Requirement 2.4: Maintain an inventory of system components that are in scope for PCI DSS.
Requirement 6.1: Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (e.g., high, medium, or low) to newly discovered vulnerabilities.
Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
Requirement 12.3.4: Hardware and software technologies in use are reviewed at least once every 12 months.
Requirement 12.5.1: An inventory of system components that are in scope for PCI DSS, including a description of function/use, is maintained and kept current.

Requirement 1.2.3: An accurate network diagram(s) is maintained that shows all connections between the CDE and other networks, including any wireless networks.
Requirement 1.2.4: An accurate data-flow diagram(s) is maintained that meets the following:
• Shows all account data flows across systems and networks.
• Updated as needed upon changes to the environment.
Requirement 1.3.1: Ensure only authorized traffic is allowed between trusted and untrusted networks (e.g., internet and cardholder data environment).
Requirement 1.4.1: NSCs (Network Segmentation Controls) are implemented between trusted and untrusted networks.
Requirement 1.4.2: Inbound traffic from untrusted networks to trusted networks is restricted.
Requirement 1.4.4: System components that store cardholder data are not directly accessible from untrusted networks.
Requirement 11.4.5: When an entity uses segmentation controls to isolate the CDE from internal untrusted networks, the security of the CDE is dependent on that segmentation functioning.
Requirement 12.1: Establish, publish, and maintain a security policy that defines how cardholder data is protected.
Requirement 12.10.1: Implement an incident response plan to quickly react to security breaches or cardholder data exposure.

Requirement 10.7: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
Requirement 12.10.1: Create and implement an incident response plan that is immediately activated in case of a breach.

Article 8.1, Article 8.4: Maintain an inventory of all network assets, including hardware and software components.
Article 6: Requires the establishment of a robust ICT risk management framework that encompasses the entire lifecycle of ICT assets. This includes procurement, deployment, maintenance, and decommissioning, ensuring that each phase is managed with appropriate risk controls.
Article 8.4, Article 8.5: Keep up-to-date diagrams of the network's architecture, including all devices, connections, and configurations.
Article 9: Keep systems up-to-date to protect against vulnerabilities. Obligates financial entities to implement mechanisms for the continuous identification and assessment of ICT risks. This involves analyzing potential threats and vulnerabilities that could impact the operational resilience of the organization.

Article 9.2, Article 11.5: Model data flows to identify critical paths and ensure security controls are in place.
Article 9.1: Observe network traffic for anomalies and potential threats.
Article 9.2, Article 9.4: Ensure only authorized access to network resources using RBAC and the principle of least privilege.
Article 25: Conduct regular security assessments to identify vulnerabilities.

Develop & Test Incident Response Plans (Article 11.2-b): Define and regularly test incident response plans.
Implement Redundancy and Failover System (Article 11.4, Article 12): Ensure network resilience through redundancy in critical components.
Report on Network Activities with an Accurate Historical View (Article 19): Document and maintain a historical view of network activities for troubleshooting and reporting.

Identify
ID.AM-01: Inventories of hardware assets are maintained.
ID.AM-02: Inventories of software platforms and applications are maintained.
ID.AM-03: Assets are prioritized based on their classification, criticality, and business value.
ID.RA-01: Asset vulnerabilities are identified and documented.
ID.RA-02: Threat intelligence is received and evaluated.
Protect
PR.IP-01: A baseline configuration of systems is established and maintained.
PR.IP-09: Backups of information are conducted, maintained, and tested.

Identify
ID.BE-01: Dependencies and critical functions for delivery of critical services are identified.
Protect
PR.AC-01: Identities and credentials are issued, managed, verified, revoked, and audited.
PR.AC-05: Network integrity is protected (e.g., network segmentation).
PR.PT-03: Communications are restricted based on need to know.
Detect
DE.CM-01: The network is monitored to detect cybersecurity events.
Response
IR.PL-01: Response plans (Incident, Business Continuity) are tested.
Recovery
RC.CO-01: Recovery plans are tested and updated.

