Incident Response for PCI DSS and FFIEC Cybersecurity Assessments

Click here to listen to this article via the BreachRx Blogcast

Incident response is a crucial aspect of cybersecurity and is essential in ensuring the protection of customers’ and organizations’ personal and sensitive information. The Payment Card Industry Data Security Standard (PCI DSS) and Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool are two commonly used frameworks that financial organizations and their suppliers are assessed by and can use to manage their cybersecurity risk.

Both PCI DSS and the FFIEC Assessment Tool are essential tools organizations can use when looking to ensure they’ve implemented best-in-class cybersecurity incident response programs. While both frameworks cover incident response, they differ in their scope, level of detail, and approach. Organizations can use these frameworks to assess their cybersecurity posture, identify areas for improvement, and enhance their incident response capabilities, as well as demonstrate their posture to assessors, regulators, and their customers.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was created by the major credit card companies, including Visa, Mastercard, and American Express, to ensure the security of sensitive cardholder information. The standard includes 12 requirements that organizations must follow to maintain the security of cardholder data, with requirements ranging from the installation of basic network defenses to the protection of cardholder data during its transmission and storage. Compliance is verified through assessments performed by a qualified security assessor (QSA) or an internal security assessor (ISA). 

Section 12.10 of the PCI DSS deals specifically with incident response requirements, which organizations must follow to be compliant with the standard. These requirements are designed to ensure that organizations have the necessary procedures and processes in place to respond to security incidents, minimize the impact of these incidents, and restore normal operations as quickly as possible.

There are several key requirements in section 12.10 of the PCI DSS that organizations must follow for incident response. These include having an incident response plan in place, regularly testing the incident response plan to ensure its effectiveness, and maintaining a log of all security incidents. Organizations must also have procedures in place for identifying, containing, and eradicating security incidents, as well as procedures for preserving evidence for investigation purposes. In addition, organizations must have procedures in place for reporting security incidents to relevant authorities and stakeholders, as well as procedures for communicating with affected parties.

QSA and ISA assessments include a review of the organization’s systems and processes to ensure that the PCI DSS requirements are met. An assessor will perform an on-site assessment and an in-depth review of the organization’s security controls and processes, including network infrastructure and its defenses, access controls, data protection mechanisms to include encryption practices, and incident response procedures. The assessor will also review documentation and conduct vulnerability scans to identify any security weaknesses.

If the organization passes the assessment, they will receive a Report on Compliance (ROC) that attests to their compliance with the PCI DSS. The ROC is typically submitted annually to the acquiring bank or payment card brand. Organizations that fail the assessment will be given a list of remediation steps to address any deficiencies and will be required to re-assess their compliance once the deficiencies have been corrected.

By following these requirements, organizations can ensure the security of payment card data, minimize the risk of breaches, and restore normal operations as quickly as possible in the event of a security incident.

What are FFIEC Cybersecurity Assessments?

On the other hand, the FFIEC Cybersecurity Assessment Tool was developed by the Federal Financial Institutions Examination Council to assist financial institutions in evaluating their cybersecurity risks via a consistent framework, and for regulatory agencies to assess the overall cybersecurity posture of the financial sector. The tool includes a comprehensive set of questions and best practices to assess an organization’s cybersecurity posture and covers a wide range of topics, including network security, incident response, and cyber threat intelligence.

The Cybersecurity Assessment has five levels of maturity:

1. Baseline: compliance-driven objectives that meet minimum expectations along with management having reviewed and evaluated the guidance in place.
2. Evolving: formalized and documented procedures and policies beyond the minimum requirements, along with risk-driven objectives that cover not just customer data but also systems and assets.
3. Intermediate: detailed, formal processes and consistent controls that are validated, coupled with risk-management practices that are “integrated into business strategies.”
4. Advanced: integrated cybersecurity and risk-management practices and automation across the organization’s lines of business, with continuous improvement as a key element of the program. 
5. Innovative: innovation across all facets of people, processes, and technology for managing cyber risks, including developing new approaches via controls, tools,  information-sharing initiatives, and even predictive analyses.

