NIST Cybersecurity framework
The United States depends on the reliable functioning of the Nation's critical infrastructure. To reduce the inherent risks, President Barack Obama issued an executive order, Improving Critical Infrastructure Cybersecurity. The order, dated February 2013, directs the National Institute of Standards and Technology (NIST) to lead the development of a Cybersecurity Framework intended to provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risks. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. In January 2017, NIST released an updated version of this framework.
The NIST Cybersecurity Framework includes a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. It identifies cross-industry standards and technology-neutral best practices.
Adoption of this framework by owners and operators of critical infrastructure and any other interested entities is voluntary. There is no compliance or regulatory obligation associated with it.
The Cybersecurity Framework 1.1 and PCI DSS 3.2
I endeavoured to compare the Cybersecurity Framework against PCI DSS 3.2. The picture below provides the overall outcome of this gap analysis for each category of the Cybersecurity Framework. For detailed insights, please review the attached spreadsheet, which provides the matching requirements as well as an indication of the level of matching for each function, category and sub-category of the Cybersecurity Framework.
cybersecurity_v1.1_vs_pci_dss_3.2.xlsx
What next? Community review
The outcome of this analysis is based on my own experience of PCI and the Cybersecurity Framework. It is now subject to community review. Any objection or suggestion? Please comment on this blog.