HITRUST Common Security Framework Summary of Changes

Transcription

1 HITRUST Common Security Framework Summary of Changes Apr-14 CSF 2014 V6.1 Incorporates changes in PCI-DSS v3 and updates stemming from the HIPAA Omnibus Final Rule. Includes mappings to the v1. Fundamental to HITRUST s mission is the availability of a Common Security Framework (CSF) that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations. HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources. This interim 2014 CSF (v6.1) release includes changes based on feedback from the community and an updated set of cross-references and security requirements based on the 2013 release of the HIPAA Final Rule (Omnibus), PCI-DSS v3.0, and ISO/IEC 27001:2013 and 27002:2013, as well as the early 2014 release of the NIST Framework for Improving Critical Infrastructure Cybersecurity. The table below provides a summary of the changes to the CSF broken down by Specification and Implementation Requirement. Other Updates In conjunction with this CSF update, HITRUST has taken the opportunity to also make updates to its CSF Assurance Program. 1

2 Green text indicates an addition to the control/requirement. Red text indicates a deletion from the control/requirement. CSF 0.a 1 0.a 1 0.a 2 ISO/IEC ID.GV-4 ISO/IEC ISO/IEC (a) ISO/IEC ISO/IEC ISO/IEC (d) ISO/IEC (e)(1) ISO/IEC (f) ISO/IEC ISO/IEC ISO/IEC (e) ISO/IEC ISO/IEC ISO/IEC (a) ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC (b) ISO/IEC (f) ISO/IEC (c) ISO/IEC ISMS addresses all information security risks, including cybersecurity This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC. 2

3 0.a 2 0.a 3 01.a 1 PR.IP-7 ISO/IEC ISO/IEC (b) ISO/IEC ISO/IEC (c) ISO/IEC (d) ISO/IEC (e) ISO/IEC (f) ISO/IEC (g) ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC (b) ISO/IEC (c) ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC ISO/IEC (b) ISO/IEC (c) ISO/IEC (d) ISO/IEC (e) ISO/IEC (g) ID.GV-3 PDCA requirement Consistent with relevant legislation policy language 3 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

4 01.a 2 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 Removed: Removed: Removed: Removed: Updated: Updated: ISO/IEC A DE.CM-3 PR.AC-1 PR.AC-4 PCI DSS v PCI DSS v2 8.1 Monitoring of guest/anonymous, shared/group, emergency and temporary accounts Registration/de-registration part of requirement to manage identities and credentials Consistent with need-to-know, needto-share language 01.b addresses user registration but does not require formally assigning the responsibilities for administering accounts to an individual or team; this will be addressed by 05.c Requirement not addressed in 01.b but is addressed in 01.q, which is already mapped. PCI DSS v2 8.1 Requirement is addressed by 01.p PCI DSS v2 8.2 PCI DSS v PCI DSS v PCI DSS v v Language is contained in level 3 vice level 1 remapped in PCI DSS v3 remapped in PCI DSS v3 4 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

5 01.b 1 01.b 1 01.b 1 01.b 1 01.b 1 01.b 2 01.b 3 Updated: Updated: Updated: Removed: Updated: Removed: PCI DSS v PCI DSS v PCI DSS v v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v3 8.4 ISO/IEC A ISO/IEC A PCI DSS v2 8.2 remapped in PCI DSS v3 remapped in PCI DSS v3 remapped in PCI DSS v3 Requirement is addressed in 01.f level 1 remapped in PCI DSS v3 Language is contained in level 3 vice level 1 01.b 3 Account creation, modification, disabling, and removal actions shall be automatically logged and audited providing notification, as required, to appropriate individuals. PCI DSS v Identical language is contained in 09.aa, 3, which is already mapped to This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

6 01.c PCI Data 01.c 1 01.c 1 01.c 1 A service provider shall protect each organization s hosted environment and data by: i. ensuring that each organization only runs processes that only have access to that organization s cardholder data environment, and ii. restricting each organization s access and privileges to only its own cardholder data environment. Updated: PCI DSS v3 A.1.1 PCI DSS v3 A.1.2 ISO/IEC A PR.AC-4 PCI DSS v PCI DSS v Specific language for a service provider to restrict access and privileges of users and processes to an entity s cardholder data environment is specific to PCI Access permissions consistent with privilege management remapped in PCI DSS v3 01.c 1 The allocation of privileges Privileges shall be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (e.g. i.e. the minimum requirement for their functional role, e.g., user or administrator, only when needed). PCI DSS v New content for is addressed by existing CSF 01.c content in 1 6 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

