
How Does PCI DSS Affect Your CIS CSC v8 Implementation Value?

Updated: Jun 1, 2024

This support guide describes how your CIS CSC implementation value is altered by selecting PCI DSS certification for your specific profile.


Profile Builder - Selecting PCI DSS Certification

Within the X-Analytics Profile Builder, "Company Exposure" section, there is an option to select PCI DSS certification.



If this question is answered as Yes, then your profile will gain the implementation achievement provided from PCI DSS.


PCI DSS Achievement

Where applicable within your profile, PCI DSS certification provides a certain implementation achievement per each of the CIS CSC v8 controls. Please see below:

  1. Inventory and Control of Enterprise Assets = 40%

  2. Inventory and Control of Software Assets = 14%

  3. Data Protection = 64%

  4. Secure Configuration of Enterprise Assets and Software = 58%

  5. Account Management = 50%

  6. Access Control Management = 50%

  7. Continuous Vulnerability Management = 71%

  8. Audit Log Management = 58%

  9. Email and Web Browser Protections = 14%

  10. Malware Defenses = 57%

  11. Data Recovery = 40%

  12. Network Infrastructure Management = 38%

  13. Network Monitoring and Defense = 64%

  14. Security Awareness Training = 44%

  15. Service Provider Management = 0%

  16. Application Software Security = 57%

  17. Incident Response Management = 33%

  18. Penetration Testing = 60%


PCI DSS implementation achievement is only applied within the PoS Intrusion and Skimmers threat categories. Please see the table below for the server/apps asset group:

Please Notice: The total implementation value for each control is the average across the 10 threat categories; the total implementation value for each threat category is the average across the 18 CIS CSC controls; and the total implementation value for the asset group is the average of all cells in the table.

The above table exists for each asset group. This includes servers/apps, networking devices, end user systems, terminals, ICS/SCADA/OT, healthcare devices, onboard systems, critical IoT, non-critical IoT, offline media, and people.


CIS CSC Achievement without PCI DSS

After entering your implementation details for the CIS CSC v8 framework, your implementation values will be allocated across all applicable asset groups. Please see the table below for the server/apps asset group:

Please Notice: The value you specified for each CIS CSC v8 control is applied the same across all 10 threat categories.


CIS CSC Achievement with PCI DSS

After entering your implementation details for the CIS CSC v8 framework and specifying PCI DSS certification, your implementation values will be allocated across all applicable asset groups. However, where a control overlaps with PCI DSS, the maximum of the two values will be applied. Please see the table below for the server/apps asset group:

Please Notice: Within the PoS Intrusion and Skimmers columns, the implementation value is derived by taking the maximum of the PCI DSS achievement and the CIS CSC v8 input for that control.
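The blending and averaging rules above can be reproduced as a small calculation. The following is an added example, not X-Analytics code: it builds the per-asset-group table for one set of CIS CSC v8 inputs, applies the PCI DSS maximum only in the PoS Intrusion and Skimmers columns, and derives the control, threat-category and asset-group totals as described. It assumes every control is applicable to the asset group, and because the page names only two of the ten threat categories, the other eight carry placeholder names.

```python
"""Blend CIS CSC v8 implementation inputs with PCI DSS achievement.

Constructed example; not the X-Analytics implementation. Assumptions:
- all 18 controls apply to the asset group being modelled;
- percentages are plain numbers in the range 0..100;
- only "PoS Intrusion" and "Skimmers" are named on the page, so the
  remaining eight threat categories are placeholder names.
"""

# PCI DSS implementation achievement per CIS CSC v8 control (from the page).
PCI_DSS_ACHIEVEMENT = {
    1: 40, 2: 14, 3: 64, 4: 58, 5: 50, 6: 50, 7: 71, 8: 58, 9: 14,
    10: 57, 11: 40, 12: 38, 13: 64, 14: 44, 15: 0, 16: 57, 17: 33, 18: 60,
}

# Threat categories in which PCI DSS achievement is credited.
PCI_THREAT_CATEGORIES = ("PoS Intrusion", "Skimmers")

# Ten threat categories in total; eight names are placeholders (assumption).
THREAT_CATEGORIES = list(PCI_THREAT_CATEGORIES) + [
    f"Other Threat {i}" for i in range(1, 9)
]


def cell_value(control, category, cis_inputs, pci_certified):
    """Implementation value for one (control, threat category) cell.

    The CIS CSC input is used everywhere; in the PCI DSS columns the
    higher of the CIS CSC input and the PCI DSS achievement wins.
    """
    cis = cis_inputs[control]
    if pci_certified and category in PCI_THREAT_CATEGORIES:
        return max(cis, PCI_DSS_ACHIEVEMENT[control])
    return cis


def build_table(cis_inputs, pci_certified):
    """Rows are controls 1..18, columns are the ten threat categories."""
    return {
        control: {
            category: cell_value(control, category, cis_inputs, pci_certified)
            for category in THREAT_CATEGORIES
        }
        for control in sorted(PCI_DSS_ACHIEVEMENT)
    }


def control_totals(table):
    """Per-control value: average across the 10 threat categories."""
    return {c: sum(row.values()) / len(row) for c, row in table.items()}


def category_totals(table):
    """Per-threat-category value: average across the 18 controls."""
    return {
        category: sum(table[c][category] for c in table) / len(table)
        for category in THREAT_CATEGORIES
    }


def asset_group_total(table):
    """Asset-group value: average of every cell in the table."""
    cells = [v for row in table.values() for v in row.values()]
    return sum(cells) / len(cells)


def summarize(cis_inputs, pci_certified):
    """Return the full table and all three kinds of totals."""
    table = build_table(cis_inputs, pci_certified)
    return {
        "table": table,
        "controls": control_totals(table),
        "categories": category_totals(table),
        "asset_group": asset_group_total(table),
    }


if __name__ == "__main__":
    # Constructed input: the same 30% entered for every control.
    inputs = {c: 30 for c in PCI_DSS_ACHIEVEMENT}
    for certified in (False, True):
        result = summarize(inputs, certified)
        print(f"PCI DSS certified: {certified}")
        print(f"  control 3 total:      {result['controls'][3]:.1f}")
        print(f"  PoS Intrusion total:  {result['categories']['PoS Intrusion']:.1f}")
        print(f"  asset group total:    {result['asset_group']:.1f}")
```

With a uniform 30% input, control 3 (Data Protection, PCI DSS 64%) rises from 30 to 36.8 when certified, because only two of its ten cells take the 64; control 15 (Service Provider Management, PCI DSS 0%) is unchanged, and a control whose input already exceeds its PCI DSS value is unchanged too, matching the rule that certification only helps where its value is better than yours.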


In Summary

If you have PCI records and point of sale assets, then you may select that you are PCI DSS certified. If you are PCI DSS certified, then your profile will inherit the benefit of PCI DSS certification within the PoS Intrusion and Skimmers threat categories. In both threat categories, you will only inherit the benefit of PCI DSS certification if the PCI DSS certification value is better than your specific CIS CSC v8 control value.

If you have additional questions, please contact your Customer Success Team Member.
