Jim Seaman

The Magnificent Seven: Implementing PCI DSS Using COBIT® 2019.


Since completing my last role, at the end of Nov 2019, I have been doing a great deal of research around various industry data privacy and security standards, and especially around PCI DSS, NIST CSF and COBIT 2019.

This has got me wondering:

Could ISACA's recently published guidance, 'Implementing the NIST Cybersecurity Framework Using COBIT 2019', be adapted to help businesses align PCI DSS more closely with their day-to-day operations?


Could it be used to support a 2-step approach to securing an organisation's payment card operations?

  1. Build a secure foundation: Apply the NIST CSF to the PCI DSS scope (the cardholder data environment and the systems connected to it).

  2. Apply the compliance layer: Apply the remaining PCI DSS requirements (those not already satisfied at the foundation layer) to meet the compliance obligations.


The PCI SSC has itself published a mapping between PCI DSS and the NIST CSF, recognising the overlap between the two. If that overlap is accepted, this could be a suitable approach for businesses that want to secure their payment card operations first, and only then set about 'ticking all the boxes' for PCI DSS compliance.

Traditionally, organisations have been directed towards the PCI SSC's Prioritised Approach, but is there a better way of achieving the same objective, with the strategy focused on securing the business operations first?

COBIT 2019 has been developed to help companies achieve a number of clearly defined objectives, and it does this through:

  1. Identifying stakeholder needs and high-level enterprise goals.

  2. Translating enterprise goals into specific governance and management objectives, and ultimately into prioritised alignment goals for I&T and the associated processes, practices and activities.

  3. Developing a tailored, nuanced understanding of I&T risk within specific business contexts.

  4. Applying customisable design factors that help enterprises identify, balance and integrate critical I&T initiatives for maximum business impact, while avoiding a disconnected checklist model of IT transformation that can lead to diffuse and/or piecemeal implementation.

  5. Discerning target capability levels for cybersecurity processes and assessing their achievement.

Additionally, the COBIT 2019 implementation approach is organised into the following seven phases, each framed as a question:

  1. What Are the Drivers?

  2. Where Are We Now?

  3. Where Do We Want to Be?

  4. What Needs to Be Done?

  5. How Do We Get There?

  6. Did We Get There?

  7. How Do We Keep the Momentum Going?

Mapping NIST CSF to PCI DSS v3.2.1 and COBIT 2019


If you are looking to embed your PCI DSS compliance into a single core cybersecurity framework that can be applied across your entire business, as part of your Data Privacy & Security strategy, I would recommend that you review ISACA's 'Magnificent Seven' implementation phases and assess whether you can adopt these recommended practices as part of your Business As Usual (BAU) operations.

If you have already achieved PCI DSS compliance but would like to strengthen your defences further and reduce your risks, why not review the potential of overlaying the NIST CSF outcomes on their equivalent PCI DSS controls? One caveat: the CSF subcategories describe outcomes rather than prescriptive controls, so they can guide how a control is designed and extended across the wider business, but each PCI DSS requirement still has to be met as written for the in-scope environment to pass assessment.


Securing your critical business systems and data has never been more important. However, the risks to your business are typically not limited to your payment card operations, so a foundation control layer that is applied consistently across the business protects your most valued operations, not just the cardholder data environment.

A lack of consistency between your in-scope and out-of-scope environments may give an attacker the opportunity to compromise a weaker out-of-scope system and pivot from it into your in-scope environment, or to intercept cardholder data in transit, for example by injecting a skimming script into a web page through a compromised third-party component, as the Magecart groups have done.

The net benefit of developing a foundation layer and applying it consistently across your business is that all your most valued assets are identified and afforded additional protection, and the chance of an attacker slipping between the gaps of your in-scope and out-of-scope environments is significantly reduced.


©2018 by IS Centurion.