7 01.c 1 01.c 2 01.c 2 01.c 2 01.c 2 01.c 2 01.c 2 The allocation of privileges for all systems and system components shall be controlled through a formal authorization process. None Subject to PCI Compliance 2 Regulatory Factor Removed: Administrator or operator registration and deregistration shall be in accordance with the defined process and the sensitivity and risks associated with the system (see 01.b). Updated: Updated: Removed: Access controls are implemented via an automated access control system. PCI DSS v Administrative change PR.DS-5 NIST SP r4 AC-2 PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v Modified language to specifically address the requirement No PCI references remain in level 3 after PCI DSS v was moved to 01.v as PCI DSS v3 8.7 Consistent with requirement to allow authorized users to determine whether access authorizations assigned to business partners are valid This particular requirement is duplicative of the same requirements in 01.b, for which AC-2 is already mapped; other AC-2 requirements remain valid for this control remapped in PCI DSS v3 remapped in PCI DSS v3 Requirement content is completely new and does not map to 01.c 2; requirement is not supported by any other cross-reference at level 2 7 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

8 01.c 2 01.c 2 01.c 3 01.c 3 Removed: Subject to PCI Compliance, 2 Regulatory Factor Removed: PCI DSS v3 A.1.1 Process privileges map to 01.c PCI DSS v3 A.1.2 Administrative change DE.CM-3 Organizational (i.e., user) access and privileges maps to 01.c No PCI references remain in level 3 after PCI DSS v was moved to 01.v as PCI DSS v3 8.7 Consistent with requirement to audit execution of privileged functions on information systems 01.c 3 The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access. PCI DSS v Requirement is more closely related to 01.v, Information Access Restriction, rather than 01.c, Privilege Management; content and PCI mapping moved; content not specific to remaining mappings for this level 01.d 1 x. passwords shall be prohibited from being reused for at least four (4) generations for users or six (6) generations for privileged users; and Administrative change Language updated to reflect NIST/CMS/PCI requirements and consistency with 01.f for password management 8 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

9 01.d 1 01.d 1 01.d 1 01.d 1 01.d 1 01.d 1 01.d 1 01.d 1 Removed: Removed: Removed: Removed: Updated: Updated: Updated: PR.AC-1 PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v Password management is part of credential management remapped in PCI DSS v3 incorporated into v with v incorporated into v with v ; control requirement addressed in 01.d Requirement not addressed by language in 01.d level 1; requirement is addressed by 01.q level 1 remapped in PCI DSS v3 remapped in PCI DSS v3 remapped in PCI DSS v3 01.d 1 Alternatively, passwords/phrases must have a strength (entropy) at least equivalent to the parameters specified above. PCI DSS v PCI DSS v updated to in v3; language added to reflect additional flexibility afforded by the updated PCI control 9 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

10 01.d 2 01.d 2 01.d 2 Updated: Removed: ISO/IEC A PCI DSS v2 8.4 PCI DSS v PCI DSS v remapped in PCI DSS v3 Requirement is addressed in 01.f 1 01.e 1 01.e 1 01.e 2 The following procedures shall be carried out to ensure the regular review of access rights by management: i. user's access rights shall be reviewed after any changes, such as promotion, demotion, or termination of employment, or other arrangement with a workforce member ends; and ii. user s access rights shall be reviewed and reallocated when moving from one employment or workforce member arrangement to another within the same organization. HIPAA (a)(3)(ii)(C) PR.AC-4 ISO/IEC A Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members Recertification supports access permission management 10 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

11 01.f 1 01.f 1 01.f 1 01.f 1 01.f 1 01.f 1 01.f 1 01.f 1 01.f 1 Removed: Removed: Removed: Updated: Updated: Updated: Updated: ISO/IEC A PR.AC-1 Consistent with credential management PCI DSS v requirement addressed in 01.d PCI DSS v Requirement is addressed by 01.p PCI DSS v Requirement is addressed by 01.p PCI DSS v PCI DSS v3 8.4 PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v PCI DSS v remapped in PCI DSS v3 remapped in PCI DSS v3 remapped in PCI DSS v3 remapped in PCI DSS v3 11 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

