PCI DSS and the CIS Controls
Aligning Security Frameworks with Tripwire
Benchmarks, Standards, Frameworks and Regulations: What’s the Difference?
The majority of IT security guidance to industry can be placed into one of these categories: benchmarks, standards, frameworks and regulations. Most address specific security issues and offer advice based on experience, collaborated information, authorities and activities (best practices) which have proven effective. They each offer in-depth guidance on how to apply security, how to build an effective security program and how to measure security investments.
The challenge is how to navigate the myriad source materials, identify the most salient and effective components of each document, and then use that information to build the most effective security program for the organization.
Tripwire offers this comparison of the Payment Card Industry Data Security Standards (PCI DSS) and the Center for Internet Security (CIS) Controls to help you and your organization understand the benefits and values of each, and to help you take advantage of them within your organization.
Analysis: PCI DSS and the CIS Controls
This analysis provides an overview and comparison of the PCI DSS—the secu- rity standard framework created for all merchants who accept credit cards, and the CIS Controls —a best practices document with prioritized cybersecurity procedures.
The business imperative that drives both of these frameworks is to reduce the risk to businesses from improperly designed and operated technology. They specifically address the challenge of how to instill security essentials, such as security practices of asset control, vulnerability assessment and security hardening. Regardless of being compelled (due to contractual and audit compliance with PCI) or advised through best practices (such as with the Controls), these essential tasks are frequently overlooked.
Both frameworks are also threat ori- ented, meaning they prescribe specific actions, controls and activities known to eliminate or reduce common threat vectors. However, without considering the associated risks and the overall relevance of these recommendations to your organization, these frameworks can create a false sense of security. Adopted controls should match potential threat, and risk and mitigation measures adjusted accordingly.
Proactive risk mitigation
The reason why a business should look at one or both of these frameworks is to reinforce the decision to address cybersecurity in a proactive manner. The documents outline common, if not necessarily consistent, programmatic elements. They use security “language” but do not assume the reader is a secu- rity expert. The advice or prescription is based on current and real world risks and the response measures that will mitigate them. While the response mea- sures prescribe specific outcomes, they are not product- or solution-specific. However, working from these docu- ments will give most readers some idea of the type of skills and resources they will need to address security within their specific environment.
What the Controls Do
The Controls (previously known as the CIS and SANS Top 20 Critical Security Controls) are now governed by the Center for Internet Security, a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.
The development of this set of standards was first undertaken in 2008 by the National Security Agency at the behest of the U.S. Secretary of Defense in an effort to efficiently direct resources toward combating the most common network vulnerabilities that resulted in the greatest number of attack vectors.
With its beginnings as an annual list of threats and vulnerabilities, the Controls are the result of a broad number of federal and commercial enterprise inputs and continues to evolve as a list of security best practices. The resulting list provides a list of practical security advice that applies to most IT opera- tions. The Controls provides a prioritized list of security practices as well as a practical approach to implementation.
It also offers tips for managing these controls on an ongoing basis.
While the Controls are not industry-spe- cific, they were developed and validated by the U.S. Federal government. Their application and efficacy in the govern- ment lends them “big organization” and “federal agency” credibility.
Comparing security frameworks leads to strategic insights to help organizations
- Adjust their security programs and better address overall cybersecurity
- Understand and communicate the value of security and regulatory compliance investments
- Relate cybersecurity to business objectives
|Vendor Security Guidance||✔|
|ISA/IEC-62443 (Formerly ISA-99)||✔|
|ISO 15408 / Common Criteria||✔|
|ISO 27001 and 27002||✔||✔|
Because the Controls offer a relatively short list of controls that have been pre-prioritized, it appeals to business managers and security practitioners alike. The framework provides guidance for those in the early stages of developing an information security program, and also offers guidance and advice for those with mature ones. The framework provides “quick wins” for organizations looking for easy, fast ways to reduce risk, as well as in depth guidance for each control.
- Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment. They also provide substantial controls against the most common attack vectors, therefore most organizations prioritize the implementation of these controls.
- Visibility and attribution measures improve the process, architecture and technical capabilities of organizations to monitor their networks and computer systems making it possible to detect attack attempts, locate points of entry, identify already- compromised machines, interrupt infiltrated attackers’ activities and gain information about the sources of an attack.
