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. | PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities. | 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. | AC-3, CM-7 | Privacy Officer/Privacy Compliance Manager |
| | | PR.PT-4: Communications and control networks are protected. | | AC-4, AC-17, AC-18, CP-8, SC-7, SC-20, SC-21, SC-22, SC-23, SC-24, SC-25, SC-29, SC-32, SC-36, SC-37, SC-38, SC-39, SC-40, SC-41, SC-43 | Security Architect or Communications Security (COMSEC) Manager |
| DETECT (DE) | Anomalies and Events (DE.AE): Anomalous activity is detected, and the potential impact of events is understood. | DE.AE-2: Detected events are analyzed to understand attack targets and methods. | | AU-6, CA-7, IR-4, SI-4 | Cyber Defense Analyst |
| | Security Continuous Monitoring (DE.CM): The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. | DE.CM-1: The network is monitored to detect potential cybersecurity events. | | AC-2, AU-12, CA-7, CM-3, SC-5, SC-7, SI-4 | Cyber Defense Analyst |
| | | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events. | | CA-7, PE-3, PE-6, PE-20 | Network Operations Specialist |
| | | DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed. | | AU-12, CA-7, CM-3, CM-8, PE-3, PE-6, PE-20, SI-4 | Threat/Warning Analyst |
| | Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to ensure awareness of anomalous events. | DE.DP-4: Event detection information is communicated. | 10.1 Audit logs are generated, documenting user activity. | AU-6, CA-2, CA-7, RA-5, SI-4 | Cyber Defense Infrastructure Support Specialist |
| | | | 10.2 Audit events are logged. | | |
| | | | 10.2.1 User account privileges are documented. | | |
| | | | 10.2.7 The creation and deletion of system level objects are logged. | | |
| | | | 10.3 Events are logged so that they are auditable. | | |
| | | | 10.5 Audit logs are strongly protected, including encryption and strong role-based authentication for authorized log users. | | |