12 01.f 1 01.g 1 01.g 1 01.h 1 01.h 1 01.i 1 01.i 1 01.i 2 01.i 2 Password management policies shall be developed, documented, and adopted and communicated to all users to address the need to: PCI DSS v3 8.4 ISO/IEC A PR.AC-2 ISO/IEC A PR.PT-2 PR.PT-3 ISO/IEC A ISO/IEC A ID.AM-4 Modified to support updated lanagueage in PCI DSS v3 Physical access protections for unattended user equipment Protections for removable media addressed by clean desk requirements Networks and network services are information assets to which users are authorized access Cataloguing is consistent with requirement for the identification of external information systems 12 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

13 01.i 2 PR.IP-1 Baseline configuration requirement related to identification of necessary ports and services 01.j PCI Data 01.j 1 01.j 1 01.j 1 01.j 1 01.j 1 The organization shall incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support and maintenance). Updated: PCI DSS v3 8.3 DE.CM-1 PR.AC-1 PR.AC-3 PR.PT-4 PCI DSS v PCI DSS v PCI requirement is more stringent than existing language in 01.j level 1 Addresses monitoring requirements for remote and wireless access Addresses credential and authentication requirements Directly related to management of remote user access Addresses access controls for networks remapped in PCI DSS v3 13 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

14 01.j 1 01.k 1 01.l 1 01.l 2 01.m 1 01.m 1 Remote access to business information across public networks shall only take place after successful identification and authentication. Remote access by vendors and business partners (e.g., maintenance, reports or other data access) Vendors accounts for remote maintenance shall be disabled unless specifically authorized by the management. If remote maintenance is performed, the organization shall closely monitor and control any activities, with immediate deactivation after use. Remote access to business partner accounts shall also be immediately deactivated after use. Removed: PCI DSS v PR.AC-1 PR.PT-3 PR.IP-1 PCI DSS v3 1.1 PCI DSS v Updated the language to reflect the addition of business partners to the remote access restriction Addresses identification and authentication requirements for equipment Addresses physical access to ports / network equipment Specifying allowable ports and services is part of baseline / configuration management Supports sub-requirement PCI DSS v , which are mapped to the control Requirement renumbered to in PCI DSS v3 14 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

15 01.m 1 01.m 2 PCI DSS v ISO/IEC A Requirement renumbered to in PCI DSS v3 01.m 2 A baseline of network operations and expected data flows for users and systems shall be established and managed. Separate domains shall then be implanted by controlling the network data flows according to applicable flow control policies. DE.AE-1 Added language from NIST framework for additional clarity. 01.m 2 01.m 2 01.m 2 01.m 2 01.m 2 ID.AM-3 PR.AC-4 PR.AC-5 PR.DS-5 PR.PT-4 Data flow requirement Restricting access via VLANs for user groups is related to the requirement to manage access permissions Segregation requirement Segmentation is one mechanism used to help prevent data leakage Requirements apply to all network segments, including those for communications and control 15 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

16 01.n 1 01.n 1 01.n 1 01.n 2 01.n 2 01.n 2 01.o 1 01.o 1 01.o 2 DE.AE-1 PR.AC-3 PR.DS-5 DE.CM-1 PR.AC-5 PR.PT-4 PR.AC-5 PR.DS-5 ID.AM-3 Deny all, permit by exception policy supports establishment of a baseline of network operations and expected data flows Related to restriction of a user s ability to connect to the internal network Specified network protections help prevent data leakage Requirement to limit number of remote connections is specifically made to support comprehensive network monitoring Provides requirements supporting network segregation Requirements apply to all network segments, including those for communications and control Requires segregation and protections between internal and external network Specified network protections help prevent data leakage Requires routing controls to be based on positive source and destination address checking mechanisms 16 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

17 01.o 2 01.p 1 01.p 1 01.p 1 01.p 3 Updated: Updated: PR.PT-4 PR.AC-1 PCI DSS v PCI DSS v PCI DSS v PCI DSS v ISO/IEC A Specifies protection of internal directory services and IP addresses, which also supports protection of communications and control networks Secure log on procedures support identity and credential management requirements remapped in PCI DSS v3 remapped in PCI DSS v3 01.q PCI Data The organization shall not use group, shared, or generic IDs, passwords, or other authentication methods as follows: i. generic user IDs are disabled or removed. ii. shared user IDs do not exist for system administration and other critical functions. iii. shared and generic user IDs are not used to administer any system components. PCI DSS v3 8.5 PCI requirements are more stringent than existing language in 01.q 1 17 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