- Improved information security configuration and hygiene reduces the number and magnitude of security vulnerabilities and improve the operations of networked computer systems. Secure configurations make systems more difficult to compromise and dramatically reduce security risks.
- Advanced sub-controls that require the use of new technologies are clearly identified. These controls may be harder or more expensive to deploy.
What the Controls Don’t Do
The CIS Controls document is a voluntary measure—there is no policing, audit or fines for not implementing the advice or implementing it incorrectly. The Controls are constantly being re-assessed and change based on the advice and feedback of an advisory schedule. These changes are expected to occur on a regular basis. Although the committee represents business, government and various industries, they may not cover specific business or industry needs and concerns.
The Controls are not intended to cover every risk. The objective of the framework is to identify the security controls that are most effective against the most common attack vectors. Your company and/or your industry may have specific, unique risks that are not adequately addressed by the Controls.
The Controls do not prescribe a method to verify and examine the risks that correlate to each control. Although the Controls include basic explanations, each organization needs to evaluate the security risks of their specific organization, determine if the control is appropriate and sufficient and then evaluate the decision to implement the control.
Finally, the CIS Controls are not an in-depth or process-oriented frame- work. It may require some technical effort to “fit” technical solutions into the specific systems at each organization.
What the PCI DSS Does
The Payment Card Industry Data Security Standard was created by an industry consortium with the goal of creating security standards for the payment card industry to guide credit card processors, merchants and banks to protect cardholder data and improve security of systems used to store, track and manage the credit card payment and authorization systems.
The PCI DSS is a widely adopted security standard and has become one of the most international security standards. Because PCI DSS is enforced by the industry consortium, and failing a third party audit entails serious business con- sequences and can also involve fines or other penalties, the standard is unique.
The PCI DSS is very straightforward: it is designed to identify and protect the systems that contain cardholder information as well as protect that data wherever it is transmitted, processed or stored. The standard ensures a min- imum level of information security for any organization that processes credit cards.
Because the PCI DSS was developed to address common security issues, other industries can use it for basic security guidance. Merchants and financial ser- vices organizations have also found that applying the standards to those systems not directly involved with processing cardholder data can dramatically reduce security risk. This has improved the IT security standing of many organizations.
- Benchmark: Designed for specific environments; Specific Prescriptive Controls
- Standards: Provides detailed technology implementation guidance from standards body
- Framework: Outlines Security Program Requirements and may include prescriptions, methods and
- Regulation: Typically an enforced guideline with prescribed repercussions (penalties)
The PCI DSS 3.2
|Control Objectives||PCI DSS Requirements|
|Build and Maintain a Secure Network and Systems||1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect Cardholder Data||3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a Vulnerability Management Program||5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need-to-know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security for all personnel|
What PCI DSS Doesn’t Do
Because the PCI framework is designed only to protect cardholder data, its con- trols are usually designed and described for these specific systems and devices that process that specific data. While the standard evolved to focus only on card- holder data as a way to limit the cost of compliance, an unintended consequence maybe that one area of the network is strongly protected but others are left open to attack.
The PCI DSS was not developed to address a specific risk associated with the loss of cardholder data and the resulting fraud. However, the threat vector can and does change rapidly. Organizations with large data sets may require greater protection that the standard requires. New, more advanced controls should be carefully considered and should calibrated to the level of risk. The challenge for all security standards is to strike an appropriate balance between compliance requirements and the cost of implementation. Every stan- dard is trying to achieve the greatest possible risk reduction for the lowest possible investment.
Similarities of the Controls and PCIThere are plenty of similarities between the two frameworks. Examining of the previous chart, one can see that—other than missing a control specifically for coverage of physical security—the Controls line up fairly consistently with the PCI DSS Requirement and Objectives areas. This is expected since the focus of both documents is fairly consistent: shoring up IT technology security solu- tions and practices across a network to protect assets, data or equipment.
Not overly complex
While some technologies are pre- scribed, both documents recognize that security is a process, not a single prod- uct or single skill set. This is important because it underscores a common misperception that security is only a product away (or, conversely, too com- plex) to understand. In reality, usually the best response to a specific threats is unique to each environment.
The CIS Controls are known set of best practices. As a non-profit organization, we are trying to balance what the government and private industry are doing. In rewriting our policies and procedures, we decided to build in the CIS Controls into our standards.
Center for the Protection of National Infrastructure, United Kingdom