Monday, May 2, 2016

NIST to PCI DSS 3.1 Raw Map

Raw map. Details will be provided later. We feel this draft is very close. It is currently undergoing review by another external QSA, and we have found just a few things to update.

Notation: the left column is the NIST SP 800-53 control identifier and name; the right column lists the PCI DSS 3.1 requirements it maps to. Plain numbers (e.g. 8.1.6) are requirements from the PCI DSS 3.1 body, "A-1.x" entries are from Appendix A (additional requirements for shared hosting providers), and "DE-x.y" entries are from the PCI DSS Designated Entities Supplemental Validation (DESV). The PC-01 through PC-08 rows are not NIST SP 800-53 controls; they were added to this map for PCI-specific requirements (cardholder data storage and key management in Requirement 3, common coding vulnerabilities in 6.5) that have no direct NIST counterpart.

CONTROL   CONTROL NAME   PCI DSS 3.1 REQUIREMENTS
AC-01 Access Control Policy And Procedures 1.1, 7.1, 7.1.4, 7.3, 8.4, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.5
AC-02 Account Management 1.1.5, 2.1, 6.3.1, 6.4.4, 7.1, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.3, 8.7, 8.1.4, 10.2, 10.2.5, 8.1.8, 8.5, 8.5.1, 8.6, 8.1.5, 10.6, 10.6.1
AC-03 Access Enforcement 7.1, 7.1.2, 7.2, 7.2.1, 7.2.2, 7.2.3, 8.1.5, 8.3, 10.4.2, 1.1.5
AC-04 Information Flow Enforcement 1.1.3, 1.1.4, 1.2, 1.2.1, 1.2.2, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
AC-05 Separation Of Duties 6.4.2
AC-06 Least Privilege 1.1.5, 7.1, 7.1.2, 7.1.4, 10.4.2, 7.1.1, 7.1.3, 10.2.2, 10.2.5
AC-07 Unsuccessful Login Attempts 8.1.6, 8.1.7
AC-11 Session Lock 8.1.8, 12.3.8
AC-12 Session Termination 8.1.8, 6.5.10, 12.3.8
AC-17 Remote Access 8.1.5, 12.3.8, 12.3.9, 12.3.10, 12.5.5, 2.3, 7.1, 7.1.1, 7.1.2, 7.1.3, 12.3
AC-18 Wireless Access 1.1.2, 2.1.1, 4.1.1, 12.3
AC-19 Access Control For Mobile Devices 4.2, 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
AC-20 Use Of External Information Systems 7.1.4, 12.8.2, 12.3, 4.2
AC-25 Reference Monitor 6.5.8
AT-01 Security Awareness And Training Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.6
AT-02 Security Awareness Training 12.6.1
AT-03 Role-Based Security Training 12.6.1, 6.5, 9.9.3, 9.10
AT-04 Security Training Records 12.6.2
AU-01 Audit And Accountability Policy And Procedures 10.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
AU-02 Audit Events 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, A-1.3
AU-03 Content Of Audit Records 10.1, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, A-1.3
AU-04 Audit Storage Capacity 10.7, 10.5.4
AU-05 Response To Audit Processing Failures DE-3.1, DE-3.3, DE-5.1
AU-06 Audit Review, Analysis, And Reporting 10.6.3, 12.10.1, 12.10.5, A-1.3, 10.6, 10.6.1, 10.6.2, 10.5.1, 10.5.2
AU-07 Audit Reduction And Report Generation 10.6
AU-08 Time Stamps 10.3.3, 10.4, 10.4.1, 10.4.3
AU-09 Protection Of Audit Information 10.5, 10.5.1, 10.5.2, 10.5.3
AU-11 Audit Record Retention 5.2, 10.7
AU-12 Audit Generation 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.1, 10.3, 10.3.6, 10.5.1
CA-01 Security Assessment And Authorization Policy And Procedures 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
CA-02 Security Assessments 6.3, 11.1, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2
CA-03 System Interconnections A-1.2, DE-2.2, DE-3.3, 1.2.1
CA-05 Plan Of Action And Milestones 6.2, 11.2, 11.3, DE-1.1, DE-3.2
CA-06 Security Authorization 6.4.5.2, 7.1.4, 12.3.1, 1.3.8, 3.5.1, 3.5.3, 6.4.5, 7.1
CA-07 Continuous Monitoring 11.2, 11.3, DE-1.2, DE-1.3, DE-3.3, 11.2.1, 11.2.2, 11.2.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-08 Penetration Testing 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
CA-09 Internal System Connections 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.6
CM-01 Configuration Management Policy And Procedures 1.1, 2.5, 6.7, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
CM-02 Baseline Configuration 1.1.2, 1.2.2, 2.2, 2.2.4, 1.1.7, 6.4.5.4
CM-03 Configuration Change Control 1.1.1, 6.4, 6.4.5, 6.4.5.2
CM-04 Security Impact Analysis 6.4.5, 6.4.5.1, 6.4.5.3, 6.6, DE-2.1, DE-2.2, DE-2.2.1, DE-2.3, DE-2.4, DE-2.5, DE-3.3, 6.4, 6.4.1
CM-05 Access Restrictions For Change 6.4.2, 7.1.2
CM-06 Configuration Settings 2.2, 2.2.3, 2.2.4, 8.7
CM-07 Least Functionality 2.2.1, 2.2.2, 2.2.5, 6.6, 1.1.6
CM-08 Information System Component Inventory 2.4, 9.9.1, 11.1.1
CM-09 Configuration Management Plan 2.2
CP-01 Contingency Planning Policy And Procedures 12.10.1, 12.10.6
CP-02 Contingency Plan 12.10.1, 12.10.3, 12.10.6, 12.3.3
CP-03 Contingency Training 12.10.4
CP-04 Contingency Plan Testing 12.10.4
CP-09 Information System Backup 9.5.1, 12.10.1
CP-10 Information System Recovery And Reconstitution 6.4.5.4
IA-01 Identification And Authentication Policy And Procedures 8.1, 8.2, 8.8, 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.4
IA-02 Identification And Authentication (Organizational Users) 8.1.1, 8.2, 8.3
IA-03 Device Identification And Authentication 9.1.2
IA-04 Identifier Management 8.1.1, 8.1.2, 12.5.4, 7.1.4, 12.3.10, 8.5.1
IA-05 Authenticator Management 2.1, 2.1.1, 2.2, 6.4.4, 8.2.1, 8.2.2, 8.4, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 4.1, 6.3.1
IA-06 Authenticator Feedback 6.5.5
IA-08 Identification And Authentication (Non-Organizational Users) 8.5.1
IR-01 Incident Response Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1, 12.5.3
IR-02 Incident Response Training 12.10.4
IR-03 Incident Response Testing 12.10.2
IR-04 Incident Handling 11.1.2, 12.10.4, 12.10.6
IR-05 Incident Monitoring 12.10.6
IR-06 Incident Reporting 12.10.1
IR-07 Incident Response Assistance 12.5.3
IR-08 Incident Response Plan 12.10, 12.10.1, 12.10.3, A-1.4
MA-01 System Maintenance Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MA-02 Controlled Maintenance 1.1.1, 6.5.4, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4, DE-2.2.1, DE-3.3
MA-04 Nonlocal Maintenance 8.1.5, 8.3, 8.5.1, 12.3.8, 12.3.9
MA-05 Maintenance Personnel 12.8.3
MP-01 Media Protection Policy And Procedures 9.6, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
MP-02 Media Access 9.7
MP-03 Media Marking 9.6.1
MP-04 Media Storage 9.5, 9.6.3, 9.7, 9.7.1
MP-05 Media Transport 9.6.2
MP-06 Media Sanitization 9.8, 9.8.1, 9.8.2
MP-07 Media Use 12.3, 12.3.5
PC-01 Limit Cardholder Data Storage 3.1
PC-02 Sensitive Authentication Data 3.2, 3.2.1, 3.2.2, 3.2.3
PC-03 Displayed Primary Account Number 3.3
PC-04 Stored Primary Account Number 3.4, 3.4.1
PC-05 Cryptographic Key Protection 3.5, 3.5.1, 3.5.2, 3.5.3
PC-06 Cryptographic Key Management Processes 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
PC-07 Stored Cardholder Data Protection Policies 3.7
PC-08 Remove Common Coding Vulnerabilities 6.5, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10
PE-01 Physical And Environmental Protection Policy And Procedures 9.10, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PE-02 Physical Access Authorizations 9.2, 9.3, 9.4, 9.4.1, 9.4.2, 9.4.3
PE-03 Physical Access Control 9.1, 9.1.1, 9.1.2, 9.1.3, 9.2, 9.9, 9.9.2
PE-04 Access Control For Transmission Medium 9.1.2, 9.1.3
PE-05 Access Control For Output Devices 12.3, 9.5, 12.3.3, 12.3.4
PE-06 Monitoring Physical Access 9.1.1
PE-08 Visitor Access Records 9.4.4
PL-01 Security Planning Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PM-01 Information Security Program Plan 12.1, 12.1.1, 12.5
PM-02 Senior Information Security Officer 12.5
PM-04 Plan Of Action And Milestones Process DE-3.2
PM-05 Information System Inventory 2.4, 9.9.1, 11.1.1
PM-08 Critical Infrastructure Plan 12.2, 12.3
PM-09 Risk Management Strategy 12.2
PM-10 Security Authorization Process 12.3.1
PM-11 Mission/Business Process Definition 12.2
PM-13 Information Security Workforce DE-1.3, DE-3.3
PM-14 Testing, Training, And Monitoring 12.10.4
PM-15 Contacts With Security Groups And Associations 12.5.2, 6.1
PS-01 Personnel Security Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
PS-02 Position Risk Designation 7.1
PS-03 Personnel Screening 12.7
PS-04 Personnel Termination 9.3
PS-06 Access Agreements 12.3.5
RA-01 Risk Assessment Policy And Procedures 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 11.6, 12.1, 12.1.1, 12.2, 12.3, 12.4, 12.5.1
RA-02 Security Categorization 3.1, DE-2.5, DE-2.5.1
RA-03 Risk Assessment 6.1, 6.3.2, 6.5.6, 6.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4, 12.2, DE-2.2
RA-05 Vulnerability Scanning 6.3.2, 11.2, 11.2.1, 11.2.2, 11.2.3
SA-01 System And Services Acquisition Policy And Procedures 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SA-04 Acquisition Process 6.3
SA-09 External Information System Services 2.6, 8.5.1, 12.8, 12.8.2, 12.8.5, A-1, A-1.2, 12.8.3, 12.8.4, 12.8.1, 12.9
SA-10 Developer Configuration Management 6.3.2, 6.4, 6.4.5, 6.4.5.1, 6.4.5.2, 6.4.5.3, 6.4.5.4
SA-11 Developer Security Testing And Evaluation 6.3, 6.3.2, 6.5.3
SA-15 Development Process, Standards, And Tools 6.4.3
SA-18 Tamper Resistance And Detection 9.9, 9.9.2
SC-01 System And Communications Protection Policy And Procedures 1.5, 3.7, 4.3, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SC-02 Application Partitioning 8.7
SC-07 Boundary Protection 1.1.4, 1.2.3, 1.3.4, 6.6, 1.2, 1.1.2, 1.2.1, 1.3.1, 1.3.2, 1.3.3, 1.4, A-1.1
SC-08 Transmission Confidentiality And Integrity 4.1, 4.1.1, 6.5.4
SC-10 Network Disconnect 8.1.8, 12.3.8
SC-12 Cryptographic Key Establishment And Management 3.5, 3.5.1, 3.5.2, 3.5.3, 3.6, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8
SC-13 Cryptographic Protection 3.5, 3.6, 4.1, 4.2, 4.3
SC-28 Protection Of Information At Rest 3.4, 3.7, 6.5.3
SC-39 Process Isolation A-1.1
SC-43 Usage Restrictions 12.3, 12.3.1, 12.3.2, 12.3.3, 12.3.4, 12.3.5, 12.3.6, 12.3.7
SI-01 System And Information Integrity Policy And Procedures 5.4, 12.1, 12.1.1, 12.3, 12.4, 12.5.1
SI-02 Flaw Remediation 6.1, 6.2, 6.5.6, 11.2, 11.2.1, 11.2.2, 11.2.3, 11.3.3
SI-03 Malicious Code Protection 5.1, 5.1.1, 5.1.2, 5.2, 5.3, 6.6, 11.4, DE-5.1
SI-04 Information System Monitoring 6.6, 11.4, DE-5.1, 5.2, 12.10.5, 11.1, 10.6, 10.6.1, 10.6.2
SI-05 Security Alerts, Advisories, And Directives 12.5.2
SI-07 Software, Firmware, And Information Integrity 10.5.5, 11.5, 11.5.1, 10.5, 12.10.5
SI-10 Information Input Validation 6.5.1, 6.5.2, 6.5.7, 6.5.9
SI-11 Error Handling 6.5.5
SI-12 Information Handling And Retention 3.1
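A raw map like the one above is most useful once it can be queried in the other direction (which NIST controls does a given PCI requirement land on?) and checked for gaps. The following is an added example, not code from the original post or its authors: it parses rows in the page's own "ID Name req, req, ..." layout, builds the inverse PCI-to-NIST index, flags rows whose family prefix is not a NIST SP 800-53 family (the PC-xx entries), and reports requirements that no control cites. The sample rows embedded in it are a constructed subset copied from the table; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a few rows copied from the raw map above, chosen to cover
# both list styles the page uses (", " separated and the comma-only PC-xx rows),
# a control name containing commas, and all three requirement-id shapes
# (plain body requirement, Appendix A "A-1.x", DESV "DE-x.y").
SAMPLE_ROWS = """\
AC-07 Unsuccessful Login Attempts 8.1.6, 8.1.7
AU-05 Response To Audit Processing Failures DE-3.1, DE-3.3, DE-5.1
IA-06 Authenticator Feedback 6.5.5
PC-02 Sensitive Authentication Data 3.2,3.2.1,3.2.2,3.2.3
PM-14 Testing, Training, And Monitoring 12.10.4
SC-39 Process Isolation A-1.1
SI-11 Error Handling 6.5.5
"""

# NIST SP 800-53 Rev. 4 control families; any other prefix (e.g. PC) is a custom row.
NIST_FAMILIES = {"AC", "AT", "AU", "CA", "CM", "CP", "IA", "IR", "MA", "MP",
                 "PE", "PL", "PM", "PS", "RA", "SA", "SC", "SI"}
CONTROL_ID = re.compile(r"^[A-Z]{2}-\d{2}$")
# PCI DSS 3.1 requirement ids: body (8.1.6), Appendix A (A-1.1), DESV (DE-3.1).
REQ_ID = re.compile(r"^(?:A-|DE-)?\d+(?:\.\d+)*$")


def parse_rows(text):
    """Parse 'ID Name req, req, ...' rows into {control_id: (name, [requirement ids])}."""
    mapping = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not CONTROL_ID.match(tokens[0]):
            continue  # header, blank line or prose: skip
        # The name ends at the first token whose leading comma-piece is a requirement
        # id, so commas inside names ("Testing, Training, ...") are left alone.
        split_at = next((i for i, tok in enumerate(tokens[1:], 1)
                         if REQ_ID.match(tok.split(",")[0])), len(tokens))
        name = " ".join(tokens[1:split_at])
        # Re-join the tail and split on commas so "8.1.6, 8.1.7" and "3.2,3.2.1" parse alike.
        reqs = [r for r in ",".join(tokens[split_at:]).split(",") if r]
        bad = [r for r in reqs if not REQ_ID.match(r)]
        if bad:
            raise ValueError(f"{tokens[0]}: malformed requirement id(s) {bad}")
        mapping[tokens[0]] = (name, reqs)
    return mapping


def invert(mapping):
    """Reverse lookup: {pci_requirement: sorted list of control ids citing it}."""
    inv = defaultdict(set)
    for cid, (_, reqs) in mapping.items():
        for r in reqs:
            inv[r].add(cid)
    return {r: sorted(cids) for r, cids in inv.items()}


def non_nist_controls(mapping):
    """Control ids whose family prefix is not a NIST SP 800-53 family."""
    return sorted(c for c in mapping if c.split("-")[0] not in NIST_FAMILIES)


def requirement_source(req):
    """Which PCI DSS 3.1 document a requirement id belongs to."""
    if req.startswith("DE-"):
        return "DESV"        # Designated Entities Supplemental Validation
    if req.startswith("A-"):
        return "Appendix A"  # additional requirements for shared hosting providers
    return "PCI DSS 3.1"


def unmapped(mapping, required):
    """Requirements from `required` that no control in the map cites."""
    covered = invert(mapping)
    return [r for r in required if r not in covered]


if __name__ == "__main__":
    m = parse_rows(SAMPLE_ROWS)
    for req, ctrls in sorted(invert(m).items()):
        print(f"{req:8} {requirement_source(req):12} <- {', '.join(ctrls)}")
    print("custom (non-NIST) rows:", non_nist_controls(m))
    print("not covered by any control:", unmapped(m, ["8.1.6", "8.1.7", "12.3"]))
```

To use it against the full map, paste the table rows into `parse_rows` in place of the sample; `unmapped` with the complete PCI DSS 3.1 requirement list is the quickest way to spot requirements the draft does not yet reach.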