18 01.q PCI Data Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase for each customer.) PCI DSS v PCI requirement specific to service providers 01.q PCI Data 01.q 1 01.q 1 Where other authentication mechanisms are used (e.g., physical or logical security tokens, smart cards, and certificates), use of these mechanisms shall be assigned as follows: i. authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. ii. Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. Updated: PCI DSS v3 8.6 PR.AC-1 PCI DSS v2 8.1 PCI DSS v PCI requirement related to unique credentials is more stringent; placed in PCI segment Specifically addresses user identification and authentication requirements, e.g., verifiable unique IDs remapped in PCI DSS v3 18 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

19 01.q 1 01.q 1 01.q 1 01.q 1 Removed: Updated: PCI DSS v2 8.3 PCI DSS v PCI DSS v3 8.5 PCI DSS v PCI DSS v3 8.1 No relevant language in 01.q level 1 (language in level 2 addresses communications through an external network rather than originating from outside the network); requirement is addressed by 01.j level 1 remapped in PCI DSS v3 User authentication for use of information technology is explicitly addressed by 01.q, User identification and authentication New content in 8.1 is addressed by existing content in 01.q 1 01.q 1 01.q 2 01.q 2 Before allowing access to system components or data, tthe organization shall require verifiable unique ID's for all types of users Removed: PCI DSs v ISO/IEC A PCI DSS v2 3.2 Modified existing content to more accurately reflect the requirement Requirement for authentication is related to authentication of the payment card rather than the user; content in 3.2, 3.2.1, and is better addressed in 09.q, Information handling procedures 19 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

20 01.q 2 During the registration process to provide new or replacement hardware tokens, in-person verification shall be required PCI DSS v is addressed by in-person registration requirement for tokens; language added for clarity 01.q 2 01.q 2 01.r 1 01.r 1 01.r 2 01.s 1 01.s 1 Removed: PCI DSS v PCI DSS v3 8.6 PR.AC-1 PCI DSS v ISO/IEC A PR.AC-4 PR.AC-4 New requirement related to unique credentials but specific to service providers; content placed in PCI segment New requirement related to unique credentials is more stringent; content placed in PCI segment Specifically addresses password (credential) management Requirement not addressed by language in 01.r level 1; requirement is addressed by 01.q level 1 Requires user identification, authentication, and authorization for access to system utilities Requires user identification, authentication, and authorization for access to system utilities 20 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

21 01.s 1 01.s 1 01.s 2 01.t 1 01.t 1 01.u 1 Updated: PR.DS-5 PR.PT-3 ISO/IEC A ISO/IEC A PCI DSS v PCI DSS v ISO/IEC A Restricting access to system utilities helps prevents misconfiguration (intentional or not), which supports data leakage prevention Directly related to the control of access to systems and assets remapped in PCI DSS v3 01.v PCI Data Where there is an authorized business need to allow the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media for personnel accessing cardholder data via remote-access technologies, the organization s usage policies shall require the data be protected in accordance with all applicable PCI DSS requirements. PCI DSS v Requirement specific to cardholder data / PCI DSS 21 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

22 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows: 01.v PCI Data i. all user access to, user queries of, and user actions on databases are through programmatic methods. only database administrators have the ability to directly access or query databases. ii. PCI DSS v3 8.7 Requirements specific to cardholder data 01.v 1 01.v 1 01.v 1 01.v 2 Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes). PR.AC-4 PR.DS-5 PR.PT-3 ISO/IEC A Directly related to information access restriction Information access restriction directly supports DLP Directly related to the control of access to systems and assets 22 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

23 Updated: 01.v 3 For individuals accessing covered sensitive information (e.g., covered information, cardholder data) from a remote location, prohibit the copy, move, print (and print screen) and storage of cardholder data this information onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. PCI DSS v Updated language to correct discrepancy between covered information and cardholder data and make the requirement more generic 01.v 3 The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access. PCI DSS v3 8.7 Requirement was moved from 01.c, Privilege Management, as it is most closely related to 01.v, Information Access Restriction. Language more specific to cardholder data added in the PCI segment 01.w 2 01.x 1 01.x 1 PR.AC-5 ISO/IEC A PR.DS-1 Sensitive system isolation directly related to network segregation Encryption requirements supports protection of data at rest 23 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

