Monday, July 24, 2023

2023 PCI DSSv4 to NIST 800-53r5

I ran across this again today working on an internal project for VMware. We are a team of like-minded professionals who enjoy quality work and sharing with the community to raise the bar for everyone.

What struck me when I reopened this workbook is remembering the many very, *very* long days. Mapping is an incomplete science, filled with subjective relationships. However, starting from scratch, using homegrown tools and my own reading through the controls, I remapped as accurately as I could the relationship between the PCI DSS and the body of controls established by NIST SP 800-53r5.

We have our own internal agendas and projects related to this work. However, the data here can help someone else struggling with the volume of frameworks and managing the complex relationships between all of them.

I stand by the mapping as 90% correct. I've learned through the years there are usually ways to improve the accuracy of subjective data. Please let me know if you find an error! Use as you see fit. Look for 2023 PCI DSSv4 to NIST 800-53r5 on davischr2/Cloud-Documents or Blog Downloads.

#pci #pcicompliance #nist #sp80053r5

Cross Posted on LinkedIn: PCI DSS to SP 800-53r5 | LinkedIn

Friday, July 21, 2023

NIST Privacy Framework Maturity Model

The NIST Privacy Framework (PF) is an interesting model for building and assessing a formalized privacy program. Sure - I agree - it's not as detailed as what can be found on ARMA, but its familiarity with the NIST Cybersecurity Framework (CSF) makes it approachable and easier to share with stakeholders.

This important distinction can help drive interest and stakeholder involvement.

The implementation of any model or checklist is only useful as a point-in-time assessment, and finding a way to extrapolate quantifiable growth is the key to successful implementation and gaining value from the effort.

And so - along those lines - please enjoy access to a free tool for measuring your privacy framework as it stands currently versus your desired state during the next periodic timetable you choose to set. 

It's unlocked. Use as you see fit: Blog Downloads or davischr2/Cloud-Documents.

Cross posted on LinkedIn: NIST Privacy Framework Maturity Model | LinkedIn

Friday, July 7, 2023

Interconnected Disciplines: Security | Compliance | Privacy | Audit | Information Governance

As the lifeblood of the modern enterprise, information is ceaselessly processed, transmitted, and stored by people, processes, and tools. Have you ever thought about the closely interrelated relationships between each organization that has a vested interest in that data?

A considerable part of the enterprise is dedicated to using - consuming - information. Meanwhile, there are others, behind the scenes, laboring to ensure the organization can utilize the information without any repercussions. The data must not only be protected but also be compliant, managed properly, and audited periodically.

Introducing: Security, Compliance, Privacy, Audit, and Information Governance organizations.

Each of these plays a distinctive role, yet they often operate in close concert.
  • Security is about fortifying the enterprise against threats and ensuring the confidentiality, integrity, and availability of its data. 
  • Compliance takes charge of ensuring the organization's adherence to relevant laws and regulations. 
  • Privacy manages personal data responsibly, safeguarding the rights and expectations of the individual. 
  • Audit plays a vital role in conducting systematic reviews of the company's records and operations to ensure transparency and adherence to established protocols.
  • Information Governance manages information at a strategic level, providing a framework that aligns data handling processes with the overarching goals of the enterprise.

Let's dive a little bit deeper into each one of these.

1. Security Organization:
The Security Organization is the pillar that safeguards the entire process of customers' credit card transactions. The organization employs advanced security protocols and measures, providing a secure environment for data transmission and storage. Without the Security Organization, all the other organizations would be susceptible to significant risks, as their functions entirely rely on the secure foundation built and maintained by the Security Organization.

2. Compliance Organization:
The Compliance Organization is the critical player in aligning operations with external regulations and internal policies. Without the Compliance Organization's thorough knowledge of laws and regulations such as PCI-DSS, and its tireless efforts to maintain compliance, the company could face substantial legal and financial penalties, reputational damage, and loss of customer trust. This fundamental role places the Compliance Organization at the core of the business's sustainability and success.

3. Privacy Organization:
In today's digital age, customer trust hinges heavily on how businesses handle their personal data. The Privacy Organization's role in ensuring that the use of customers' credit card information adheres to privacy laws is paramount. Without the Privacy Organization's diligent monitoring and management of personal data, the company risks severe legal ramifications and damage to its reputation. Their critical role in maintaining customer trust puts them at the heart of the organization's operations.

4. Audit Organization:
The Audit Organization, with its responsibility of conducting independent and rigorous reviews, ensures that transactions are being processed accurately and securely. They play an irreplaceable role in detecting irregularities, enhancing process efficiency, and ensuring that the company's financial statements are accurate. The insights they provide enable the company to maintain financial integrity and operational efficiency, making them indispensable to the organization.

5. Information Governance Organization:
The Information Governance Organization, as the policy maker for information management, is the driving force behind how credit card information should be handled, stored, and deleted. They shape the company's strategy on data usage, storage, and security. Without their directives, other organizations wouldn't have the guidelines they need to perform their roles effectively. They serve as the architect of the company's information management strategy. This team establishes the framework for how information is created, stored, used, archived, and deleted across the organization. They align all information-related processes and policies with the organization's overall strategy and goals, ensuring that data supports and advances business objectives.

Criticality of Working Together

Diverse information types necessitate the involvement of multiple organizational bodies. A large spectrum of information forms the backbone of our operations.

This reality underscores the need for an integrated, collaborative approach in dealing with the varied, yet interconnected, dimensions of information. It's crucial that we create a culture that emphasizes collaborative goals, where each team sees their unique responsibilities as components of the collective success. To that end, fostering cross-functional collaboration and implementing diverse team reviews can engender a richer understanding of each team's contributions and insights.

Open communication, underlined by active listening and mutual respect, forms the bedrock of this collaborative culture. The exchange of ideas, challenges, and insights can catalyze solutions that incorporate diverse perspectives and approaches. Establishing feedback mechanisms that value different perspectives further enhances your decision-making process and strengthens inter-team relations.

The information and the organizations that manage it are intricately intertwined, calling for a deliberate and proactive approach to collaboration and open dialogue. This approach is the key to leveraging our collective strength, ensuring the integrity of our operations, and driving our collective success.