Mapping PCI DSS to NIST CSF


Today, many organizations are required to comply with various compliance and information security frameworks, such as PCI DSS, NIST CSF, ISO 27001 and SOC 2, to ensure the security of their data. It is becoming increasingly popular for companies to enhance their data security and manage risk more effectively by combining frameworks, such as PCI DSS and the NIST Cybersecurity Framework, to achieve a comprehensive security outcome.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that ensure organizations accepting payment cards handle cardholder data securely. In a nutshell, PCI DSS is concerned with protecting payment card data against the risks and threats in the payment card industry.

NIST

The National Institute of Standards and Technology (NIST) is a U.S. agency that promotes innovation and industrial competitiveness. In cybersecurity, NIST oversaw the development of the Cybersecurity Framework, commonly known as NIST CSF.

The framework comprises industry standards and best practices for managing an organization's overall cybersecurity risk. Its core functions help organizations identify, protect, detect, respond, and recover from risks.

PCI DSS and NIST CSF relationship

PCI DSS focuses on meeting specific security outcomes, in particular the protection of payment cardholder data. NIST CSF, on the other hand, is concerned with the overall security posture of an organization. Although they approach it from different perspectives, both PCI DSS and NIST CSF address the common goal of enhancing data security.

Besides sharing a common goal, the foundations of PCI DSS and NIST CSF are also related: they share approaches to designing secure networks and protecting data, and both are focused on risk management. Additionally, the information security policies each one produces are geared towards the organization's overall security.

Mapping PCI DSS to NIST

Mapping PCI DSS to the NIST CSF is not a difficult task, since both are based on similar security best practices. One way to look at it is to see NIST CSF as the parent and PCI DSS as a subpart that focuses on a specific area.

When it comes to cross-mapping frameworks, there are three main approaches an organization can take:

  • Manual Mapping – Reviewing and comparing each framework requirement individually. This is the best approach for understanding your implemented controls and policies and how they satisfy other frameworks. It is the most time-consuming approach, but often the most accurate.
  • Mapping Matrix document – Leverage an existing mapping document as a starting point. There are many freely available mapping matrix documents, and PCI DSS includes a NIST CSF to PCI DSS mapping.
  • Industry Expertise – Leverage an industry expert to evaluate your controls and policies. Experts can also perform the mapping for you. Additionally, there are organizations dedicated to compliance framework mapping, such as UCF; see this article for more detail.

The best approach for you depends on your selected frameworks and how complex your compliance program is. For small to medium teams, a combination of manual mapping and a mapping matrix document is often suitable.

Due to the complexity involved in adding frameworks, it is advisable to leverage all three approaches if possible:

1. Leverage mapping documents to create a starting point and a gap analysis.

2. Review and confirm all connections against a mapping matrix.

3. Ensure you have the expertise to understand the frameworks and meet their requirements.

Mapping PCI DSS to NIST CSF is made easier by the mapping matrix document the organizations provide. When leveraging such a document, it is important to review each individual mapping to confirm that your controls and policies actually align with it.

Why Map PCI DSS to NIST?

The main benefit of mapping one standard to the other is an efficient, robust, and comprehensive compliance program. The requirements of each framework contribute to achieving greater security and closer alignment with organizational objectives.

Additionally, mapping reduces redundant controls and requirements by identifying where a single control supports both PCI DSS and NIST CSF. This increases operational efficiency and eliminates potential manual errors, resulting in a coordinated approach to information security across the organization.

Warning! Why Should You Not Map?

Adding frameworks greatly increases the complexity and scope of a program. If implemented incorrectly, and without a proper understanding of the company's existing controls, it can add unnecessary processes and tasks to every employee's workload.

GRC + Framework Mapping 

GRC platforms enhance the mapping process through management, organization, and analysis. They also offer effective ways to evaluate controls, track compliance, manage risk and gather evidence. Regardless of the approach, or combination of approaches, you choose, GRC tools are designed to streamline compliance mapping and make it easy to produce a gap analysis.

Summary

Mapping can bring together the best combination of requirements and controls from different frameworks, resulting in a robust compliance program. By combining frameworks and leveraging mappings, organizations can reduce duplication, create efficiencies, reduce overhead, and increase the maturity of their implemented controls.

As organizations grow in size and complexity, so do their compliance programs. Leverage a dedicated GRC tool to manage multiple frameworks, including PCI DSS, and scale your compliance program with ease using StandardFusion. Contact us and book your demo today!