24 01.x 1 01.y 1 01.y 1 01.y 1 01.y 1 01.y 3 02.a 1 02.a 1 02.a 1 02.a 1 PR.IP-1 PR.AC-3 PR.DS-2 PR.DS-3 PR.IP-1 ISO/IEC A ISO/IEC A DE.DP-1 ID.AM-6 ID.GV-3 Provides baseline configuration requirements for mobile devices Remote access requirements Encryption requirements supports protection of data in motion/transit Requires return of equipment Sets baseline configuration requirements for teleworking equipment General language regarding security roles and responsibilities, which would include identification, protection, detection, response and recovery Specifically addresses roles & responsibilities Roles & responsibilities include compliance (legal, regulatory) language 24 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

25 02.a 1 02.a 1 02.b 1 02.b 1 02.b 1 02.c 1 02.c 1 02.c 1 02.c 1 PR.IP-11 PCI DSS v ISO/IEC A PR.DS-5 PR.IP-11 ID.AM-6 ID.GV-3 PR.DS-5 PR.IP-11 Requires establishment of security roles and responsibilities; HR-related Requirement for security policies and procedures to clearly define information security responsibilities for all personnel is addressed by 02.a, Roles & Responsibilities (prior to employment) Trustworthy personnel help prevent data leakage Specifically addresses screening requirements Terms & conditions of employment address requirement to ensure workforce members understands their roles & responsibilities Terms address legal requirements for data protection Terms address confidentiality requirements Terms and conditions of employment include screening requirements 25 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

26 02.c 2 02.d 1 02.d 1 02.d 1 02.d 1 02.d 1 02.d 1 02.d 1 02.d 1 02.d 1 ISO/IEC A ISO/IEC A DE.CM-6 DE.DP-1 ID.AM-6 PR.AT-1 PR.AT-2 PR.AT-3 PR.AT-4 PR.AT-5 Contains requirement to implement processes to conduct monitoring activities General language regarding roles & responsibilities; specific language related to monitoring (detect) Specifies management responsibility to ensure workforce members understands their roles & responsibilities Requires all users to be informed of their roles & responsibilities Requires all users to be informed of their roles & responsibilities Requires third party users (e.g., contractors) to be informed of their roles & responsibilities Requires all users to be informed of their roles & responsibilities Requires all users to be informed of their roles & responsibilities 26 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

27 02.d 1 PR.IP-11 Specifically addresses security in HR issues, such as a workforce development program 02.d 2 These usage policies shall address the following if applicable: i. explicit management approval (authorization) to use the technology; Updated: PCI DSS v Requirement was confounded with another statement; which was also corrected 02.d 2 These usage policies shall address the following if applicable: ii. explicit management approval (authorization) to use the technology; iii. authorization authentication for use of the technology; iv. acceptable uses of the technologies (see 07.c); PCI DSS v Requirement was confounded with another statement; which was also corrected 02.e PCI Data The organization shall ensure the importance of cardholder data security is included in a formal security awareness program for all personnel. PCI DSS v Awareness requirement for cardholder data is specific to PCI 27 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

28 02.e PCI Data 02.e 1 02.e 1 02.e 1 02.e 1 02.e 1 02.e 1 The organization shall periodically inspect payment card device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device). PCI DSS v ISO/IEC A ID.GV-3 PR.AT-1 PR.AT-2 PR.AT-4 PR.AT-5 Requirement is PCI-specific Education addresses legal requirements for data protection Requires all users to be educated on their roles & responsibilities Requires all users to be educated on their roles & responsibilities Requires all users to be educated on their roles & responsibilities Requires all users to be educated on their roles & responsibilities 28 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

29 02.e 2 The organization s security personnel shall receive specialized security education and training appropriate to their role/responsibilities. Train developers in secure coding techniques, including how to avoid common coding vulnerabilities. Ensure developers understand how sensitive data is handled in memory. PCI DSS v3 6.5 New training requirement added to 6.5 in PCI DSS v3 02.e 2 02.e 2 02.f 1 02.f 1 02.g 1 When an employee or other workforce member moves to a new position of trust,... PCI DSS v3 9.9 Supports mapping of PCI DSS v PCI DSS v ISO/IEC A PR.IP-11 HIPAA (a)(3)(ii)(C) Requirement to provide training on payment card device tampering and substitution is consistent with equipment education, training and awareness in 08.e; content is PCIspecific and added to the PCI segment Sanctioning workforce members for security violations is included in HR practices Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members 29 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