Governance
GV.RR-01: Cybersecurity reporting is accurate and timely.
GV.RR-03: Reporting supports organizational objectives, including compliance and risk.
Response
IR.MI-01: Incidents are contained and mitigated automatically where appropriate.
IR.PO-01: Response is executed automatically or semi-automatically where feasible.

Cyber Risk Management
Article 21(2)(a): Risk-management measures must include an inventory of all assets and services.
Article 21(2)(b): Implement policies on lifecycle and configuration management of ICT assets.
Article 21(2): Entities must carry out regular risk assessments to understand their exposure.
Article 21(2)(e): Policies should ensure system backups and timely restoration of critical functions.

Reporting Obligations
Article 23(1)(b): Entities must have capabilities for responding to and reporting incidents promptly.
Article 23(3): Entities must report significant incidents to national authorities and maintain documentation of response and impact.
Information Sharing
Article 30: Entities must report significant incidents to national authorities and maintain documentation of response and impact.

Security & Privacy (Part 164)
Configuration Management and Security, Risk Analysis
§164.308(a)(1)(ii)(A): Risk analysis must include identifying all systems that access ePHI.
§164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of potential risks and vulnerabilities.
§164.310(d)(1): Maintain an inventory of hardware.
§164.310(d)(2)(iii): Implement procedures for removal of ePHI from electronic media before reuse or disposal.

Security & Privacy (Part 164)
§164.308(a)(1)(i): Implement policies and procedures to prevent, detect, contain, and correct security violations.
§164.308(a)(7)(ii)(C): Implement emergency mode operation plan to ensure continuity.
Access Control
§164.312(a)(1): Implement access controls to ensure only authorized access to ePHI.
Transmission Security
§164.312(e)(1): Protect ePHI in transmission. Segmentation helps enforce least privilege.
Integrity Controls
§164.312(c)(1): The integrity of ePHI must be protected from improper alteration or destruction using firewalls, security, and routing policies.

Security & Privacy (Part 164)
§164.308(a)(6)(ii): Identify and respond to suspected security incidents.
§164.308(a)(7)(i): Establish and implement contingency plans.
Audit Controls
§164.312(b): Implement audit controls to record and examine activity.

Physical Controls
7.13 – Equipment maintenance: Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information.
Technology Controls
8.8 – Management of technical vulnerabilities: Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.
8.9 – Configuration management: Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.
8.13 – Information backup: Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.
8.16 – Monitoring activities: Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents.

Organizational Controls
5.14 – Information transfer: Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties.
5.15 – Access control: Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements.
5.30 – ICT readiness for business continuity: ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements.
Technology Controls
8.5: Use secure authentication aligned with access control policies.
8.14: Ensure redundancy to meet system availability needs.
8.20: Secure and manage networks and devices.
8.21: Define and monitor security of network services.
8.22: Segregate networks to isolate systems and users.

Organizational Controls
5.27 – Learning from information security incidents: Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls.
5.28 – Collection of evidence: The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
People Controls
6.8 – Information security event reporting: The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner.

Validate the inventory in terms of lifecycle, environmental data and software versions (CIS 12.1)
Produce complete diagrams (CIS 12.4)
Ensure correct management protocols are in use (CIS 12.3, 12.6)

Validate policy configuration and segmentation (CIS 12.2)
Confirm AAA is deployed correctly (CIS 12.5)
Validate protection of management interfaces through use of ACLs (CIS 12.8)
Validate alerting and logging configuration across the estate (CIS 13.1, 13.6)
Identify interconnection points between segments (CIS 13.4)
Trace traffic through a network IPS and transparent firewalls (CIS 13.8)
Validate port access control configuration (CIS 13.9)
Test application security policy along a traffic path (CIS 13.10)

Establish and Maintain an Enterprise Process for Reporting Incidents (CIS 17.3)
Establish and Maintain an Incident Response Process (CIS 7.4)
Conduct Post-Incident Reviews (CIS 17.8)
Establish and Maintain Security Incident Thresholds (CIS 17.9)