Apr-14
HITRUST Common Security Framework Summary of Changes
CSF 2014 V6.1 Incorporates changes in PCI-DSS v3 and updates stemming from the HIPAA Omnibus Final Rule. Includes mappings to the NIST Cybersecurity Framework v1.
Fundamental to HITRUST’s mission is the availability of a Common Security Framework (CSF) that provides the needed structure, clarity, functionality and cross-references to authoritative sources. The initial development of the CSF leveraged nationally and internationally accepted standards including ISO, NIST, PCI, HIPAA, and COBIT to ensure a comprehensive set of baseline security controls. The CSF normalizes these security requirements and provides clarity and consistency, reducing the burden of compliance with these requirements that apply to healthcare organizations.
HITRUST ensures the CSF stays relevant and current to the needs of organizations by regularly updating the CSF to incorporate new standards and regulations as authoritative sources.
This interim 2014 CSF (v6.1) release includes changes based on feedback from the community and an updated set of cross-references and security requirements based on the 2013 release of the HIPAA Final Rule (Omnibus), PCI-DSS v3.0, and ISO/IEC 27001:2013 and 27002:2013, as well as the early 2014 release of the NIST Framework for Improving Critical Infrastructure Cybersecurity.
The table below provides a summary of the changes to the CSF broken down by Control Specification and Implementation Requirement Level.
Other Updates
In conjunction with this CSF update, HITRUST has taken the opportunity to also make updates to its CSF Assurance Program.
Green text indicates an addition to the control/requirement. Red text indicates a deletion from the control/requirement.
This document is the PROPRIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.
CSF Control | Level | Summary of Changes* | Authoritative Source Cross-Reference(s) | Remarks
0.a | 1 | Added: ISO cross references | ISO/IEC 27001-2013 4.4 | Updated mapping for 2013 ISO release
0.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-4 | ISMS addresses all information security risks, including cybersecurity
0.a | 2 | Added: ISO cross references | ISO/IEC 27001-2013 4.3, 5.1(a), 5.2, 5.3, 6.1.1(d), 6.1.1(e)(1), 6.1.1(f), 6.1.2, 6.1.3, 6.2(e), 7.1, 7.4, 7.5.1(a), 7.5.2, 7.5.3, 8.1, 8.2, 8.3, 9.1, 9.2, 9.3(b), 9.3(f), 10.1(c), 10.2 | Updated mapping for 2013 ISO release
0.a | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-7 | PDCA requirement
0.a | 3 | Added: ISO cross references | ISO/IEC 27001-2013 4.1, 4.2(b), 4.4, 5.1(c), 5.1(d), 5.1(e), 5.1(f), 5.1(g), 5.2, 5.3, 6.1.1, 6.2, 7.1, 7.2, 7.3(b), 7.3(c), 7.4, 8.1, 9.1, 9.2, 9.3, 10.1(b), 10.1(c), 10.1(d), 10.1(e), 10.1(g) | Updated mapping for 2013 ISO release
01.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Consistent with relevant legislation policy language
01.a | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.1.1 | Updated mapping for 2013 ISO release
01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-3 | Monitoring of guest/anonymous, shared/group, emergency and temporary accounts
01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Registration/de-registration part of requirement to manage identities and credentials
01.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Consistent with need-to-know, need-to-share language
01.b | 1 | Removed: PCI cross reference | PCI DSS v2 12.5.4 | 01.b addresses user registration but does not require formally assigning the responsibilities for administering accounts to an individual or team; this will be addressed by 05.c
01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.1 | Requirement not addressed in 01.b but is addressed in 01.q, which is already mapped.
01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.1 | Requirement is addressed by 01.p
01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.2 | Language is contained in level 3 vice level 1
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.1 → PCI DSS v3 8.1.2 | Control remapped in PCI DSS v3
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.1 → PCI DSS v3 8.1.2 | Control remapped in PCI DSS v3
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.4 → PCI DSS v3 8.1.3 | Control remapped in PCI DSS v3
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.4 → PCI DSS v3 8.1.3 | Control remapped in PCI DSS v3
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.5 → PCI DSS v3 8.1.4 | Control remapped in PCI DSS v3
01.b | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.7 | Requirement is addressed in 01.f level 1
01.b | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.7 → PCI DSS v3 8.4 | Control remapped in PCI DSS v3
01.b | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.1; ISO/IEC 27002-2013 A.9.2.2 | Updated mapping for 2013 ISO release
01.b | 3 | Added: PCI cross reference | PCI DSS v2 8.2 | Language is contained in level 3 vice level 1
01.b | 3 | Removed: Account creation, modification, disabling, and removal actions shall be automatically logged and audited providing notification, as required, to appropriate individuals. | PCI DSS v3 10.2.5 | Identical language is contained in 09.aa, Level 3, which is already mapped to 10.2.5
01.c | PCI Data | Added: A service provider shall protect each organization’s hosted environment and data by: i. ensuring that each organization only runs processes that only have access to that organization’s cardholder data environment, and ii. restricting each organization’s access and privileges to only its own cardholder data environment. | PCI DSS v3 A.1.1; PCI DSS v3 A.1.2 | Specific language for a service provider to restrict access and privileges of users and processes to an entity’s cardholder data environment is specific to PCI
01.c | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.3 | Updated mapping for 2013 ISO release
01.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Access permissions consistent with privilege management
01.c | 1 | Updated: PCI cross reference | PCI DSS v2 7.1.3 → PCI DSS v3 7.1.4 | Control remapped in PCI DSS v3
01.c | 1 | Added: The allocation of privileges … Privileges shall be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy (e.g. i.e. the minimum requirement for their functional role, e.g., user or administrator, only when needed). PCI cross reference | PCI DSS v3 7.1.1 | New content for 7.1.1 is addressed by existing CSF 01.c content in Level 1
01.c | 1 | Added: The allocation of privileges for all systems and system components shall be controlled through a formal authorization process. | PCI DSS v3 7.2.1 | Modified language to specifically address the requirement
01.c | 2 | Added: None Subject to PCI Compliance Level 2 Regulatory Factor | Administrative change | No PCI references remain in level 3 after PCI DSS v2 8.5.16 was moved to 01.v as PCI DSS v3 8.7
01.c | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Consistent with requirement to allow authorized users to determine whether access authorizations assigned to business partners are valid
01.c | 2 | Removed: Administrator or operator registration and de-registration shall be in accordance with the defined process and the sensitivity and risks associated with the system (see 01.b). | NIST SP 800-53 r4 AC-2 | This particular requirement is duplicative of the same requirements in 01.b, for which AC-2 is already mapped; other AC-2 requirements remain valid for this control
01.c | 2 | Updated: PCI cross reference | PCI DSS v2 7.1.1 → PCI DSS v3 7.1.2 | Control remapped in PCI DSS v3
01.c | 2 | Updated: PCI cross reference | PCI DSS v2 7.1.2 → PCI DSS v3 7.1.3 | Control remapped in PCI DSS v3
01.c | 2 | Removed: Access controls are implemented via an automated access control system. PCI cross reference | PCI DSS v2 7.1.4 | Requirement content is completely new and does not map to 01.c Level 2; requirement is not supported by any other cross-reference at level 2
01.c | 2 | Added: PCI cross reference | PCI DSS v3 A.1.1 | Process privileges map to 01.c
01.c | 2 | Added: PCI cross reference | PCI DSS v3 A.1.2 | Organizational (i.e., user) access and privileges maps to 01.c
01.c | 3 | Removed: Subject to PCI Compliance, Level 2 Regulatory Factor | Administrative change | No PCI references remain in level 3 after PCI DSS v2 8.5.16 was moved to 01.v as PCI DSS v3 8.7
01.c | 3 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-3 | Consistent with requirement to audit execution of privileged functions on information systems
01.c | 3 | Removed: The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access. PCI cross reference | PCI DSS v2 8.5.16 | Requirement is more closely related to 01.v, Information Access Restriction, rather than 01.c, Privilege Management; content and PCI mapping moved; content not specific to remaining mappings for this level
01.d | 1 | Added: x. passwords shall be prohibited from being reused for at least four (4) generations for users or six (6) generations for privileged users; and | Administrative change | Language updated to reflect NIST/CMS/PCI requirements and consistency with 01.f for password management
01.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Password management is part of credential management
01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.10 | Control remapped in PCI DSS v3
01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.11 | Control incorporated into v3 8.2.3 with v2 8.5.10
01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.11 | Control incorporated into v3 8.2.3 with v2 8.5.10; control requirement addressed in 01.d
01.d | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.8 | Requirement not addressed by language in 01.d level 1; requirement is addressed by 01.q level 1
01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.12 → PCI DSS v3 8.2.5 | Control remapped in PCI DSS v3
01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.2 → PCI DSS v3 8.2.2 | Control remapped in PCI DSS v3
01.d | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.9 → PCI DSS v3 8.2.4 | Control remapped in PCI DSS v3
01.d | 1 | Added: Alternatively, passwords/phrases must have a strength (entropy) at least equivalent to the parameters specified above. PCI cross reference | PCI DSS v3 8.2.3 | PCI DSS v2 8.5.10 updated to 8.2.3 in v3; language added to reflect additional flexibility afforded by the updated PCI control
01.d | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.4 | Updated mapping for 2013 ISO release
01.d | 2 | Updated: PCI cross reference | PCI DSS v2 8.4 → PCI DSS v3 8.2.1 | Control remapped in PCI DSS v3
01.d | 2 | Removed: PCI cross reference | PCI DSS v2 8.5.9 | Requirement is addressed in 01.f Level 1
01.e | 1 | Added: The following procedures shall be carried out to ensure the regular review of access rights by management: i. user’s access rights shall be reviewed after any changes, such as promotion, demotion, or termination of employment, or other arrangement with a workforce member ends; and ii. user’s access rights shall be reviewed and re-allocated when moving from one employment or workforce member arrangement to another within the same organization. | HIPAA §164.308(a)(3)(ii)(C) | Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members
01.e | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Recertification supports access permission management
01.e | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.5 | Updated mapping for 2013 ISO release
01.f | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.3.1 | Updated mapping for 2013 ISO release
01.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Consistent with credential management
01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.10 | Control requirement addressed in 01.d
01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.13 | Requirement is addressed by 01.p
01.f | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.14 | Requirement is addressed by 01.p
01.f | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.7 → PCI DSS v3 8.4 | Control remapped in PCI DSS v3
01.f | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.12 → PCI DSS v3 8.2.5 | Control remapped in PCI DSS v3
01.f | 1 | Updated: PCI cross reference | PCI DSS v2.0 8.5.9 → PCI DSS v3 8.2.4 | Control remapped in PCI DSS v3
01.f | 1 | Added: Password management policies shall be developed, documented, and adopted and communicated to all users to address the need to: | PCI DSS v3 8.4 | Modified to support updated language in PCI DSS v3
01.g | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.2.8 | Updated mapping for 2013 ISO release
01.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-2 | Physical access protections for unattended user equipment
01.h | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.2.9 | Updated mapping for 2013 ISO release
01.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Protections for removable media addressed by clean desk requirements
01.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Networks and network services are information assets to which users are authorized access
01.i | 1 | Added: ISO cross references | ISO/IEC 27001-2013 A.9.1.2 | Updated mapping for 2013 ISO release
01.i | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.1.2 | Updated mapping for 2013 ISO release
01.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-4 | Cataloguing is consistent with requirement for the identification of external information systems
01.i | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Baseline configuration requirement related to identification of necessary ports and services
01.j | PCI Data | Added: The organization shall incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support and maintenance). | PCI DSS v3 8.3 | PCI requirement is more stringent than existing language in 01.j level 1
01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Addresses monitoring requirements for remote and wireless access
01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Addresses credential and authentication requirements
01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Directly related to management of remote user access
01.j | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Addresses access controls for networks
01.j | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.6 → PCI DSS v3 8.1.5 | Control remapped in PCI DSS v3
01.j | 1 | Added: Remote access to business information across public networks shall only take place after successful identification and authentication. Remote access by vendors and business partners (e.g., maintenance, reports or other data access) Vendors accounts for remote maintenance shall be disabled unless specifically authorized by the management. If remote maintenance is performed, the organization shall closely monitor and control any activities, with immediate deactivation after use. Remote access to business partner accounts shall also be immediately deactivated after use. | PCI DSS v3 12.3.9 | Updated the language to reflect the addition of business partners to the remote access restriction
01.k | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Addresses identification and authentication requirements for equipment
01.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Addresses physical access to ports / network equipment
01.l | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Specifying allowable ports and services is part of baseline / configuration management
01.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1 | Supports sub-requirement PCI DSS v3 1.1.4, which is mapped to the control
01.m | 1 | Removed: PCI cross reference | PCI DSS v2 1.1.3 | Requirement renumbered to 1.1.4 in PCI DSS v3
01.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1.4 | Requirement renumbered to 1.1.4 in PCI DSS v3
01.m | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.11.4.5 | Updated mapping for 2013 ISO release
01.m | 2 | Added: A baseline of network operations and expected data flows for users and systems shall be established and managed. Separate domains shall then be implemented by controlling the network data flows … according to applicable flow control policies. NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Added language from NIST framework for additional clarity.
01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Data flow requirement
01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Restricting access via VLANs for user groups is related to the requirement to manage access permissions
01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Segregation requirement
01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Segmentation is one mechanism used to help prevent data leakage
01.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Requirements apply to all network segments, including those for communications and control
01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Deny all, permit by exception policy supports establishment of a baseline of network operations and expected data flows
01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Related to restriction of a user’s ability to connect to the internal network
01.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections help prevent data leakage
01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Requirement to limit number of remote connections is specifically made to support comprehensive network monitoring
01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Provides requirements supporting network segregation
01.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Requirements apply to all network segments, including those for communications and control
01.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Requires segregation and protections between internal and external network
01.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections help prevent data leakage
01.o | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Requires routing controls to be based on positive source and destination address checking mechanisms
01.o | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Specifies protection of internal directory services and IP addresses, which also supports protection of communications and control networks
01.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Secure log on procedures support identity and credential management requirements
01.p | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.13 → PCI DSS v3 8.1.6 | Control remapped in PCI DSS v3
01.p | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.14 → PCI DSS v3 8.1.7 | Control remapped in PCI DSS v3
01.p | 3 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release
01.q | PCI Data | Added: The organization shall not use group, shared, or generic IDs, passwords, or other authentication methods as follows: i. generic user IDs are disabled or removed. ii. shared user IDs do not exist for system administration and other critical functions. iii. shared and generic user IDs are not used to administer any system components. | PCI DSS v3 8.5 | PCI requirements are more stringent than existing language in 01.q Level 1
01.q | PCI Data | Added: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. | PCI DSS v3 8.5.1 | PCI requirement specific to service providers
01.q | PCI Data | Added: Where other authentication mechanisms are used (e.g., physical or logical security tokens, smart cards, and certificates), use of these mechanisms shall be assigned as follows: i. authentication mechanisms must be assigned to an individual account and not shared among multiple accounts. ii. physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access. | PCI DSS v3 8.6 | PCI requirement related to unique credentials is more stringent; placed in PCI segment
01.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Specifically addresses user identification and authentication requirements, e.g., verifiable unique IDs
01.q | 1 | Updated: PCI cross reference | PCI DSS v2 8.1 → PCI DSS v3 8.1.1 | Control remapped in PCI DSS v3
01.q | 1 | Removed: PCI cross reference | PCI DSS v2 8.3 | No relevant language in 01.q level 1 (language in level 2 addresses communications through an external network rather than originating from outside the network); requirement is addressed by 01.j level 1
01.q | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.8 → PCI DSS v3 8.5 | Control remapped in PCI DSS v3
01.q | 1 | Added: PCI cross reference | PCI DSS v3 12.3.2 | User authentication for use of information technology is explicitly addressed by 01.q, User identification and authentication
01.q | 1 | Added: PCI cross reference | PCI DSS v3 8.1 | New content in 8.1 is addressed by existing content in 01.q Level 1
01.q | 1 | Added: Before allowing access to system components or data, tThe organization shall require verifiable unique ID's for all types of users … | PCI DSS v3 8.1.1 | Modified existing content to more accurately reflect the requirement
01.q | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.2.1 | Updated mapping for 2013 ISO release
01.q | 2 | Removed: PCI cross reference | PCI DSS v2 3.2 | Requirement for authentication is related to authentication of the payment card rather than the user; content in 3.2, 3.2.1, 3.2.2 and 3.2.3 is better addressed in 09.q, Information handling procedures
01.q | 2 | Added: During the registration process to provide new or replacement hardware tokens, in-person verification shall be required. PCI cross reference | PCI DSS v3 8.2.2 | 8.2.2 is addressed by in-person registration requirement for tokens; language added for clarity
01.q | 2 | Added: PCI cross reference | PCI DSS v3 8.5.1 | New requirement related to unique credentials but specific to service providers; content placed in PCI segment
01.q | 2 | Added: PCI cross reference | PCI DSS v3 8.6 | New requirement related to unique credentials is more stringent; content placed in PCI segment
01.r | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Specifically addresses password (credential) management
01.r | 1 | Removed: PCI cross reference | PCI DSS v2 8.5.8 | Requirement not addressed by language in 01.r level 1; requirement is addressed by 01.q level 1
01.r | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.3 | Updated mapping for 2013 ISO release
01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Requires user identification, authentication, and authorization for access to system utilities
01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Restricting access to system utilities helps prevent misconfiguration (intentional or not), which supports data leakage prevention
01.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-3 | Directly related to the control of access to systems and assets
01.s | 2 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.4 | Updated mapping for 2013 ISO release
01.t | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release
01.t | 1 | Updated: PCI cross reference | PCI DSS v2 8.5.15 → PCI DSS v3 8.1.8 | Control remapped in PCI DSS v3
01.u | 1 | Added: ISO cross references | ISO/IEC 27002-2013 A.9.4.2 | Updated mapping for 2013 ISO release
01.v | PCI Data | Added: Where there is an authorized business need to allow the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media for personnel accessing cardholder data via remote-access technologies, the organization’s usage policies shall require the data be protected in accordance with all applicable PCI DSS requirements. | PCI DSS v3 12.3.10 | Requirement specific to cardholder data / PCI DSS
CSF Control
Control Level Summary of Changes* Authoritative Source Cross-
Reference(s) Remarks
01.v PCI Data
Added: All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
i. all user access to, user queries of, and user actions on databases are through programmatic methods.
ii. only database administrators have the ability to directly access or query databases.
Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).
PCI DSS v3 8.7 Requirements specific to cardholder data
01.v 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-4
Directly related to information access restriction
01.v 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Information access restriction directly supports DLP
01.v 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-3
Directly related to the control of access to systems and assets
01.v 2 Added: ISO cross references
ISO/IEC 27002-2013 A.9.4.1 Updated mapping for 2013 ISO release
01.v 3
Updated: For individuals accessing covered sensitive information (e.g., covered information, cardholder data) from a remote location, prohibit the copy, move, print (and print screen) and storage of cardholder data this information onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.
PCI DSS v3 12.3.10
Updated language to correct discrepancy between covered information and cardholder data and make the requirement more generic
01.v 3
Added: The organization shall restrict the use of database management utilities to only authorized database administrators. Users shall be prevented from accessing database data files at the logical data view, field, or field-value levels. Column-level access controls shall be implemented to restrict database access. PCI cross reference
PCI DSS v3 8.7
Requirement was moved from 01.c, Privilege Management, as it is most closely related to 01.v, Information Access Restriction. Language more specific to cardholder data added in the PCI segment
01.w 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-5
Sensitive system isolation directly related to network segregation
01.x 1 Added: ISO cross references
ISO/IEC 27002-2013 A.6.2.1 Updated mapping for 2013 ISO release
01.x 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-1
Encryption requirements support protection of data at rest
01.x 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-1
Provides baseline configuration requirements for mobile devices
01.y 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-3 Remote access requirements
01.y 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-2
Encryption requirements support protection of data in motion/transit
01.y 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3 Requires return of equipment
01.y 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-1
Sets baseline configuration requirements for teleworking equipment
01.y 3 Added: ISO cross references
ISO/IEC 27002-2013 A.6.2.2 Updated mapping for 2013 ISO release
02.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.1 Updated mapping for 2013 ISO release
02.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
General language regarding security roles and responsibilities, which would include identification, protection, detection, response and recovery
02.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Specifically addresses roles & responsibilities
02.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Roles & responsibilities include compliance (legal, regulatory) language
02.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Requires establishment of security roles and responsibilities; HR-related
02.a 1 Added: PCI cross reference
PCI DSS v3 12.4
Requirement for security policies and procedures to clearly define information security responsibilities for all personnel is addressed by 02.a, Roles & Responsibilities (prior to employment)
02.b 1 Added: ISO cross references
ISO/IEC 27002-2013 A.7.1.1 Updated mapping for 2013 ISO release
02.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Trustworthy personnel help prevent data leakage
02.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Specifically addresses screening requirements
02.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Terms & conditions of employment address the requirement to ensure workforce members understand their roles & responsibilities
02.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Terms address legal requirements for data protection
02.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Terms address confidentiality requirements
02.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Terms and conditions of employment include screening requirements
02.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.7.1.2 Updated mapping for 2013 ISO release
02.d 1 Added: ISO cross references
ISO/IEC 27002-2013 A.7.2.1 Updated mapping for 2013 ISO release
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6
Contains requirement to implement processes to conduct monitoring activities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
General language regarding roles & responsibilities; specific language related to monitoring (detect)
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Specifies management responsibility to ensure workforce members understand their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-1
Requires all users to be informed of their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-2
Requires all users to be informed of their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Requires third party users (e.g., contractors) to be informed of their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-4
Requires all users to be informed of their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-5
Requires all users to be informed of their roles & responsibilities
02.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Specifically addresses security in HR issues, such as a workforce development program
02.d 2
Added: These usage policies shall address the following if applicable:
i. explicit management approval (authorization) to use the technology; …
PCI DSS v3 12.3.1 Requirement was confounded with another statement, which was also corrected
02.d 2
Updated: These usage policies shall address the following if applicable:
ii. explicit management approval (authorization) to use the technology;
iii. authorization authentication for use of the technology;
iv. acceptable uses of the technologies (see 07.c); …
PCI DSS v3 12.3.2 Requirement was confounded with another statement, which was also corrected
02.e PCI Data
Added: The organization shall ensure the importance of cardholder data security is included in a formal security awareness program for all personnel.
PCI DSS v3 12.6 Awareness requirement for cardholder data is specific to PCI
02.e PCI Data
Added: The organization shall periodically inspect payment card device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
PCI DSS v3 9.9.3 Requirement is PCI-specific
02.e 1 Added: ISO cross references
ISO/IEC 27002-2013 A.7.2.2 Updated mapping for 2013 ISO release
02.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Education addresses legal requirements for data protection
02.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-1
Requires all users to be educated on their roles & responsibilities
02.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-2
Requires all users to be educated on their roles & responsibilities
02.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-4
Requires all users to be educated on their roles & responsibilities
02.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-5
Requires all users to be educated on their roles & responsibilities
02.e 2
Added: The organization’s security personnel… shall receive specialized security education and training appropriate to their role/responsibilities. Train developers in secure coding techniques, including how to avoid common coding vulnerabilities. Ensure developers understand how sensitive data is handled in memory. PCI cross reference
PCI DSS v3 6.5 New training requirement added to 6.5 in PCI DSS v3
02.e 2 Added: PCI cross reference
PCI DSS v3 9.9 Supports mapping of PCI DSS v3 9.9.3
02.e 2 Added: PCI cross reference
PCI DSS v3 9.9.3
Requirement to provide training on payment card device tampering and substitution is consistent with equipment education, training and awareness in 08.e; content is PCI-specific and added to the PCI segment
02.f 1 Added: ISO cross references
ISO/IEC 27002-2013 A.7.2.3 Updated mapping for 2013 ISO release
02.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Sanctioning workforce members for security violations is included in HR practices
02.g 1
Added: When an employee or other workforce member moves to a new position of trust, ...
HIPAA §164.308(a)(3)(ii)(C)
Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members
02.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Access termination is included in HR practices
02.g 2
Added: The organization shall have a documented termination process for all employees and other workforce members. The organization … provides appropriate personnel with access to official records created by a terminated employee or when the arrangement of a workforce member ends. The organization shall define any valid duties after termination employment or when the arrangement of a workforce member ends and shall be included in the employee's or workforce member’s contract or other arrangement. The communication … and the terms and conditions of employment or other workforce arrangement continuing for a defined period after the end of the employee's, contractor's or third party user's employment or other workforce arrangement.
HIPAA §164.308(a)(3)(ii)(C)
Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members
02.g 2 Added: ISO cross references
ISO/IEC 27002-2013 A.7.3.1 Updated mapping for 2013 ISO release
02.h 1 Added: ISO cross references
ISO/IEC 27002-2013 A.8.1.4 Updated mapping for 2013 ISO release
02.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Return of assets is part of termination, which is included in HR practices
02.i 1
Added: Upon termination … at least within 24 hours. Changes of employment or other workforce arrangement (e.g. transfers) shall be reflected in removal of all access rights that were not approved for the new employment or workforce arrangement. Access changes … that identifies them as a current member of the organization. If a departing employee, contractor, third party user or other workforce member has known passwords for accounts remaining active, these shall be changed upon termination or change of employment, contract, agreement, or other workforce arrangement. Access rights to information assets and facilities shall be reduced or removed before the employment or other workforce arrangement terminates or changes, depending on the evaluation of risk factors including:
i. whether the termination or change is initiated by the employee, contractor, third party user, other workforce member, or by management and the reason of termination;
ii. the current responsibilities of the employee, contractor, workforce member or any other user; and …
HIPAA §164.308(a)(3)(ii)(C)
Omnibus Rule expanded requirement for termination procedures from employees to all types of workforce members
02.i 1 Added: ISO cross references
ISO/IEC 27002-2013 A.9.2.6 Updated mapping for 2013 ISO release
02.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-1
Password (credential) changes due to termination support credential management requirements
02.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-4
Access changes due to personnel transfer support the requirement to manage access permissions, including least privilege and separation of duties
02.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Removal of logical access rights is part of the HR termination process
02.i 1 Updated: PCI cross reference
PCI DSS v2 8.5. v3 8.1.3 Control remapped in PCI DSS v3
02.i 1 Updated: PCI cross reference
PCI DSS v2 8.5.4 PCI DSS v3 8.1.3 Control remapped in PCI DSS v3
03.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-3
Requirement to prioritize organizational mission, objectives and activities is part of risk strategy development
03.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Directly supports cybersecurity risk management
03.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-1
Addressed by organizational strategy requirements
03.a 1
Added: Elements of the risk management program shall include:
1. … 2. management’s clearly stated level of acceptable risk; 3. …
NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-2 Clarified risk tolerance requirement
03.a 1
Added: Elements of the risk management program shall include:
1. … 2. management’s clearly stated level of acceptable risk, informed by its role in the critical infrastructure and healthcare-specific risk analysis; 3. …
NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-3
Added requirement to consider role and healthcare-specific risk analysis in the determination of risk tolerance
03.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-3
Mitigation or acceptance of risk associated with vulnerabilities are both addressed at a program level
03.b PCI Data
Added: Formal risk assessments shall be performed at least annually and upon significant changes to the environment. The assessments shall identify critical assets, threats and vulnerabilities.
PCI DSS v3 12.2 PCI requirements exceed the requirements specified in level 2
03.b 1
Removed: Subject to PCI Compliance, Subject to State of Massachusetts Data Protection Act Level 1 Regulatory Factor
Administrative change PCI requirements are more consistent with the requirements in 03.b, level 2
03.b 1
Added: They may be quantitative, semi- or quasi-quantitative, or qualitative but shall be consistent and comparable
Administrative change Intended to specifically include the most common approach to risk assessment
03.b 1
Added: Risk assessments (analysis) used to determine whether a breach of unsecured protected health information (PHI)—as a breach is defined by the Secretary of Health and Human Services—is reportable to the Secretary must demonstrate there is a low probability of compromise (lo pro co) rather than a significant risk of harm. The methodology shall, at a minimum, address the following factors:
i. the nature of the PHI involved, including the types of identifiers involved and the likelihood of re-identification;
ii. the unauthorized person who used the PHI or to whom the disclosure was made;
iii. whether the PHI was actually acquired or viewed;
iv. the extent to which the risk to the PHI has been mitigated; and
v. any other factors/guidance promulgated by the Secretary.
HIPAA cross reference
HIPAA §164.402 Specifically addresses the new requirements for breach risk analysis under the HIPAA Omnibus Rule
03.b 1 Added: ISO cross references
ISO/IEC 27002-2013 4.4 ISO/IEC 27002-2013 A.12.6.1 ISO/IEC 27002-2013 A.17.1.1
Updated mapping for 2013 ISO release
03.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
Asset vulnerabilities must be identified in order to address new vulnerabilities as required in the control language
03.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-3
External environment is addressed in level 2 but the initial requirement in level 1 is general enough to map this control (e.g., new attack sources)
03.b 1 Removed: PCI cross reference
PCI DSS v2 12.1.2
PCI risk analysis requirements are more stringent than what’s required in 03.b, level 1. Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years.
03.b 2
Added: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to … Level 2 Regulatory Factor
Administrative change PCI requirements are more consistent with the requirements in 03.b, level 2
03.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-4
Potential impact of a vulnerability should it be successfully exploited is determined as part of the risk analysis
03.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn’t addressed until level 2
03.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5
Although risk is addressed in level 1, requirement to specifically identify impact and likelihood isn’t addressed until level 2
03.b 2 Added: PCI cross reference
PCI DSS v3 12.2
PCI DSS v2 12.1.2 was remapped to 12.2. Requirements are consistent with level 2, with the exception of the requirement for annual assessment as opposed to one every two years.
03.c 1
Added: The organization implements … and the associated organizational information systems are prioritized and maintained; and document the remedial information … and other organizations are documented. NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-6
Language specifically addresses organization-wide priorities for risk response plans but earlier language updated for clarity
03.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-12
Mitigation of risk associated with vulnerabilities is part of the risk management process
03.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Primary purpose of remediation is to ensure protections are improved as part of the risk management lifecycle
03.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-3
Language specifically addresses risk responses and prioritization
03.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.6.1 ISO/IEC 27002-2013 A.12.7.1 ISO/IEC 27002-2013 A.17.1.1
Updated mapping for 2013 ISO release
03.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Ensures risk management processes are continuously updated to reflect changes in the environment
03.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Language specifically addresses updating of the risk management program to reflect changes in the environment (continuous improvement)
03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
New assets must be identified to reflect changes in risk
03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-3
General language on changes in the environment (e.g., new attack sources)
03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Addresses changes in the organization that affect risk
03.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5
Requires the program to be updated to reflect changes in risk, which includes threats, vulnerabilities, likelihoods and impacts per 03.b and 03.c
04.a PCI Data
Added: The organization shall ensure policies are documented, communicated (known to all parties) and in use for the following:
i. managing firewalls,
ii. managing vendor defaults and other security parameters,
iii. protecting stored cardholder data,
iv. encrypting transmissions of cardholder data,
v. protecting systems against malware,
vi. developing and maintaining secure systems and applications,
vii. restricting access to cardholder data,
viii. identification and authentication,
ix. restricting physical access to cardholder data,
x. monitoring access to network resources and cardholder data, and
xi. security monitoring and testing.
PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6
Requirement to provide documented policies is addressed by 04.a, level 1; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed in support of a PCI audit or assessment
04.a 1
Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D
04.a 1 Added: CMS cross reference
CMSRs 2012v1.5 PL-1 (HIGH) Requirement to establish an information security policy is addressed by 04.a
04.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.5.1.1 Updated mapping for 2013 ISO release
04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-1
Specifically addresses general information security policy requirement
04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Addresses legislative, regulatory and other requirements in information security policy
04.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Requires information security policy to address risk assessment and management
04.a 1 Added: NIST cross reference
NIST SP800-53 r4 PL-1 Requirement to establish an information security policy is addressed by 04.a
04.a 1 Removed: PCI cross reference
PCI DSS v2 12.1.1 Policy review requirement is addressed by 04.b
04.a 1 Removed: PCI cross reference
PCI DSS v2 12.8.2
04.a addresses general policy requirements but does not address specific policy for service providers; requirement is addressed by 05.k, Addressing Security in Third Party Agreements, for which 12.8.2 is already mapped
04.a 1 Added: PCI cross reference
PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6
Requirement to provide operational procedures is addressed by 05.a, level 3; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed
04.a 1
Added: An information security policy shall be developed, published, disseminated and implemented. The information security policy document shall state management's commitment …
PCI DSS v3 12.1 Policy requirement maps to 04.a
04.b 1
Removed: An information security policy shall be developed and implemented to provide the framework for setting management objectives for all aspects of security.
Administrative change Policy requirement maps to 04.a
04.b 1 Removed: CMS cross reference
CMSRs 2012v1.5 SA-1 (HIGH) Requirement for annual reviews is in level 2 vs. level 1
04.b 1 Added: CMS cross reference
CMSRs 2012v1.5 SA-1 (HIGH) Requirement for annual reviews is in level 2 vs. level 1
04.b 1 Added: ISO cross references
ISO/IEC 27002-2013 A.5.1.2 Updated mapping for 2013 ISO release
04.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-1
Related to the cyber requirement for general information security policy as the CSF control addresses policy review
04.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Requires policy updates when legislative, regulatory and other requirements change
04.b 1 Removed: PCI cross reference
PCI DSS v2 12.1 Requirement is focused on policy
04.b 2 Updated: PCI cross reference
PCI DSS v2 12.1.3 PCI DSS v3 12.1.1 Control remapped in PCI DSS v3
05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(A) Verified no relevant content remains
05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(B) Verified no relevant content remains
05.a 1 Removed: HIPAA cross reference
HIPAA §164.308(a)(3)(ii)(C) Verified no relevant content remains
05.a 2
Added: i. ensure that … goals are identified and considered, and address organizational and healthcare-specific requirements, and …
NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-2
Addresses requirement for organizations to consider their “place” in critical infrastructure
05.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-3
Specifically related to management requirements around information security strategy
05.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2 Consistent with control specification
05.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2
Addresses evaluation of information received from monitoring and reviewing of security incidents
05.b 2 Removed: PCI cross reference
PCI DSS v2 12.5.2
05.b addresses security coordination but does not require formally assigning responsibilities for monitoring, analyzing and distributing security alerts; this will be addressed by 05.c
05.b 2 Removed: PCI cross reference
PCI DSS v2 12.5.3
05.b addresses security coordination but does not require formally assigning responsibilities for distributing security incident response and escalation procedures; this will be addressed by 05.c
05.c 1 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.1 Updated mapping for 2013 ISO release
05.c 1 Added: Information security roles & responsibilities shall be coordinated and aligned with internal roles and external partners. NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2
Control specifically addresses allocation of responsibilities; Framework language added for clarification
05.c 1 Added: The organization shall formally assign the following specific information security responsibilities to an individual or team:
i. establishment, documentation and distribution of security policies and procedures;
ii. monitoring and analyzing security alerts and information, and distributing security alerts, information and analysis to appropriate personnel;
iii. establishment, documentation and distribution of security incident response and escalation procedures to ensure timely and effective handling of all situations;
iv. administering user accounts, including additions, deletions and modifications; and
v. monitoring and controlling all access to data.
PCI cross references
PCI DSS v3 12.5.2 PCI DSS v3 12.5.3 PCI DSS v3 12.5.4 PCI DSS v3 12.5.5
Formal assignment of specific information security responsibilities is best addressed by 05.c, Allocation of Information Security Responsibilities
05.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-1
Specifically addresses supply chain requirements for new information assets
05.e 1 Added: ISO cross references
ISO/IEC 27002-2013 A.13.2.4 Updated mapping for 2013 ISO release
05.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Confidentiality agreements support DLP
05.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Specifically addresses contact with authorities
05.f 2 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.3 Updated mapping for 2013 ISO release
05.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2 Requires procedures for reporting
05.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires sharing consistent with response plans, which is supported by testing
05.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-2
Requirement specific to contact with special interest groups: “share and exchange information about … threats, or vulnerabilities”
05.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-5
Requirement specific to contact with special interest groups: “provide suitable liaison points when dealing with information security incidents (see 11.c)”
05.g 2 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.4 Updated mapping for 2013 ISO release
05.h 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.2.1 Updated mapping for 2013 ISO release
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-4
Periodic review of the information security program ensures governance and risk management processes continue to address information and cybersecurity risks
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-1
Periodic review of the information security program helps ensure the program continues to address stipulated requirements
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-2
Periodic review of the information security program helps ensure the program continues to address stipulated requirements
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-3
Periodic review of the information security program helps ensure the program continues to address stipulated requirements
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Periodic review of the information security program ensures continuous improvement
05.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-8
Sharing of information re: control effectiveness with appropriate stakeholders is part of the third-party information protection program review
05.i 1 Updated: HIPAA cross reference
HIPAA §164.308(b)(4) HIPAA §164.308(b)(3) Control renumbered by the Omnibus Rule
Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered as 164.308(b)(3)
05.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-1
Expected data flows must be understood in order to support control requirements for identification of risk and minimal access (note level 2 also requires monitoring of connections)
05.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-3
Requires the organization to identify information provided or otherwise accessible by 3rd parties in order to evaluate the risks they represent; supports mapping requirement in 09.m
05.i 1 Added: Due diligence, including an evaluation of the information security risks posed by external parties, shall be carried out to identify any requirements for specific controls where access to sensitive information (e.g., covered information, cardholder data) by external parties is required prior to establishing a formal relationship with the service provider.
PCI DSS v3 12.8.3
Language updated to better reflect the intent of the control, 05.i, Identification of Risks Related to External Third Parties, and PCI DSS v3 12.8.3, which requires a risk analysis prior to establishing a formal relationship
05.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-3 Addresses customer access
05.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Addresses customer role and responsibilities
05.k PCI Data
Added: The organization shall identify and document information about which PCI DSS requirements are managed by each service provider, and which are managed by the organization.
PCI DSS v3 12.8.5
New requirement in PCI DSS v3 requiring formal delineation of responsibility for PCI controls with a third party service provider
05.k 1
Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D
05.k 1 Removed: xxi. intellectual property rights (IPRs) and copyright assignment (see 6.b) and protection of any collaborative work (see 5.e);
xxii. involvement of the third party with subcontractors, and the security controls these subcontractors need to implement; and
xxiii. conditions for renegotiation/termination of agreements …
HIPAA §164.308(b)(1)
Omnibus Rule specified the Covered Entity is not required to obtain satisfactory assurances from a BA for its BAs/subcontractors
05.k 1 Added: x. arrangements for reporting, notification (e.g., how, when and by whom), and … stating:
a. the third party... including:
a. the identification of each individual … disclosed during such breach;
b. all notifications shall be made without unreasonable delay and in no case later than 60 calendar days after the discovery of a breach if the BA is an agent of the covered entity, otherwise the timing of the notification should be explicitly addressed in the contract if the BA is not an agent of the covered entity; and …
HIPAA cross reference
HIPAA §164.410(b)
Clarified differences in reporting requirements for an agent of the CE as opposed to one who is not; addressing the timing of non-agent BA breaches in the contract eliminates ambiguity and may be considered a best practice
05.k 1 Added: xi. arrangements for reporting … stating:
a. the third party... including:
b. the identification of each individual … disclosed during such breach;
b. all notifications … if the BA is not an agent of the covered entity; and
c. evidence shall be maintained … delay; and
d. any other information that may be needed in the notification to individuals, either at the time notice of the breach is provided or promptly thereafter as information becomes available.
HIPAA cross reference
HIPAA §164.410(c)(2)
Added language addressing the requirement for additional information from the BA as it is discovered/developed
05.k 1
Added: The organization shall identify and mandate information security controls to specifically address supplier access to the organization’s information and information assets. The organization shall maintain written agreements (contracts)… ISO cross reference
ISO/IEC 27002:2013 A.15.1.1 Addresses information security in supplier relationships
05.k 1
Added: The organization shall maintain … the security of the organization’s information environment. Agreements shall include requirements to address the information security risks associated with information and communications technology services (e.g., cloud computing services) and product supply chain. The agreement shall ensure … the indemnity of the third party. ISO cross reference
ISO/IEC 27002:2013 A.15.1.3 Addresses information security in supplier relationships
05.k 1 Added: ISO cross references
ISO/IEC 27002-2013 A.15.1.1 ISO/IEC 27002-2013 A.15.1.2 ISO/IEC 27002-2013 A.15.1.3
Updated mapping for 2013 ISO release
05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6 Addresses monitoring requirement
05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Addresses 3rd party requirements, including roles & responsibilities
05.k 1 Added: The organization shall establish personnel security requirements including security roles and responsibilities for third-party providers that are coordinated and aligned with internal security roles and responsibilities. NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-2
Addresses 3rd party requirements, including roles & responsibilities; language added for clarification
05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Specifically addresses 3rd party requirements, including roles and responsibilities
05.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Addresses HR security-related requirements such as training and awareness
05.k 1 Added: The organization shall maintain written agreements (contracts) that include an acknowledgement that the third party (e.g., a service provider) is responsible for the security of the data the third party possesses or otherwise stores, processes or transmits on behalf of the organization, or to the extent that they could impact the security of the organization’s information environment. The agreement shall ensure that there is no misunderstanding …
PCI DSS v3 12.8.2
Although elements supporting the requirement are addressed by language in 05.k level 1, specific language was added to ensure written agreements address the full intent of the requirement
05.k 1 Added: PCI cross reference
PCI DSS v3 12.8.5
New requirement in PCI DSS v3 requiring formal delineation of responsibility for PCI controls with a third party service provider
05.k 1 Added: PCI cross reference
PCI DSS v3 12.9 Wording is identical to 12.8.2 but intended for / directed at the service provider
06.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.1 Updated mapping for 2013 ISO release
06.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses compliance with legal and regulatory requirements
06.b 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.2 Updated mapping for 2013 ISO release
06.b 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3 Requires automated auditing
06.c PCI Data
Added: The organization shall keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
i. Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
ii. Processes for secure deletion of data when no longer needed
iii. Specific retention requirements for cardholder data
iv. A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.
PCI DSS v3 3.1 New content in 3.1 is PCI-specific
06.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifies retention IAW all regulatory and legislative requirements
06.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Addresses maintenance/retention of all records IAW all regulatory and legislative requirements
06.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.3 Updated mapping for 2013 ISO release
06.d PCI Data
Added: The organization shall render the PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography, (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of the PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key management processes and procedures.
PCI DSS v3 3.4 PCI only requirement; PCI control already mapped at level 2
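The four approaches in the PCI DSS v3 3.4 row above, shown as an added example that is not part of the HITRUST CSF or PCI DSS text: a Python script (function names are assumed, and the sample PAN is the well-known 4111 1111 1111 1111 test number, constructed here and not a real cardholder PAN) that truncates a PAN, hashes the entire PAN with and without a secret key, and then demonstrates the caveat in the truncation bullet. If a truncated PAN and an unkeyed hash of the same PAN both exist in the environment, the masked middle digits can be brute-forced (at most 10^6 candidates for a 16-digit PAN, roughly a tenth of that after the Luhn check), so the hash no longer renders the PAN unreadable. A keyed hash under managed keys, or hashing and truncation never stored side by side, closes that gap.

```python
import hashlib
import hmac
from itertools import product

# Constructed sample: the well-known Visa test number, not a real cardholder PAN.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; lets the brute-force below skip about 90% of candidates."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """One-way hash of the entire PAN with no secret input.
    Shown only to demonstrate the weakness below; prefer hash_pan_keyed."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN with a secret key held under the
    organization's key-management procedures (the 'strong cryptography'
    bullet). Without the key an attacker cannot test candidate PANs."""
    if len(key) < 16:
        raise ValueError("key too short")
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan_from_truncation(truncated: str, unkeyed_digest: str):
    """Why 'hashing cannot be used to replace the truncated segment':
    given first six + last four and an unkeyed hash of the same PAN, the
    masked middle is at most 10**(len-10) guesses (10**6 for 16 digits)."""
    first6, last4 = truncated[:6], truncated[-4:]
    masked = len(truncated) - 10
    for digits in product("0123456789", repeat=masked):
        candidate = first6 + "".join(digits) + last4
        if luhn_ok(candidate) and hash_pan_unkeyed(candidate) == unkeyed_digest:
            return candidate
    return None


if __name__ == "__main__":
    key = b"\x00" * 32  # placeholder only; a real key comes from the HSM/KMS
    t = truncate_pan(SAMPLE_PAN)
    h = hash_pan_unkeyed(SAMPLE_PAN)
    print("truncated:", t)
    print("recovered from truncation + unkeyed hash:", recover_pan_from_truncation(t, h))
    print("keyed hash (not recoverable without the key):", hash_pan_keyed(SAMPLE_PAN, key))
```

The recovery function is the check an assessor would want to run mentally when reviewing a data store: any column that holds a truncated PAN next to an unsalted, unkeyed hash of the full PAN reduces "unreadable" to a six-digit search. The same reasoning applies to log files and backup media, which the 3.4 requirement explicitly covers.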
06.d PCI Data
Added: If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
PCI DSS v3 3.4.1 PCI only requirement; PCI control already mapped at level 2
06.d 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.4 Updated mapping for 2013 ISO release
06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Specifies monitoring (detection) to protect covered information
06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Consistent with relevant legislation policy language
06.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifies retention IAW all regulatory and legislative requirements
06.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3 Requires notice of monitoring
06.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Addresses HR security practices such as acceptable use agreements and rules of behavior
06.e 1 Removed: PCI cross reference
PCI DSS v2 12.5.5
11.a addresses misuse of assets but does not require formally assigning responsibilities for monitoring and controlling all access to data; this will be addressed in 05.c
06.e 1 Added: PCI cross reference
PCI DSS v3 12.3.1 Addresses requirement for management to approve access to information technologies
06.e 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.6.2 Updated mapping for 2013 ISO release
06.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses relevant legislation and regulations
06.f 2 Added: ISO cross references
ISO/IEC 27002-2013 A.18.1.5 Updated mapping for 2013 ISO release
06.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-1
Addresses mechanisms for authentication to a cryptographic module
06.g 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.2.2 Updated mapping for 2013 ISO release
06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
Specifies compliance reviews will be supported by system and information owners
06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Requires reports of non-compliance be documented and approved by management; additional requirements specified in level 2
06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses relevant legislation and regulations (e.g., HIPAA)
06.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-6
Level 1 states corrective actions for non-compliance are identified and implemented, but level 2 specifies compliance reviews are part of a formal risk assessment process
06.g 2
Removed: Results of reviews and corrective actions carried out shall be recorded and these records shall be maintained. The security organization shall maintain records of the compliance results in order to better track security trends within the organization and to address longer term areas of concern. NIST cyber cross-reference
Administrative change Removed duplicate text
06.g 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Requires the use of automated compliance tools/scans when possible; specifies continuous monitoring of security controls with respect to compliance
06.h 1 Added: ISO cross references
ISO/IEC 27002-2013 A.18.2.3 Updated mapping for 2013 ISO release
06.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-8
Technical compliance checks are supported by vulnerability scanning
06.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
Technical non-compliance results in a potential vulnerability
06.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-6
Similar requirements for analysis and corrective action planning as provided in 06.g
06.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-12
Technical compliance checks are part of a vulnerability management program
06.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-3
Specifically addresses mitigation of technical non-compliance issues (vulnerabilities)
06.i 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Audit supports continuous monitoring: specifies audits should not impact business operations; level 2 specifies additional requirements
06.i 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.7.1 Updated mapping for 2013 ISO release
06.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
Audit supports continuous monitoring: specifically addresses roles & responsibilities
06.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Audit supports continuous monitoring: specifically addresses dissemination of the audit plan
06.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Audit supports continuous monitoring: specifies limited requirements for audit processing
06.j 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-1
Audit supports continuous monitoring: restricts use of audit tools to authorized individuals only
07.a PCI Data
Added: The inventory of system components and devices in scope for PCI DSS shall identify all personnel authorized to use the system components and devices.
PCI DSS v3 12.3.3
Inventory requirement is addressed in level 1 but identification of personnel with access is more stringent and not addressed anywhere else in 07.a; PCI-specific content placed in PCI segment
07.a PCI Data
Added: The organization shall maintain an inventory of system components that are in scope for PCI DSS.
PCI DSS v3 2.4 New content in 2.4 is PCI-specific
07.a PCI Data
Added: The organization shall maintain an inventory of system components that are in scope for PCI DSS. Lists of payment card devices shall be kept up-to-date and include the following:
i. Make, model of device
ii. Location of device (for example, the address of the site or facility where the device is located)
iii. Device serial number or other method of unique identification.
PCI DSS v3 9.9.1
Requirement is PCI-specific and not addressed in level 2, which is required for PCI compliance. Inventory documentation requirements are addressed in level 3, but level 3 requires much more detail than PCI does
07.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-1 Specific to asset inventories
07.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-2 Specific to asset inventories
07.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Requires asset inventories identify classification and business value
07.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Addresses asset management; formal lifecycle management is specified in level 3
07.a 1 Added: The organization shall maintain an inventory of authorized wireless access points including a documented business justification, to support unauthorized WAP identification (see 09.m) and response (see 11.c). PCI cross reference
PCI DSS v3 11.1.1 New requirement supporting PCI DSS v3 6.1
07.a 2 Added: ISO cross references
ISO/IEC 27002-2013 A.8.1.1 Updated mapping for 2013 ISO release
07.a 2 Updated: PCI cross reference
PCI DSS v2 9.9.1 PCI DSS v3 9.7.1 Control remapped in PCI DSS v3
07.a 2 Added: PCI cross reference
PCI DSS v3 2.4 Previous content in 2.4 was moved to 2.6 in PCI DSS v3; new content maps to CSF control 07.a but is PCI-specific
07.a 2 Added: The organization shall maintain inventory logs of all media and conduct media inventories at least annually.
PCI DSS v3 9.7.1 Requirement was mapped to 09.a level 2 as PCI DSS v2 9.9.1 but not specifically addressed; language added
07.a 2 Added: PCI cross reference
PCI DSS v3 9.9 Supports mapping of PCI DSS v3 9.9.1
07.a 2 Added: PCI cross reference
PCI DSS v3 9.9.1
Requirement to maintain an inventory of payment card devices is consistent with asset inventory requirements in 07.a; content is PCI-specific and added to the PCI segment
07.b 1 Added: All information systems shall be documented including a method to accurately and readily determine the assigned owner of responsibility, contact information, and purpose (e.g., through labeling, coding, and/or inventory).
PCI DSS v3 12.3.4 Updated the language to accurately reflect the PCI requirement
07.b 2 Added: ISO cross references
ISO/IEC 27002-2013 A.8.1.2 Updated mapping for 2013 ISO release
07.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Requires owners to specify asset classification and business value
07.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Specifies responsibilities of asset owners
07.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Addresses asset management responsibilities of asset owners
07.c 1 Removed: The organization shall include in the rules of behavior, explicit restrictions on the use of social media and networking sites, posting information on commercial websites, and sharing information system account information.
Administrative change Duplicate text in control level; artifact
07.c 1 Added: ISO cross references
ISO/IEC 27002-2013 A.8.1.3 Updated mapping for 2013 ISO release
07.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Acceptable use supports data leakage prevention
07.c 1 Removed: PCI cross reference
PCI DSS v2 12.3.1
Explicit approval is not addressed by 07.c, level 1; requirement is addressed by 02.d, level 2, which is already mapped to 12.3.1
07.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Provides classification guidelines for information assets
07.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Classification guidelines support data leakage prevention
07.d 2 Added: ISO cross references
ISO/IEC 27002-2013 A.8.2.1 Updated mapping for 2013 ISO release
07.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Classification requires understanding of business value and impact due to a loss of the asset
07.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5 Specifically addresses risk
07.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Labeling and handling requirements support data leakage prevention
07.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-2
Addresses labeling and handling requirements for removable media
07.e 2 Added: ISO cross references
ISO/IEC 27002-2013 A.8.2.2 Updated mapping for 2013 ISO release
07.e 2 Updated: PCI cross reference
PCI DSS v2 9.7.1 PCI DSS v3 9.6.1 Control remapped in PCI DSS v3
08.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-2
Provides the use of alarms as an example of physical perimeter protection
08.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Provides the use of alarms as an example, which is meant to identify unauthorized intrusion
08.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Specifically addresses physical (perimeter) access protection
08.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Specifies compliance with regulatory requirements for fire doors
08.a 3 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.1 Updated mapping for 2013 ISO release
08.b PCI Data
Added: The organization shall ensure visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
PCI DSS v3 9.4.1 PCI requirement is more restrictive than existing language
08.b PCI Data
Added: Visitor logs shall include the name of the onsite personnel (workforce member) authorizing physical access.
PCI DSS v3 9.4.4 PCI DSS v3 9.4.4 is more restrictive as it requires the authorizing individual to be onsite.
08.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-2
Requires visitor escort (monitoring) and monitoring of third party service personnel
08.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Requires ability to clearly distinguish between workforce members and visitors, which supports identification (monitoring) of unauthorized personnel; physical intruder detection system requirements are specified in level 3
08.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Specifically addresses physical entry controls
08.b 1 Updated: PCI cross reference
PCI DSS v2 9.3.1 PCI DSS v3 9.4.1 Control remapped in PCI DSS v3
08.b 1 Added: PCI cross reference
PCI DSS v3 9.4 Supports PCI DSS v3 9.4.1 in level 1; moved from level 2
08.b 1
Added: All visitors shall be escorted and supervised (their activities monitored) unless their access has been previously approved. Access to areas where sensitive information (e.g., covered information, payment card data) is processed or stored shall be controlled and restricted to authorized persons only. All visitors shall be escorted and supervised (their activities monitored) unless their access has been previously approved.
PCI DSS v3 9.4.1 Re-ordered and additional language added for clarity. More restrictive PCI DSS requirement placed in PCI segment
08.b 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.2 Updated mapping for 2013 ISO release
08.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires notification of security personnel in the event an unauthorized person is identified by a member of the workforce
08.b 2 Removed: PCI cross reference
PCI DSS v2 9.3 PCI reference (v2 9.3 / v3 9.4) moved to support PCI DSS v3 9.4.1 in level 1
08.b 2 Updated: PCI cross reference
PCI DSS v2 9.3.2 PCI DSS v3 9.4.2 Control remapped in PCI DSS v3
08.b 2 Updated: PCI cross reference
PCI DSS v2 9.3.3 PCI DSS v3 9.4.3 Control remapped in PCI DSS v3
08.b 2 Updated: PCI cross reference
PCI DSS v2 9.4 PCI DSS v3 9.4.4 Control remapped in PCI DSS v3
08.b 2
Added: Authentication controls … shall be securely maintained. The organization shall ensure onsite personnel and visitors can be easily distinguished. All employees, contractors and third party users and all visitors shall be required … to surrender the badge or device before leaving the facility or upon expiration. The organization shall ensure onsite personnel and visitor identification (e.g., badges) are revoked or terminated when expired or when access is no longer authorized. Identification should also be updated when access requirements change to ensure their status can be easily distinguished.
PCI DSS v3 9.2 Language updated to reflect additional requirements specified in PCI DSS v3
08.b 2
Added: Authentication controls (e.g. access control card plus PIN) shall be used to authorize and validate all access. Access must be authorized and based on individual job function. An audit trail of all access shall be securely maintained. The organization shall ensure onsite personnel and visitors can be easily distinguished. All employees, contractors and third party users and all visitors shall be required … when expired or when access is no longer authorized, and all physical access mechanisms, such as keys, access cards and combinations, are returned disabled or changed. Identification should also be updated when access requirements change to ensure their status can be easily distinguished.
Added: PCI cross reference
PCI DSS v3 9.3 Content for 9.3 is new for PCI DSS v3; content consistent with 08.b
08.b 3
Removed: Combinations and keys shall be changed … and when keys are lost, combinations are compromised, or individuals are transferred or terminated.
Administrative change Requirement addressed in level 2 with the addition of language supporting PCI DSS v3 9.3
08.b 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Requires IDS installed in accordance with (IAW) applicable standards
08.b 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-3 Requires testing of IDS
08.b 3
Added: The organization shall monitor and investigate notifications from real-time physical intrusion alarms and surveillance equipment.
Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.AN-1
Requires monitoring of real-time physical intrusion alarms and surveillance equipment; clarification on response added.
08.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Requires consideration of relevant health and safety regulations when securing facilities
08.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.3 Updated mapping for 2013 ISO release
08.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-2 Specifies video monitoring
08.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3
Specifies monitoring of individual access to sensitive areas
08.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Specifies use of automated mechanisms to recognize potential intrusions
08.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Addresses securing of facilities for asset protection
08.d 1 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.4 Updated mapping for 2013 ISO release
08.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-5
Addresses requirements for the physical operating environment
08.e 1 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.5 Updated mapping for 2013 ISO release
08.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-2
Addresses requirements for locking and checking vacant secure areas
08.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Addresses requirements for locking and checking vacant secure areas
08.e 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires coordination with incident response team
08.f 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Addresses management of assets in public access areas, such as delivery and loading
08.f 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.1.6 Updated mapping for 2013 ISO release
08.g PCI Data
Added: The organization shall periodically inspect payment card device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device).
PCI DSS v3 9.9.2 Requirement is PCI-specific
08.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-5
Addresses policy requirements for equipment protection
08.g 1 Added: PCI cross reference
PCI DSS v3 9.9 Supports mapping of PCI DSS v3 9.9.2
08.g 1 Added: PCI cross reference
PCI DSS v3 9.9.2
Requirement to protect devices from tampering and substitution is consistent with equipment siting and protection in 08.g; content is PCI-specific and added to the PCI segment
08.g 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.1 Updated mapping for 2013 ISO release
08.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-4
Dependency of critical systems on utilities (power, water) is addressed
08.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-5
Addresses policy requirements for equipment protection
08.h 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Addresses physical access requirements for infrastructure assets
08.h 3 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.2 Updated mapping for 2013 ISO release
08.i 2
Added: The organization controls physical access to information system distribution and transmission lines within organizational facilities by disabling any physical ports (e.g., wiring closets, patch panels, etc.) not in use.
CMSRs 2012v1.5 PE-4
Provided clarification of the requirement to avoid confusion with standard network ports, which will be addressed by additional language from PCI DSS v3 9.1.1
08.i 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.3 Updated mapping for 2013 ISO release
08.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-2
Addresses physical access requirements for distribution and transmission lines
08.i 2
Added: The organization shall implement physical and/or logical controls to restrict access to publicly accessible network jacks.
PCI DSS v3 9.1.1
Original language specific to CMS IS ARS 2012v1.5 PE-4 did not address the requirement specified in PCI DSS v3 9.1.1
08.i 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Requires technical sweeps and physical inspections for unauthorized devices
08.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.MA-1
Specifically addresses security of maintenance activities
08.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.MA-2
Addresses remote maintenance requirements
08.j 2 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.4 Updated mapping for 2013 ISO release
08.j 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-1
Specifically addresses clearing of data prior to maintenance activities
08.k 1
Removed: Subject to PCI Compliance, Subject to FISMA Compliance Level 1 Regulatory Factor
Administrative change No remaining PCI cross references once PCI DSS v2 9.8 (PCI DSS v3 9.6.3) is removed
08.k 1 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.6 Updated mapping for 2013 ISO release
08.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Requires management of equipment taken outside the organization’s premises
08.k 1 Removed: PCI cross reference
PCI DSS v2 9.8
This control is specific to removing media from secured areas; no relevant content in 08.k level 1; specific language is addressed by 09.q level 2
08.l 1 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.7 Updated mapping for 2013 ISO release
08.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Addresses security requirements for asset reuse or disposal
08.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-6 Addresses secure disposal
08.l 1 Updated: PCI cross reference
PCI DSS v2 9.10.1 PCI DSS v3 9.8.1 Control remapped in PCI DSS v3
08.l 1 Updated: PCI cross reference
PCI DSS v2 9.10.2 PCI DSS v3 9.8.2 Control remapped in PCI DSS v3
08.m 1 Added: ISO cross references
ISO/IEC 27002-2013 A.11.2.5 Updated mapping for 2013 ISO release
08.m 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-3
Addresses management of property taken off-site
09.a PCI Data
Added: The organization shall ensure operational procedures are documented, communicated (known to all parties) and in use for the following:
i. managing firewalls,
ii. managing vendor defaults and other security parameters,
iii. protecting stored cardholder data,
iv. encrypting transmissions of cardholder data,
v. protecting systems against malware,
vi. developing and maintaining secure systems and applications,
vii. restricting access to cardholder data,
viii. identification and authentication,
ix. restricting physical access to cardholder data,
x. monitoring access to network resources and cardholder data, and
xi. security monitoring and testing.
PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6
Requirement to provide operational procedures is addressed by 05.a but documented operations procedures are specifically addressed by 09.a; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed in support of a PCI audit or assessment
09.a 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.1.1 Updated mapping for 2013 ISO release
09.a 1 Added: PCI cross reference
PCI DSS v3 1.5 PCI DSS v3 2.5 PCI DSS v3 3.7 PCI DSS v3 4.3 PCI DSS v3 5.4 PCI DSS v3 6.7 PCI DSS v3 7.3 PCI DSS v3 8.8 PCI DSS v3 9.10 PCI DSS v3 10.8 PCI DSS v3 11.6
Requirement to provide operational procedures is addressed by 05.a but documented operations procedures are specifically addressed by 09.a; cross references placed in level 1 due to PCI regulatory factor but content placed in PCI segment to ensure specific requirements are addressed
09.aa PCI Data
Added: A service provider shall protect each organization’s hosted environment and data by ensuring logging and audit trails are enabled and unique to each organization’s (customer’s) cardholder data environment and consistent with PCI DSS v3 Requirement 10.
PCI DSS v3 A.1.3
Specific language addressing logs and audit trails unique to each organization’s cardholder data environment
09.aa 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-1 Specifically addresses auditing
09.aa 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-3 Specifically addresses auditing
09.aa 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1 Specifically addresses auditing
09.aa 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.1 Updated mapping for 2013 ISO release
09.aa 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Addresses alarms from access control systems, AV, IDS, etc.
09.aa 2 Removed: PCI cross reference
PCI DSS v2 10.2.3 Requirement is addressed by 09.d
09.aa 2 Removed: PCI cross reference
PCI DSS v3 10.2.5 Specific requirements in PCI DSS v3 10.2.5 are addressed in level 3 rather than level 2
09.aa 3 Removed: PCI cross reference
PCI DSS v2 10.2.7 Requirement is addressed in level 2; PCI control already mapped at level 2; duplicate mapping
09.aa 3 Added: PCI cross reference
PCI DSS v3 10.2.5 Specific requirements in PCI DSS v3 10.2.5 are addressed in level 3 rather than level 2
09.aa 3
Added: The following shall be logged:
i. …
ii. the enabling, pausing or disabling of audit report generation services; and
PCI DSS v3 10.2.6 Updated language to reflect PCI DSS v3
09.ab PCI Data
Added: The organization shall review, at least daily, the logs of all system components that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
PCI DSS v3 10.6.1 Requirement specific to PCI DSS v3
09.ab 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-2
Requires compliance with applicable legal requirements
09.ab 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Specifically addresses legal and regulatory requirements for monitoring
09.ab 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.1 Updated mapping for 2013 ISO release
09.ab 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
Auditing supports identification and remediation of vulnerabilities
09.ab 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-2
Addresses detecting attacks and analyzing logs and audit trails
09.ab 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-3
Addresses collection and integration of data from multiple sources; correlation is specifically addressed in level 3
09.ab 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-1 Specifically addresses monitoring
09.ab 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Addresses audit record documentation and review
09.ab 3
Removed: Systems shall support audit reduction and report generation, and the results of monitoring activities shall be reviewed regularly.
Administrative change
Language is duplicative of other content in 09.ab, level 2; possible artifact from when additional language was added to the statement
09.ab 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-4 Monitors for malicious code
09.ab 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Addresses monitoring of remote connections
09.ab 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.DP-4
Requires alert notifications from automated tools; requires alerting of personnel to unauthorized modification of critical system files, etc.
09.ab 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.AN-1
Requires appropriate actions be taken, e.g., when an unauthorized connection is discovered
09.ab 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2 Addresses reporting
09.ab 3
Added: The results of monitoring activities shall be reviewed daily, through the use of automated tools, for those:
i. all security events,
ii. logs of all critical system components, and
iii. logs of all servers that perform security functions like intrusion detection system (IDS), intrusion prevention …
PCI DSS v3 10.6.1 Updated language to reflect additional requirements in PCI DSS v3 10.6.1
09.ab 3
Added: The automated tools shall generate alert notification for technical staff review and assessment. The organization shall review logs of all other system components periodically based on its policies and risk management strategy, as determined by the organization’s annual risk assessment.
PCI DSS v3 10.6.2 New requirement in PCI DSS v3
09.ab 3
Added: Suspicious activity or suspected violations on the information system identified during the review process shall be investigated, with findings reported to appropriate officials and take appropriate action.
Added: PCI cross reference
PCI DSS v3 10.6.3 Existing language modified to better reflect requirement in PCI DSS v3 10.6.3
09.ab 3
Added: The organization shall deploy a change-detection mechanism (e.g., file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
PCI DSS v3 11.5 Updated language to reflect changes in PCI DSS v3
09.ab 3
Added: The organization shall deploy a change-detection mechanism … or content files; and configures the software to perform critical file comparisons at least weekly, and responds to any alerts generated.
PCI DSS v3 11.5.1 Updated relevant language to reflect new requirement in PCI DSS v3
09.ac 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.1 ISO/IEC 27002-2013 A.12.4.3 Updated mapping for 2013 ISO release
09.ac 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Protection is part of audit log implementation
09.ac 3
Added: Write logs for external-facing technologies (wireless, firewalls, DNS, mail) onto a secure, centralized log server or media device on the internal LAN.
PCI DSS v3 10.5.4 Updated language to reflect clarification provided in PCI DSS v3 10.5.4
09.ac 3
Added: The organization shall … alerts (although new data being added should not cause an alert), and responds to any alerts generated.
PCI DSS v3 11.5.1 Updated relevant language to reflect new requirement in PCI DSS v3
09.ad 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.3 Updated mapping for 2013 ISO release
09.ad 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Addresses administrator and operator logs
09.ad 1 Removed: PCI cross reference
PCI DSS v2 A.1.3
09.ad only peripherally addresses the PCI DSS v3 A.1.3 requirement; specific language addressing logs and audit trails unique to each organization’s cardholder data environment will be addressed in the PCI segment for 09.aa, Audit Logging
09.ae 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.1 Updated mapping for 2013 ISO release
09.ae 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1 Addresses fault logging
09.af 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.4.4 Updated mapping for 2013 ISO release
09.af 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Clock synchronization is part of audit log implementation
09.af 1
Added: The organization shall synchronize all critical system clocks and times where a computer or communications device has the capability to operate a real-time clock. This clock shall be set …
PCI DSS v3 10.4 Language updated to better reflect the PCI DSS v3 requirement
09.af 1
Added: … This clock shall be set to an agreed standard received from industry-accepted time sources, either Coordinated Universal Time (UTC) or International Atomic Time. As some clocks are known to drift with time, there shall be a procedure that checks for and corrects any significant variation.
PCI DSS v3 10.4.3 Language from the PCI DSS v3 requirement added for clarification
09.b 2 Added: ISO cross references
ISO/IEC 27001-2013 8.1 ISO/IEC 27002-2013 A.12.1.2 Updated mapping for 2013 ISO release
09.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-3 Addresses change control processes
09.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AC-4
Specifically addresses segregation of duties
09.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Segregation can be applied to support data leakage prevention
09.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.6.1.2 Updated mapping for 2013 ISO release
09.d 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.1.4 Updated mapping for 2013 ISO release
09.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-7
Specifically addresses separation of development, test and production environments; level 1 addresses minimization of testing but level 2 addresses actual separation
09.d 2
Added: The level of separation between operational, test, and development environments shall be identified and controls shall be implemented to prevent operational issues, including:
i. along with removing accounts, a review of all custom code preceding the release to production or to customers must be completed in order to identify any possible coding vulnerability, to include at least the following:
a. code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices;
b. code reviews ensure code is developed according to secure coding guidelines;
c. appropriate corrections are implemented prior to release; and
d. code-review results are reviewed and approved by management prior to release.
PCI DSS v3 6.3.2 Added new language in PCI DSS v3
09.e 1 Updated: HIPAA cross reference
HIPAA §164.308(b)(4) HIPAA §164.308(b)(3)
Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered
09.e 2 Added: ISO cross references
ISO/IEC 27001-2013 8.1 Updated mapping for 2013 ISO release
09.e 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6 Addresses monitoring of service levels
09.e 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-4
Requires cataloguing of current service providers
09.e 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Requires the service provider to protect the organization’s data and ensure service continuity levels are met
09.e 2 Removed: PCI cross reference
PCI DSS v2 12.8.3
Monitoring service delivery is a due care issue; the intent of PCI DSS v3 12.8.3 is to exercise an appropriate level of due diligence prior to establishing a relationship
09.f 1 Updated: HIPAA cross reference
HIPAA §164.308(b)(4) HIPAA §164.308(b)(3)
Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered
09.f 2 Added: ISO cross references
ISO/IEC 27001-2013 8.1 ISO/IEC 27002-2013 A.15.2.1 Updated mapping for 2013 ISO release
09.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6
Specifically addresses security incidents as part of third-party monitoring
09.f 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Specifies monitoring shall involve a service management relationship and process between the organization and the third party
09.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-1
Level 1 requires change management procedures for third party services and level 2 identifies specific requirements for change management
09.g 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Level 1 requires change management procedures for third party services and level 2 identifies specific requirements for change management
09.g 2 Added: ISO cross references
ISO/IEC 27001-2013 8.1 ISO/IEC 27002-2013 A.15.2.2 Updated mapping for 2013 ISO release
09.h 1 Added: ISO cross references
ISO/IEC 27002-2013 A.12.1.3 Updated mapping for 2013 ISO release
09.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-4
Specifically addresses capacity requirements
09.h 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Addresses capacity requirements for audit logs (implementation)
09.i 2 Added: ISO cross references
ISO/IEC 27002-2013 A.14.2.9 Updated mapping for 2013 ISO release
09.j 1
Removed: Subject to PCI Compliance, Level 1 Regulatory Factors
N/A Moved from level 1 to accommodate addition of PCI requirements in level 2
09.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-4
Specifically addresses malicious code detection
09.j 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.2.1 Updated mapping for 2013 ISO release
09.j 2
Added: Subject to PCI Compliance, Subject to FISMA … Level 1 Regulatory Factors
N/A Moved from level 1 to accommodate addition of PCI requirements in level 2
09.j 2
Added: For systems considered to be not commonly affected by malicious software, the organization shall perform periodic assessments to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
Added: PCI cross reference
PCI DSS v3 5.1.2
Although considered a new best practice, the requirement was added to level 2 due to the analysis requirement; language supporting the new PCI DSS v3 5.3, which also provides a more stringent requirement, was already contained in level 2
09.j 2
Added: Malicious code protection mechanisms shall be centrally managed. Non-privileged users are prevented from circumventing malicious code protection capabilities, unless specifically authorized by management on a case-by-case basis for a limited time period.
Added: PCI cross reference
PCI DSS v3 5.3 Existing language modified to reflect new v3 requirement
09.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-5 Specifically addresses mobile code
09.k | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.12.2.2 | Updated mapping for 2013 ISO release
09.l | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-4 | Specifically addresses back-up
09.l | 1 | Updated: PCI cross reference | PCI DSS v2 9.5; PCI DSS v3 9.5.1 | Control remapped in PCI DSS v3
09.l | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.12.3.1 | Updated mapping for 2013 ISO release
09.m | PCI Data | Added: The organization shall ensure network diagrams identify all cardholder data connections. | PCI DSS v3 1.1.2 | Provides specific guidance for PCI cardholder data
09.m | PCI Data | Added: The organization shall ensure network diagrams identify all cardholder data connections and cardholder data flows. | PCI DSS v3 1.1.3 | New requirement in PCI DSS v3
09.m | PCI Data | Added: Using intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network, monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. | PCI DSS v3 11.4 | Requirement specific to a robust implementation of IDS/IPS in and around the cardholder data environment
09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Specifically addresses network diagrams that indicate data flows
09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-1 | Addresses monitoring of all authorized and unauthorized wireless access
09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Specifically addresses network diagrams that indicate data flows
09.m | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Specified network protections support data leakage prevention
09.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1 | Supports sub-requirements PCI DSS v3 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6 and 1.1.7, which are mapped to the control
09.m | 1 | Added: PCI cross reference | PCI DSS v3 1.1.5 | Added to reflect renumbering from 1.1.3 to 1.1.4 in PCI DSS v3
09.m | 1 | Added: Misconfigured wireless networks and vulnerabilities in … covered information environments. The organization monitors for all authorized and unauthorized wireless access to the information system and prohibits installation … PCI cross reference | PCI DSS v3 11.1 | Requirement modified in PCI DSS v3; previous mapping at 09.m level 2 was moved to level 1
09.m | 1 | Deleted: v. firmware on wireless devices to support strong encryption for authentication and transmission over wireless networks; vi. (renumbered v.) other security-related … | PCI DSS v3 2.1.1 | The requirement was removed from PCI DSS v3 and incorporated into the test procedures for the control (2.1.1d). Previous language was inconsistent with the rest of the list for “change the following”; requirements for strong encryption for authentication and transmission over wireless networks are addressed by other language
09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | Requires identification and authentication of network devices
09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Specifically addresses the use of firewalls to segment and protect the internal network
09.m | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Requires protection of information in transit
09.m | 2 | Removed: PCI cross reference | PCI DSS v2 11.1 | Language is addressed in level 1; cross reference moved
09.m | 2 | Removed: PCI cross reference | PCI DSS v2 4.1 | Requirement for encryption of data over public networks is not contained in 09.m; maps to content contained in 10.s
09.m | 2 | Added: PCI cross reference | PCI DSS v3 11.4 | New requirement related to intrusion detection addressed by 09.m
09.m | 3 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.1.1 | Updated mapping for 2013 ISO release
09.m | 3 | Removed: PCI cross reference | PCI DSS v3 1.1.5 | Removed due to renumbering of requirements in PCI DSS v3
09.m | 3 | Added: PCI cross reference | PCI DSS v3 1.1.7 | Added to reflect renumbering in PCI DSS v3 due to the addition of a new requirement at 1.1.3
09.n | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(3) (formerly §164.308(b)(4)) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered
09.n | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.1.2 | Updated mapping for 2013 ISO release
09.n | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-6 | Specifies certain responsibilities, e.g., the right to audit; additional requirements outlined in level 2
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Specifically addresses the information communicated for each connection, which is required to support documentation of data flows
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Provides for organizational monitoring of external service providers
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-7 | Provides for organizational monitoring of external service providers
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-3 | Requires identification of information communicated when authorizing system connections
09.n | 2 | Added: The organization shall: ii. centrally document for each connection, the interface characteristics, security requirements, and the nature of the information communicated. NIST cyber cross-reference | NIST Cybersecurity Framework ID.AM-4 | Requires authorization of connections to all external systems; clarification added
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Specifies providing services IAW applicable laws & regulations
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Specifies requirements for third parties, including contract provisions
09.n | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-4 | Addresses security requirements for each connection, which would include communications and control networks
09.o | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Specifically addresses removable media
09.o | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.3.1 | Updated mapping for 2013 ISO release
09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-3 | Requires formal management of assets awaiting and during disposal
09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Secure destruction supports data leakage prevention
09.p | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-6 | Specifically addresses destruction
09.p | 1 | Updated: PCI cross reference | PCI DSS v2 9.10; PCI DSS v3 9.8 | Control remapped in PCI DSS v3
09.p | 1 | Added: The organization shall destroy media when it is no longer needed for business or legal reasons. Formal procedures for the secure disposal … | PCI DSS v3 9.8 | Requirement was mapped to 09.p level 1 as PCI DSS v2 9.10 but not specifically addressed; language added
09.p | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.3.2 | Updated mapping for 2013 ISO release
09.q | PCI Data | Added: The system shall not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, the system shall render all data unrecoverable upon completion of the authorization process. | PCI DSS v3 3.2 | PCI only requirement
09.q | PCI Data | Added: The system shall not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data. | PCI DSS v3 3.2.1 | PCI only requirement
09.q | PCI Data | Added: The system shall not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions. | PCI DSS v3 3.2.2 | PCI only requirement
09.q | PCI Data | Added: The system shall not store the personal identification number (PIN) or the encrypted PIN block. | PCI DSS v3 3.2.3 | PCI only requirement
09.q | PCI Data | Added: The system shall mask the PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. (Note this requirement does not supersede stricter requirements in place for displays of cardholder data—for example, legal or payment card brand requirements for point-of-sale (POS) receipts.) | PCI DSS v3 3.3 | PCI only requirement
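The PAN display rule added above (PCI DSS v3 3.3) is concrete enough to implement and to test against. The following is an added example, not HITRUST or PCI SSC code: it masks a PAN to at most the first six and last four digits, serves the full PAN only to roles with a documented business need, and checks an already-rendered string for over-exposure. The role name, the 13–19 digit PAN length bounds and the test PAN are assumptions.

```python
import re

# Added example (not HITRUST or PCI SSC code): applies the display-masking rule
# quoted above from PCI DSS v3 3.3. At most the first six and last four PAN
# digits may be shown, and only roles with a legitimate business need see the
# full PAN. Role names and the 13-19 digit PAN length bounds are assumptions.

MAX_LEADING = 6    # most leading digits the rule allows to be displayed
MAX_TRAILING = 4   # most trailing digits the rule allows to be displayed
PAN_MIN_LEN, PAN_MAX_LEN = 13, 19

# Assumed role list: only these roles have a documented need for the full PAN.
ROLES_WITH_FULL_PAN_NEED = frozenset({"chargeback_analyst"})


class PanError(ValueError):
    """Raised for malformed PANs or a masking policy looser than the rule."""


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and insist on a plausible all-digit PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not PAN_MIN_LEN <= len(digits) <= PAN_MAX_LEN:
        raise PanError("input is not a plausible PAN")
    return digits


def is_allowed_visibility(leading: int, trailing: int) -> bool:
    """True when a first-N/last-M display choice stays within the rule."""
    return 0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING,
             mask_char: str = "*") -> str:
    """Return the PAN with everything but `leading`/`trailing` digits masked.

    Callers may choose a stricter display (e.g. last four only) but never a
    looser one than first six / last four.
    """
    digits = normalize_pan(pan)
    if not is_allowed_visibility(leading, trailing):
        raise PanError("policy allows at most the first six and last four digits")
    head = digits[:leading]
    tail = digits[len(digits) - trailing:]          # "" when trailing == 0
    return head + mask_char * (len(digits) - leading - trailing) + tail


def display_pan(pan: str, role: str) -> str:
    """Full PAN only for roles with a documented business need; masked otherwise."""
    if role in ROLES_WITH_FULL_PAN_NEED:
        return normalize_pan(pan)
    return mask_pan(pan)


def rendered_is_compliant(rendered: str, pan: str) -> bool:
    """Check a string already shown to a user against the rule.

    Useful as a QA/detection check over screens, receipts or reports: the
    rendering must keep the PAN's length, expose no digits in the middle, and
    show no more than six leading and four trailing digits.
    """
    digits = normalize_pan(pan)
    shown = re.sub(r"[ -]", "", rendered)
    if len(shown) != len(digits):
        return False
    lead = 0
    while lead < len(shown) and shown[lead].isdigit():
        lead += 1
    trail = 0
    while trail < len(shown) - lead and shown[-1 - trail].isdigit():
        trail += 1
    middle = shown[lead:len(shown) - trail]
    if any(c.isdigit() for c in middle):
        return False
    return lead <= MAX_LEADING and trail <= MAX_TRAILING


if __name__ == "__main__":
    sample = "4111 1111 1111 1111"   # constructed test PAN, not a real card
    print(display_pan(sample, "helpdesk"))            # 411111******1111
    print(display_pan(sample, "chargeback_analyst"))  # 4111111111111111
```

`rendered_is_compliant` is the piece worth wiring into release testing: run it over receipt templates and report screens with a test PAN to catch a rendering that leaks a seventh leading digit.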
09.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-3 | Requires procedures for handling, processing, communication and storage of information, including media awaiting disposal
09.q | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Requires procedures for handling, processing, communication and storage of information, including media awaiting disposal
09.q | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.2.3 | Updated mapping for 2013 ISO release
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.6; PCI DSS v3 9.5 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.7; PCI DSS v3 9.6 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.8; PCI DSS v3 9.6.3 | Control remapped in PCI DSS v3
09.q | 2 | Updated: PCI cross reference | PCI DSS v2 9.9; PCI DSS v3 9.7 | Control remapped in PCI DSS v3
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.1 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.2 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.2.3 | Requirements related to handling and storage of sensitive payment card authentication data
09.q | 2 | Added: PCI cross reference | PCI DSS v3 3.3 | PCI only requirement
09.q | 2 | Added: The organization shall maintain strict control over the storage and accessibility of media. Management shall approve any and all media … | PCI DSS v3 9.7 | Requirement was mapped to 09.q level 2 as PCI DSS v2 9.9 but not addressed; language added
09.r | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.RA-1 | Protection of system documentation is necessary to avoid disclosure of possible vulnerabilities
09.s | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.1 | Updated mapping for 2013 ISO release
09.s | 1 | Added: The organization shall ensure that communications protection requirements … and compliance audits (see 06.g) consistent with relevant legislation. NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Consistent with the “relevant legislation” policy language in the control objective, which was not explicitly addressed
09.s | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | Addresses requirements for remote access sessions
09.s | 1 | Added: Formal procedures shall be defined to encrypt data in transit including use of strong cryptography protocols to safeguard covered information during transmission over open public networks. • Only trusted keys and certificates shall be accepted • The protocol in use shall only support secure versions or configurations • The encryption strength shall be appropriate to the encryption methodology in use. PCI cross reference | PCI DSS v3 4.1 | Requirement is addressed in level 1 vice level 2; language updated to reflect changes in PCI DSS v3
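The three bullets in the 09.s level 1 language above (trusted keys and certificates only, secure protocol versions only, adequate encryption strength) map directly onto a TLS client configuration. The following added example, which is not HITRUST or PCI SSC code, shows a configuration that fails all three beside the corrected one, and an audit function that reports which bullets a given `ssl.SSLContext` fails; the 128-bit cipher strength floor is an assumed policy value.

```python
import ssl
from typing import List, Optional

# Added example (not HITRUST or PCI SSC code): the weak and corrected TLS client
# settings for the three 09.s bullets, plus an audit that names each failure.
# The 128-bit cipher strength floor is an assumed policy value.

MIN_CIPHER_STRENGTH_BITS = 128


def weak_client_context() -> ssl.SSLContext:
    """The 'before' configuration: any certificate, any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE            # untrusted keys/certificates accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # insecure versions allowed
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """The corrected configuration: trusted CAs only, TLS 1.2+, strong ciphers."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # system trust store if None
    ctx.check_hostname = True                  # certificate must match the peer name
    ctx.verify_mode = ssl.CERT_REQUIRED        # only trusted keys/certificates accepted
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # secure protocol versions only
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return one finding per failed bullet; an empty list means compliant."""
    findings = []
    # Bullet 1: only trusted keys and certificates shall be accepted.
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("accepts untrusted keys or certificates")
    # Bullet 2: the protocol shall only support secure versions or configurations.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("permits insecure protocol versions")
    # Bullet 3: encryption strength appropriate to the methodology in use.
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if c["strength_bits"] < MIN_CIPHER_STRENGTH_BITS})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_client_context()),
                       ("hardened", hardened_client_context())):
        print(label, audit_context(ctx) or ["compliant"])
```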
09.s | 2 | Removed: PCI cross reference | PCI DSS v2 4.1 | Requirement is addressed in level 1 vice level 2
09.t | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.2 | Updated mapping for 2013 ISO release
09.t | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AT-3 | Exchange agreements identify specific responsibilities for third-parties
09.u | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.8.3.3 | Updated mapping for 2013 ISO release
09.u | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Addresses data (media) in transit
09.u | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.PT-2 | Addresses transit of all media
09.u | 1 | Updated: PCI cross reference | PCI DSS v2 9.7.2; PCI DSS v3 9.6.2 | Control remapped in PCI DSS v3
09.v | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.13.2.3 | Updated mapping for 2013 ISO release
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal considerations, e.g., regarding electronic signatures
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Addresses electronic messaging
09.v | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Security of electronic messaging supports data leakage prevention
09.v | 1 | Updated: The organization shall never send unencrypted covered sensitive information (e.g., covered information, PANs) by end-user messaging technologies (e.g., e-mail, instant messaging, and chat). PCI cross reference | PCI DSS v3 4.2 | Requirement for covered information already addressed
09.w | 1 | Updated: HIPAA cross reference | HIPAA §164.308(b)(3) (formerly §164.308(b)(4)) | Prior content in 164.308(b)(3) was deleted in the Omnibus Rule; 164.308(b)(4) was subsequently renumbered
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.AE-1 | Addresses baselines for basic security hygiene in interconnected systems
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | Addresses segregation of untrusted and trusted networks
09.w | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Specifies baselines for basic security hygiene in interconnected systems
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal requirements for the use of cryptographic controls
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Specifies data in transit protections for electronic commerce, e.g., the use of cryptographic controls to enhance security
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifies data at rest protections for electronic commerce, e.g., the loss or duplication of order information
09.x | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Multiple requirements support data leakage prevention
09.x | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.2 | Updated mapping for 2013 ISO release
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Specifies data in transit protections for online transactions, e.g., the use of cryptographic controls
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifies security shall be maintained through all aspects of the transaction
09.y | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Multiple requirements support data leakage prevention
09.y | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.3 | Updated mapping for 2013 ISO release
09.z | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | Specifies only authorized individuals may post information onto publicly accessible information systems
09.z | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Requires protections for the integrity of the information stored, processed and transmitted
09.z | 2 | Added: ISO cross references | ISO/IEC 27001:2013 A.14.1.2 | Updated mapping for 2013 ISO release
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework DE.CM-6 | Requires vulnerability testing of publicly accessible systems
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Requires information to be obtained in compliance with any relevant legislation
09.z | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Requires testing to ensure security baselines and configurations are met
09.z | 3 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.1.2 | Updated mapping for 2013 ISO release
10.a | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-2 | Security requirements analysis and specification is the initial part of the SDLC process
10.a | 2 | Added: ISO cross references | ISO/IEC 27001:2013 A.6.1.5; ISO/IEC 27002:2013 A.14.1.1; ISO/IEC 27002:2013 A.14.2.1; ISO/IEC 27002:2013 A.14.2.5; ISO/IEC 27002:2013 A.14.2.6; ISO/IEC 27002:2013 A.14.2.8; ISO/IEC 27002:2013 A.17.2.1 | Updated mapping for 2013 ISO release
10.a | 2 | Added: … the project management methodology. Organizations shall establish and appropriately protect a secure development environment for system development and integration efforts that cover the entire system development lifecycle. ISO cross reference | ISO/IEC 27002:2013 A.14.2.6 | Addresses information security in system development and acquisition
10.a | 2 | Added: … and evolution of requirements. Organizations developing software or systems shall perform thorough testing and verification during the development process. Independent acceptance testing should then be undertaken (both for in-house and for outsourced developments) to ensure the system works as expected and only as expected. The extent of testing should be in proportion to the importance and nature of the system. ISO cross reference | ISO/IEC 27002:2013 A.14.2.8 | Addresses information security in system development and acquisition
10.a | 2 | Added: The organization shall apply information system security engineering principles in the specification, design, development, implementation, and modification of security requirements and controls in developed and acquired information systems. Organizations shall include business requirements for the availability of information systems when specifying security requirements. Where availability cannot be guaranteed using existing architectures, redundant components or architectures should be considered along with the risks associated with implementing such redundancies. Specifications for the security control requirements … ISO cross reference | ISO/IEC 27002:2013 A.17.2.1 | Incorporated new requirement to address system availability in the security engineering / SDLC process
10.a | 2 | Added: Information security shall be addressed in all phases of the project management methodology. ISO cross reference | ISO/IEC 27002:2013 A.6.1.5 | Addresses information security in system development and acquisition
10.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Data input validation helps prevent certain exploits that could result in data leakage
10.b | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Specific to data input integrity
10.b | 2 | Added: i. improper error handling (Do not leak information via error messages) ii. broken authentication/sessions (Prevent unauthorized individuals from compromising legitimate account credentials, keys or session tokens that would otherwise enable an intruder to assume the identity of an authorized user) | PCI DSS v3 6.5.10 | Added new validation requirement in PCI DSS v3
10.b | 2 | Added: For web applications and application interfaces (internal or external) this also includes but is not limited to: i. cross-site scripting (XSS) (Validate all parameters before inclusion, utilize context-sensitive escaping, etc.) ii. improper Access Control, such as insecure direct object references, failure to restrict URL access, and directory traversal, and failure to restrict user access functions | PCI DSS v3 6.5.8 | Added new language in PCI DSS v3
10.b | 2 | Added: For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: i. reviewing applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; ii. installing an automated technical solution that detects and prevents Web-based attacks (e.g., a Web-application firewall) in front of public-facing Web applications, to continually check all traffic. | PCI DSS v3 6.6 | Existing language was not specific to public-facing Web applications nor did it address the requirement for a technical solution; language added to reflect actual requirements
10.c | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Specific to integrity of processing
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Specifically addresses data in transit
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-5 | Controls prevent data leakage during messaging
10.d | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-6 | Addresses integrity of data during messaging
10.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Cryptographic control requirements support protection of data at rest
10.f | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Cryptographic control requirements support protection of data in transit
10.f | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.10.1.1 | Updated mapping for 2013 ISO release
10.f | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework ID.GV-3 | Addresses legal and regulatory requirements for cryptography
10.g | PCI Data | Added: Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times: i. Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key. ii. Within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of-interaction device). iii. As at least two full-length key components or key shares, in accordance with an industry-accepted method. | PCI DSS v3 3.5.2 | New content in 3.5.2 is PCI-specific
10.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-1 | Cryptographic control requirements support protection of data at rest
10.g | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-2 | Cryptographic control requirements support protection of data in transit
10.g | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.10.1.2 | Updated mapping for 2013 ISO release
10.g | 2 | Added: PCI cross reference | PCI DSS v3 3.4 | General requirement to protect cryptographic keys addressed by 10.g
10.g | 2 | Added: v. storing keys in the fewest possible locations, including how authorized users obtain access to keys; PCI cross reference | PCI DSS v3 3.5.3 | General requirement for storing cryptographic keys addressed in 10.g
10.g | 2 | Added: A key management system shall be based on a formal set of standards, procedures, and secure methods for: i. verifying identity prior to generating new keys or certificates for users; ii. … | PCI DSS v3 8.2.2 | Added new language in 8.2.2 that expands verification of user identity beyond passwords to other types of authenticators
10.h | 1 | Added: ISO cross references | ISO/IEC 27002:2013 A.12.5.1 | Updated mapping for 2013 ISO release
10.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-1 | Requires maintenance of current information system baselines
10.h | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.IP-3 | Requires maintenance of operational software IAW configuration baselines
10.h | 2 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.DS-7 | Requires testing of operational software on separate (non-production) systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-1 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-2 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-3 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-4 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 1 | Added: NIST cyber cross-reference | NIST Cybersecurity Framework PR.AC-5 | States the access control procedures, which apply to operational application systems, shall also apply to test application systems
10.i | 2 | Added: ISO cross references | ISO/IEC 27002:2013 A.14.3.1 | Updated mapping for 2013 ISO release
10.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-1
States security controls shall be equally applied to non-production environments as production environments
10.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-2
States security controls shall be equally applied to non-production environments as production environments
10.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Specifies audit trail for use of operational information
10.i 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-3
States personnel developing & testing system code from having access to production libraries (least privilege)
10.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-5
Safeguarding against the introduction of unauthorized functionality supports data leakage prevention
10.j 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-3
States access to program source code shall be restricted
10.j 2 Added: ISO cross references
ISO/IEC 27002-2013 A.9.4.5 Updated mapping for 2013 ISO release
10.k 1 Added: ISO cross references
ISO/IEC 27001-2013 8.1 ISO/IEC 27002-2013 A.14.2.3 Updated mapping for 2013 ISO release
10.k 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-3
Requires change control; specific requirements contained in level 2
10.k 2 Added: ISO cross references
ISO/IEC 27002-2013 A.14.2.2 ISO/IEC 27002-2013 A.14.2.3 Updated mapping for 2013 ISO release
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6 Addresses roles and responsibilities
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Specifies identification of potential impacts
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5 Requires risk assessment
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Specifies requirements in third party agreements / contracts
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-2
States procedures must be incorporated into the SDLC process
10.k 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-3
Restricts access based on least privilege / minimum necessary
10.k 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-1
Requires monitoring of configuration settings
10.k 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-7
Requires auditing of automated access restriction enforcement actions
10.k 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-1
Specifically requires current configuration baselines for information systems
10.l 1 Added: ISO cross references
ISO/IEC 27001-2013 8.1 ISO/IEC 27002-2013 A.14.2.7 Updated mapping for 2013 ISO release
10.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-4 Requires testing for malicious code
10.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-1
Role in the supply chain is communicated through contractual requirements
10.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-3
Protection against supply chain threats requires identification of those threats
10.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-6
Protection against supply chain threats requires identification of risk response
10.l 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-3
Addresses contract requirements for outsourced software development
10.l 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-6
Requires supervision and monitoring of outsourced software development
10.l 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-2
Addresses security in the SDLC for outsourced software development up to implementation
10.m PCI Data
Added: Perform quarterly internal vulnerability scans and rescans as needed, until all “high-risk” vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel.
PCI DSS v3 11.2.1 Added content to PCI segment due to additional criteria for rescans and qualified personnel
10.m PCI Data
Added: Perform quarterly external vulnerability scans, via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved.
PCI DSS v3 11.2.2 Added content to PCI segment due to additional criteria for rescans and use of a PCI SSC-approved ASV
10.m PCI Data
Added: Perform internal and external scans, and rescans as needed, after any significant change. Scans must be performed by qualified personnel.
PCI DSS v3 11.2.3 Added content to PCI segment due to additional criteria for rescans and qualified personnel
10.m PCI Data
Added: Implement a methodology for penetration testing that:
i. is based on industry-accepted penetration testing approaches (e.g., NIST SP 800-115),
ii. includes coverage for the entire card data environment (CDE) perimeter and critical systems,
iii. includes testing from both inside and outside the network,
iv. includes testing to validate any segmentation and scope-reduction controls,
v. defines application-layer penetration tests to include, at a minimum, the vulnerabilities identified in 10.b, level 1 (reference PCI DSS v3 6.5),
vi. defines network-layer penetration tests to include components that support network functions as well as operating systems,
vii. includes review and consideration of threats and vulnerabilities experienced in the last 12 months, and
viii. specifies retention of penetration testing results and remediation activities’ results.
PCI DSS v3 11.3
Extensive requirements for the implementation of a penetration testing methodology are specific to PCI DSS v3
10.m PCI Data
Added: If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems.
PCI DSS v3 11.3.4 New requirement related to pen testing addressed in 10.m, level 3; this requirement is specific to PCI
10.m 1 Added: NIST cyber cross-references
NIST Cybersecurity Framework ID.RA-1, ID.RA-2
Requires the organization to obtain timely information about technical vulnerabilities
10.m 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Requires evaluation of an organization’s exposure; actual risk assessment is specified in level 2
10.m 1 Added: NIST cyber cross-references
NIST Cybersecurity Framework ID.RA-6, RS.MI-3
Requires remediation of identified vulnerabilities
10.m 1
Removed: A web-application firewall shall be placed in front of public-facing web applications to detect and prevent web-based attacks. PCI DSS v2 6.6
PCI DSS v3 6.6
Language was changed in v3; Web-application firewall is only an example of the type of solution that may be required; PCI DSS v2 6.6 is addressed by CSF control 10.b Level 2
10.m 2 Added: ISO cross references
ISO/IEC 27002-2013 A.12.6.1 Updated mapping for 2013 ISO release
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.CM-8
Requires vulnerability monitoring and assessments
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Requires establishment of roles and responsibilities
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5
Requires assignment of a risk ranking to newly discovered vulnerabilities
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-12
Requires a technical vulnerability management program
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-1
Requires auditing (logging) of all procedures undertaken
10.m 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires the organization to identify any coordination responsibilities required
10.m 2 Updated: PCI cross reference
PCI DSS v2 6.2 PCI DSS v3 6.1 Control remapped in PCI DSS v3
10.m 2
Added: Internal and external vulnerability assessments of covered sensitive information systems (e.g., systems containing covered information, cardholder data) and networked environments shall be performed on a quarterly basis, and after any significant change in the network (e.g., new system component installations, changes in network topology, firewall rule modifications, product upgrades), by a qualified individual. These tests shall include both network- and application-layer tests.
PCI DSS v3 11.2 Added language based on changes in PCI DSS v3 11.2
10.m 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.PT-3
Specifies privileged access authorization to facilitate more thorough scanning
10.m 3 Updated: PCI cross reference
PCI DSS v2 6.1 PCI DSS v3 6.2 Control remapped in PCI DSS v3
10.m 3
Updated: Perform external and internal network penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a Web server added to the environment). The penetration test should also include application-layer penetration tests. Perform an enterprise security posture review annually.
PCI DSS v3 11.3.1 PCI DSS v3 11.3.2
Updated with additional language from PCI DSS v3 11.3.1 and 11.3.2; the enterprise security posture review is now stated as a separate requirement to avoid confusion with the pen test requirements.
10.m 3
Added: … The penetration test should also include application-layer penetration tests. Exploitable vulnerabilities found during penetration testing are corrected and testing is repeated to verify the corrections.
PCI DSS v3 11.3.3 New requirement related to pen testing addressed in 10.m, level 3
11.a PCI Data
Added: The organization shall designate specific personnel to be available on a 24/7 basis to respond to alerts.
PCI DSS v3 12.10.3 24/7 response exceeds requirements specified in 11.a, level 1
11.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2
Requires reporting IAW specified criteria
11.a 1 Updated: PCI cross reference
PCI DSS v2 12.9 PCI DSS v3 12.10 Control remapped in PCI DSS v3
11.a 1 Updated: PCI cross reference
PCI DSS v2 12.9.3 PCI DSS v3 12.10.3 Control remapped in PCI DSS v3
11.a 2
Removed: Subject to PCI Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D
11.a 2
Added: Reports to the individuals affected by the incident shall be … included in the breach. For fewer than 10 individuals, a substitute form of notice reasonably calculated to reach the individual shall be provided, except when there is insufficient or out-of-date information that precludes written notification to the next of kin or personal representative. The organization shall also notify, without …
HIPAA § 164.404(d)(2) Added missing requirement for fewer than 10 individuals when substitute notice is required.
11.a 2
Added: The policy shall refer to the specific ... Procedures shall be developed to provide for the definition and assessment of information security incidents (e.g., an event/incident classification scale to decide whether an event classifies as an incident), roles and responsibilities, incident handling, reporting and communication processes ISO cross reference
ISO/IEC 27002:2013 A.16.1.4 Provides additional clarification for existing requirement for the definition of information security incidents
11.a 2 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.4 Updated mapping for 2013 ISO release
11.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Outlines specific reporting requirements from the HIPAA Data Breach Notification Rule
11.a 2 Removed: PCI cross reference
PCI DSS v2 12.5.2
11.a addresses reporting information security events but does not require formally assigning responsibilities for monitoring, analyzing and distributing security alerts; this will be addressed in 05.c
11.a 2 Removed: PCI cross reference
PCI DSS v2 12.5.3
11.a addresses related procedures but does not require formally assigning responsibilities for establishing, documenting and distributing security incident response and escalation procedures; this will be addressed in 05.c
11.a 2 Updated: PCI cross reference
PCI DSS v2 12.9.1 PCI DSS v3 12.10.1 Control remapped in PCI DSS v3
11.a 2 Updated: PCI cross reference
PCI DSS v2 12.9.4 PCI DSS v3 12.10.4 Control remapped in PCI DSS v3
11.a 2 Updated: PCI cross reference
PCI DSS v2 12.9.5 PCI DSS v3 12.10.5 Control remapped in PCI DSS v3
11.a 3 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.2 Updated mapping for 2013 ISO release
11.a 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Requires improvement of implemented controls based on analysis of prior incidents
11.b 1 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.3 Updated mapping for 2013 ISO release
11.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
Requires reporting of potential weaknesses (vulnerabilities)
11.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-9
Establishes incident response capability (policies, procedures)
11.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.AN-4
Requirement to handle different types of incidents is specified (w/ examples provided)
11.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-1 Specifies containment
11.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-2 Specifies corrective actions (mitigation)
11.c 1 Updated: PCI cross reference
PCI DSS v2 12.9 PCI DSS v3 12.10 Control remapped in PCI DSS v3
11.c 1
Added: Procedures shall be established to handle different types of information security incidents including: … viii. identity theft; and ix. unauthorized wireless access points. PCI cross reference
PCI DSS v3 11.1.2 New requirement supporting PCI DSS v3 6.1
11.c 2
Removed: Subject to PCI Compliance, Subject to FISMA Compliance, Subject to HITECH Breach Notification Requirements, Subject to … Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D
11.c 2
Added: The organization shall respond to incidents in accordance with the documented procedures, which should include but not be limited to the following:
i. collecting evidence as soon as possible after the occurrence (see 11.e);
ii. conducting information security forensic analysis, as required (see 11.e);
iii. escalation, as required;
iv. ensuring that all involved response activities are properly logged for later analysis;
v. communicating the existence of the information security incident or any relevant details thereof to other internal and external people or organizations with a need-to-know;
vi. dealing with information security weakness(es) found to cause or contribute to the incident; and
vii. once the incident has been successfully addressed, formally closing and recording it.
ISO cross reference
ISO/IEC 27002:2013 A.16.1.5 New ISO control is intended to ensure organizations actually implement the procedures they develop
11.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.1 ISO/IEC 27002-2013 A.16.1.5 Updated mapping for 2013 ISO release
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-3
The monitoring of systems, alerts, and vulnerabilities is used to detect information security incidents
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-1
Requires training of incident response personnel
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3
Requires communication of incident response policy/procedures to appropriate parties in the organization
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-4
Multiple requirements addressing communication and coordination
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.IM-2
Periodic reviews of the incident response capability, which includes recovery strategies, are required
11.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.RP-1
Multiple requirements imply execution of response capability
11.c 2 Updated: PCI cross reference
PCI DSS v2 12.9.1 PCI DSS v3 12.10.1 Control remapped in PCI DSS v3
11.c 2 Updated: PCI cross reference
PCI DSS v2 12.9.2 PCI DSS v3 12.10.2 Control remapped in PCI DSS v3
11.c 2 Updated: PCI cross reference
PCI DSS v2 12.9.4 PCI DSS v3 12.10.4 Control remapped in PCI DSS v3
11.c 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Requires reporting consistent with applicable laws & regulations
11.c 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-1
Order of operations (roadmap, approach) is addressed in level 3; responsibilities are also addressed
11.c 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-5
Requires communications (voluntary sharing) with stakeholders (e.g., CERT, FedCIRC)
11.c 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.IM-1
Requires updates to policies and procedures based on lessons learned (only periodic reviews are required in level 2)
11.c 3 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-2
Requires reporting to appropriate authorities (external, e.g., law enforcement)
11.d 1 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.6 Updated mapping for 2013 ISO release
11.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-1
Requires evaluation of incidents to determine likelihood and impact, which necessarily requires threat modeling
11.d 1 Added: NIST cyber cross-references
NIST Cybersecurity Framework DE.AE-4, RS.AN-2
Requires identification of recurring or high impact incidents
11.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.RP-1
Lessons learned imply the capability was implemented
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-2
Requires analysis as part of the incident capability
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-3
Components of the incident response capability include IPS, IDS, forensics, and vulnerability assessments
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Requires definition of roles and responsibilities
11.d 2
Added: The organization shall: 1. implement an incident handling capability for security incidents that includes detection and analysis, containment, eradication, and recovery (including public relations);
NIST cyber cross-reference
NIST Cybersecurity Framework RC.CO-1
Lessons learned imply implementation; capability includes recovery and language added for clarification around public relations
11.d 2
Added: The organization shall: 2. implement an incident handling capability for security incidents that includes detection and analysis, containment, eradication, and recovery (including public relations and reputation management);
NIST cyber cross-reference
NIST Cybersecurity Framework RC.CO-2
Lessons learned imply implementation; capability includes recovery and language added for clarification around mitigating negative impact to organizational reputation
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.CO-3
Requires coordination of incident handling activities with contingency planning
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.IM-1
Requires incorporation of lessons learned (capability includes recovery)
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.IM-2
Requires implementation of changes IAW lessons learned (capability includes recovery)
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.IP-1
Lessons learned imply implementation; capability includes recovery and language added for clarification around public relations
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.AN-1
Requires detection and analysis (investigation)
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.AN-2 Addresses forensics
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-3 Requires communication
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-4 Requires coordination
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.IM-1
Requires incorporation of lessons learned
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.IM-2
Requires implementation of changes IAW lessons learned
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-1 Addresses containment
11.d 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.MI-2 Addresses eradication (mitigation)
11.d 2 Updated: PCI cross reference
PCI DSS v2 12.9.6 PCI DSS v3 12.10.6 Control remapped in PCI DSS v3
11.e PCI Data
Added: A service provider shall protect each organization’s hosted environment and data by enabling processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
PCI DSS v3 A.1.4
Specific language addressing logs and audit trails unique to each organization’s cardholder data environment
11.e 1
Removed: Subject to HITECH Breach Notification Requirements Level 1 Regulatory Factor
Administrative change
HITECH breach notification requirements incorporated into the HIPAA Administrative Simplification at Subpart D
11.e 1 Added: NIST cyber cross-references
NIST Cybersecurity Framework ID.GV-3, RS.AN-2
Addresses collection of evidence IAW the laws of the relevant jurisdiction(s)
11.e 2 Added: ISO cross references
ISO/IEC 27002-2013 A.16.1.7 Updated mapping for 2013 ISO release
11.e 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-11
Requires procedures for the purposes of disciplinary action (HR security)
12.a 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Requires identification of all critical information system assets
12.a 2 Added: ISO cross references
ISO/IEC 27002-2013 A.17.1.2 Updated mapping for 2013 ISO release
12.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-4
Requires an understanding of the risks, including likelihood and impact
12.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Requires assignment of responsibilities to an individual at an appropriate level within the organization
12.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-5
Requires an understanding of the impact incidents have on the business in order to establish the business objectives for the information assets
12.a 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-9
Identifies key elements of the business continuity program
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-2
Requires a holistic view of the organization’s environment to determine potential causes of interruption
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-4
Requires a plan to implement the overarching business continuity strategy; additional detail provided in level 2
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-1
Requires identification of vulnerabilities with respect to the identified threats (part of risk assessment)
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-3
Requires identification of internal and external threats to continuity of operations
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-4
Requires determination of potential impacts
12.b 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RA-5 Requires a risk determination
12.b 2 Added: ISO cross references
ISO/IEC 27002-2013 A.17.1.2 Updated mapping for 2013 ISO release
12.b 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.RM-3
Requires a BIA with respect to the consequences of disasters, security failures, loss of service and service availability
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Addresses required business objectives for restoration (priorities)
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Addresses roles and responsibilities in the planning process
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-4
Addresses assessment of internal and external dependencies
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-5 Establishes RTOs/RPOs
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-9
Specifically addresses business continuity implementation and management; additional detail provided in levels 2 & 3
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.CO-3
Addresses distribution to specific individuals or their functional equivalents
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.RP-1
Control specification addresses implementation of the plans, which are the focus of the requirement statements throughout the control
12.c 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-4
Requires coordination of contingency planning activities with incident handling activities
12.c 1 Updated: PCI cross reference
PCI DSS v2 12.9.1 PCI DSS v3 12.10.1 Control remapped in PCI DSS v3
12.c 2 Added: ISO cross references
ISO/IEC 27002-2013 A.17.1.2 Updated mapping for 2013 ISO release
12.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-1 Addresses education of staff
12.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-1
Requires protection of BC documentation, which could indicate vulnerabilities if disclosed inappropriately
12.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.DS-4
Requirements for the resumption of normal services addressed for alternate processing sites
12.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7 Requires plans be kept up-to-date
12.c 2 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-1
Addresses identification and agreement of all responsibilities and procedures
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework DE.AE-5
Requires conditions for activating the plans as well as escalation plans
126 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.
CSF Control
Control Level Summary of Changes* Authoritative Source Cross-
Reference(s) Remarks
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-5
Requires the framework to identify critical assets and resources needed
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Specifies plans shall have a specific owner
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.BE-5
Addresses procedures to move essential activities or support services to alternative temporary locations
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.AT-1 Addresses training requirements
12.d 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-1
Plans must specify the individuals responsible for executing each component of the plan
12.d 2
Removed: Each plan shall have a specific owner. Emergency procedures, … shall include defined responsibilities of the service providers.
Administrative change Requirements are a duplicate of language contained in level 1
12.d 2
Removed: Each business continuity plan shall describe the approach for continuity, ensuring … new requirements are identified, any existing emergency procedures (e.g. evacuation plans or fallback arrangements) shall be amended as appropriate.
Administrative change Requirements are a duplicate of language contained in level 1
12.d 2 Added: ISO cross references
ISO/IEC 27002-2013 A.17.1.2 Updated mapping for 2013 ISO release
127 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.
CSF Control
Control Level Summary of Changes* Authoritative Source Cross-
Reference(s) Remarks
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.AM-6
Requires team members to understand their roles and responsibilities
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework ID.GV-3
Requires updates due to changes in legislation
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-10 Specifically addresses testing
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-7
Addresses continuous improvement (continued effectiveness) of the business continuity plans
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework PR.IP-9 Testing is part of plan management
12.e 1
Added: The test schedule for business continuity plan(s) shall indicate how and when each element of the plan is tested. … The results of tests shall be recorded and actions taken to improve the plans, where necessary. Updates will also consider lessons learned from implementation of the business continuity plan(s). NIST cyber cross-reference
NIST Cybersecurity Framework RC.IM-1
Language added as this requirement is not explicitly addressed
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RC.IM-2
Requires plan updates to maintain or improve effectiveness
12.e 1 Added: NIST cyber cross-reference
NIST Cybersecurity Framework RS.CO-1
Requires team members to understand their roles and responsibilities (specific to business continuity / recovery)
128 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.
CSF Control
Control Level Summary of Changes* Authoritative Source Cross-
Reference(s) Remarks
12.e 2 Added: ISO cross references
ISO/IEC 27002-2013 A.17.1.3 Updated mapping for 2013 ISO release
All All
Replace: HITECH Act, Subpart D HIPAA § HITECH cross reference
Administrative change
All relevant CSF mappings not otherwise addressed in this Summary of Changes is updated to reflect incorporation of HITECH data breach notification requirements into the HIPAA Administrative Simplifications at Subpart D
All All
Updated: PCI DSS v23 PCI cross reference
Administrative change
All relevant CSF mappings not otherwise addressed in this Summary of Changes is updated to reflect new PCI-DSS release
129 This document is the PROPIETARY and CONFIDENTIAL Information of HITRUST, LLC. It may not be used, disclosed or reproduced, in whole or in part, without the express written permission of HITRUST, LLC.