30 02.g 1 PR.IP-11 Access termination is included in HR practices 02.g 2 02.g 2 02.h 1 02.h 1 The organization shall have a documented termination process for all employees and other workforce members. The organization provides appropriate personnel with access to official records created by a terminated employee or when the arrangement of a workforce member ends. The organization shall define any valid duties after termination employment or when the arrangement of a workforce member ends and shall be included in the employee's or workforce member s contract or other arrangement. The communication and the terms and conditions of employment or other workforce arrangement continuing for a defined period after the end of the employee's, contractor's or third party user's employment or other workforce arrangement. HIPAA (a)(3)(ii)(C) ISO/IEC A ISO/IEC A PR.IP-11 Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members Return of assets is part of termination, which is included in HR practices 30 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

31 02.i 1 Upon termination at least within 24 hours. Changes of employment or other workforce arrangement (e.g. transfers) shall be reflected in removal of all access rights that were not approved for the new employment or workforce arrangement. Access changes that identifies them as a current member of the organization. If a departing employee, contractor, third party user or other workforce member has known passwords for accounts remaining active, these shall be changed upon termination or change of employment, contract, agreement, or other workforce arrangement. Access rights to information assets and facilities shall be reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors including: i. whether the termination or change is initiated by the employee, contractor, third party user, other workforce member, or by management and the reason of termination; ii. the current responsibilities of the employee, contractor, workforce member or any other user; and HIPAA (a)(3)(ii)(C) Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members 02.i 1 ISO/IEC A This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

32 02.i 1 02.i 1 02.i 1 02.i 1 02.i 1 03.a 1 03.a 1 03.a 1 Updated: Updated: PR.AC-1 PR.AC-4 PR.IP-11 PCI DSS v v PCI DSS v PCI DSS v ID.BE-3 ID.GV-4 ID.RM-1 Password (credential) changes due to termination supports credential management requirements Access changes due to personnel transfer supports requirement to manage access permissions, including least privilege and separation of duties Removal of logical access rights is part of the HR termination process remapped in PCI DSS v3 remapped in PCI DSS v3 Requirement to prioritize organizational mission, objectives and activities is part of risk strategy development Directly supports cybersecurity risk management Addressed by organizational strategy requirements 32 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

33 03.a 1 Elements of the risk management program shall include: management s clearly stated level of acceptable risk; 3. ID.RM-2 Clarified risk tolerance requirement 03.a 1 Elements of the risk management program shall include: management s clearly stated level of acceptable risk, informed by its role in the critical infrastructure and healthcarespecific risk analysis; 3. ID.RM-3 Added requirement to consider role and healthcare-specific risk analysis in the determination of risk tolerance 03.a 1 RS-MI-3 Mitigation or acceptance of risk associated with vulnerabilities are both addressed at a program level 03.b PCI Data Formal risk assessments shall be performed at least annually and upon significant changes to the environment. The assessments shall identify critical assets, threats and vulnerabilities. PCI DSS v PCI requirements exceed the requirements specified in level 2 33 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

34 Removed: 03.b 1 Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act Administrative change PCI requirements are more consistent with the requirements in 03.b, level 2 03.b 1 1 Regulatory Factor They may be quantitative, semi- or quasiquantitative, or qualitative but shall be consistent and comparable Administrative change Intended to specifically include the most common approach to risk assessment 34 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

35 03.b 1 Risk assessments (analysis) used to determine whether a breach of unsecured protected health information (PHI) as a breach is defined by the Secretary of Health and Human Services is reportable to the Secretary must demonstrate there is a low probability of compromise (lo pro co) rather than a significant risk of harm. The methodology shall, at a minimum, address the following factors: i. the nature of the PHI involved, including the types of identifiers involved and the likelihood of re-identification; ii. the unauthorized person who used the PHI or to whom the disclosure was made; iii. whether the PHI was actually acquired or viewed; iv. the extent to which the risk to the PHI has been mitigated; and v. any other factors/guidance promulgated by the Secretary. HIPAA Specifically addresses the new requirements for breach risk analysis under the HIPAA Omnibus Rule 03.b 1 03.b 1 HIPAA cross reference ISO/IEC ISO/IEC A ISO/IEC A ID.RA-1 Asset vulnerabilities must be identified in order to address new vulnerabilities as required in the control language 35 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

36 03.b 1 03.b 1 Removed: ID.RA-3 PCI DSS v External environment is addressed in level 2 but the initial requirement in level 1 is general enough to map this control (e.g., new attack sources) PCI risk analysis requirements are more stringent than what s required in 03.b, level 1. Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years. 03.b 2 Subject to PCI Compliance, Subject to FISMA Compliance, Subject to Administrative change PCI requirements are more consistent with the requirements in 03.b, level 2 03.b 2 03.b 2 03.b 2 03.b 2 2 Regulatory Factor DE.AE-4 ID.RA-4 ID.RA-5 PCI DSS v Potential impact of a vulnerability should it be successfully exploited is determined as part of the risk analysis Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn t addressed until level 2 Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn t addressed until level 2 PCI DSS v was remapped to Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years. 36 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

37 03.c 1 The organization implements and the associated organizational information systems are prioritized and maintained; and document the remedial information and other organizations are documented. ID.RA-6 Language specifically addresses organization-wide priorities for risk response plans but earlier language updated for clarity 03.c 1 03.c 1 03.c 1 03.c 2 03.d 1 03.d 1 03.d 2 PR.IP-12 PR.IP-7 RS.MI-3 ISO/IEC A ISO/IEC A ISO/IEC A ID.GV-4 PR.IP-7 ID.RA-1 Mitigation of risk associated with vulnerabilities is part the risk management process Primary purpose of remediation is to ensure protections are improved as part of the risk management lifecycle Language specifically addresses risk responses and prioritization Ensures risk management processes are continuously updated to reflect changes in the environment Language specifically addresses updating of the risk management program to reflect changes in the environment (continuous improvement) New assets must be identified to reflect changes in risk 37 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

38 03.d 2 03.d 2 03.d 2 ID.RA-3 ID.RA-4 ID.RA-5 General language on changes in the environment (e.g., new attack sources) Addresses changes in the organization that affect risk Requires the program to be updated to reflect changes in risk, which includes threats, vulnerabilities, likelihoods and impacts per 03.b and 03.c The organization shall ensure policies are documented, communicated (known to all parties) and in use for the following: 04.a PCI Data i. managing firewalls, ii. managing vendor defaults and other security parameters, iii. protecting stored cardholder data, iv. encrypting transmissions of cardholder data, v. protecting systems against malware, vi. developing and maintaining secure systems and applications, vii. restricting access to cardholder data, viii. identification and authentication, ix. restricting physical access to cardholder data, x. monitoring access to network resources and cardholder data, and xi. security monitoring and testing. PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v PCI DSS v PCI DSS v Requirement to provide documented policies is addressed by 04.a, level 1; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed in support of a PCI audit or assessment 38 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

39 04.a 1 04.a 1 04.a 1 04.a 1 04.a 1 04.a 1 04.a 1 04.a 1 Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to 1 Regulatory Factor CMS cross reference NIST cross reference Removed: Administrative change CMSRs 2012v1.5 PL-1 (HIGH) ISO/IEC A ID.GV-1 ID.GV-3 ID.GV-4 NIST SP r4 PL-1 PCI DSS v HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D Requirement to establish an information security policy is addressed by 04.a Specifically addresses general information security policy requirement Addresses legislative, regulatory and other requirements in information security policy Requires information security policy to address risk assessment and management Requirement to establish an information security policy is addressed by 04.a Policy review requirement is addressed by 04.b 39 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

40 04.a 1 04.a 1 Removed: PCI DSS v PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v PCI DSS v PCI DSS v a addresses general policy requirements but does not address specific policy for service providers; requirement is addressed by 05.k, Addressing Security in Third Party Agreements, for which is already mapped Requirement to provide operational procedures is addressed by 05.a, level 3; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed 04.a 1 04.b 1 An information security policy shall be developed, published, disseminated and implemented. The information security policy document shall state management's commitment Removed: An information security policy shall be developed and implemented to provide the framework for setting management objectives for all aspects of security. PCI DSS v Policy requirement maps to 04.a Administrative change Policy requirement maps to 04.a 40 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

41 04.b 1 04.b 1 04.b 1 04.b 1 04.b 1 04.b 1 04.b 2 05.a 1 05.a 1 05.a 1 Removed: CMS cross reference CMS cross reference Removed: Updated: Removed: HIPAA cross reference Removed: HIPAA cross reference Removed: HIPAA cross reference CMSRs 2012v1.5 SA-1 (HIGH) CMSRs 2012v1.5 SA-1 (HIGH) ISO/IEC A ID.GV-1 ID.GV-3 PCI DSS v PCI DSS v PCI DSS v HIPAA (a)(3)(ii)(A) HIPAA (a)(3)(ii)(B) HIPAA (a)(3)(ii)(C) Requirement for annual reviews is in level 2 vs. level 1 Requirement for annual reviews is in level 2 vs. level 1 Related to the cyber requirement for general information security policy as the CSF control addresses policy review Requires policy updates when legislative, regulatory and other requirements change Requirement is focused on policy remapped in PCI DSS v3 Verified no relevant content remains Verified no relevant content remains Verified no relevant content remains 41 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

42 05.a 2 i. ensure that goals are identified and considered, and address organizational and healthcare-specific requirements, and.. ID.BE-2 Addresses requirement for organizations to consider their place in critical infrastructure 05.a 2 05.b 1 05.b 2 05.b 2 05.b 2 05.c 1 Removed: Removed: ID.BE-3 ID.GV-2 RS.CO-2 PCI DSS v PCI DSS v ISO/IEC A Specifically related to management requirements around information security strategy Consistent with control specification Addresses evaluation of information received from monitoring and reviewing of security incidents 05.b addresses security coordination but does not require formally assigning responsibilities for monitoring, analyzing and distributing security alerts; this will be addressed by 05.c 05.b addresses security coordination but does not require formally assigning responsibilities for distributing security incident response and escalation procedures; this will be addressed by 05.c 42 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

43 05.c 1 Information security roles & responsibilities shall be coordinated and aligned with internal roles and external partners. ID.GV-2 specifically addresses allocation of responsibilities; Framework language added for clarification 05.c 1 The organization shall formally assign the following specific information security responsibilities to an individual or team: i. establishment, documentation and distribution of security policies and procedures; ii. monitoring and analyzing security alerts and information, and distributing security alerts, information and analysis to appropriate personnel; iii. establishment, documentation and distribution of security incident response and escalation procedures to ensure timely and effective handling of all situations; iv. administering user accounts, including additions, deletions and modifications; and v. monitoring and controlling all access to data. PCI DSS v PCI DSS v PCI DSS v PCI DSS v Formal assignment of specific information security responsibilities is best addressed by 05.c, Allocation of Information Security Responsibilities s 43 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

44 05.d 1 05.e 1 05.e 1 05.f 1 05.f 2 05.f 2 05.f 2 05.g 1 05.g 1 ID.BE-1 ISO/IEC A PR.DS-5 DE.DP-4 ISO/IEC A RS.CO-2 RS.CO-3 ID.RA-2 RS.CO-5 Specifically addresses supply chain requirements for new information assets Confidentiality agreements support DLP Specifically addresses contact with authorities Requires procedures for reporting Requires sharing consistent with response plans, which is supported by testing Requirement specific to contact with special interest groups: share and exchange information about threats, or vulnerabilities Requirement specific to contact with special interest groups: provide suitable liaison points when dealing with information security incidents (see 11.c) 44 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission

45 05.g 2 05.h 1 05.h 1 05.h 1 05.h 1 05.h 1 05.h 1 05.h 1 ISO/IEC A ISO/IEC A ID.GV-4 ID.RM-1 ID.RM-2 ID.RM-3 PR.IP-7 PR.IP-8 Periodic review of the information security program ensures governance and risk management processes continue to address information and cybersecurity risks Periodic review of the information security program helps ensure the program continues to address stipulated requirements Periodic review of the information security program helps ensure the program continues to address stipulated requirements Periodic review of the information security program helps ensure the program continues to address stipulated requirements Periodic review of the information security program ensures continuous improvement Sharing of information re: control effectiveness with appropriate stakeholders is part of the third-party information protection program review 45 This document is the PROPIETARY and CONFIDENTIAL Information It may not be used, disclosed or reproduced, in whole or in part, without the express written permission