The Assessment Tool is used by the regulatory agencies in the United States, such as by the Department of Treasury’s Office of the Comptroller of the Currency (OCC), to assess the cybersecurity risk management practices of financial institutions. The assessment level is verified through a self-assessment process, where the financial institution provides answers to a series of questions based on their cybersecurity practices and policies. The answers are then evaluated by the regulatory agency to determine the organization’s maturity level and identify any areas for improvement. The regulatory agency may also conduct on-site examinations or request additional information to validate the self-assessment results. 

One of the key components of the FFIEC Assessment Tool is section D5: Cyber Incident Management and Resilience. This section covers the requirements for incident response and cyber resilience, including the processes and procedures that financial institutions must have in place to respond to cyber incidents.

There are several key requirements included that financial institutions must follow for incident response. These include having an incident response plan in place, regularly testing the incident response plan to ensure its effectiveness, and having procedures in place for identifying and reporting cyber incidents. Financial institutions must also have processes in place for containing and mitigating the impact of cyber incidents, as well as procedures for eradicating the cause of the incident. Additionally, financial institutions must have procedures in place for preserving evidence for investigation purposes and for communicating with relevant stakeholders, including law enforcement and regulatory authorities.

The assessment also requires financial institutions to put processes in place for maintaining critical operations and services in the event of a cyber incident. This includes having redundancy and backup systems in place, as well as procedures for ensuring the availability of critical data and systems. Additionally, organizations must have processes in place for ensuring the security of critical data and systems during recovery, including procedures for restoring data and systems after a cyber incident.

By following these requirements, financial institutions can maintain the security and availability of their critical systems and data, minimize the risk of breaches and the impacts from future incidents, and restore normal operations as quickly as possible in the event a cyber incident occurs.

How can PCI DSS and the FFIEC Cybersecurity Assessment tool improve your incident response?

Both the PCI DSS and the FFIEC Assessment Tool have incident response as a critical component. Both require organizations to have effective incident response procedures in place, including planning, incident response management, testing, and incident notification and incident reporting processes. One of the key differences between the two frameworks is the scope of their coverage. The PCI DSS is primarily focused on the security of payment card data, while the FFIEC Assessment Tool covers a wider range of topics, including network security, information security, and cybersecurity risk management.

Another difference between the two frameworks is the level of detail they provide: the PCI DSS provides specific requirements and guidelines for securing payment card data, while the FFIEC Assessment Tool provides a comprehensive set of best practices that organizations can follow to improve their cybersecurity posture. The FFIEC Assessment Tool also includes a set of questions that organizations can use to assess their own current cybersecurity posture and identify areas for improvement, as opposed to being focused on external assessments like those of PCI DSS.

Both frameworks drive common best practices when it comes to incident response, including:

1. Identifying incidents: Organizations should have processes in place for identifying and reporting incidents, including cyber attacks, data exposure, and lost devices, from both employees and external parties.
2. Assessing Impact: Organizations should proactively analyze the potential impact of each incident, including the impact on business operations, finances, customers, and relevant regulations and directives.
3. Developing tailored action plans: Organizations should have response plans in place that are specific to the types of incidents and their potential impacts, tailored to their geography and industry, including specific tasks, timelines, and communication procedures.
4. Containing and eradicating incidents: Organizations should have procedures in place for containing and eradicating incidents, as well as preserving evidence for investigation purposes.
5. Maintaining an incident log and record: Organizations should maintain a log of the events during all incidents, including their identification, assessment, response, and resolution, ideally in a central system of record.
6. Communicating with relevant stakeholders: Organizations should have procedures in place for communicating with relevant stakeholders, including cyber insurers, law enforcement and regulatory authorities, as well as affected parties.
7. Regular testing and updating plans: Organizations should regularly test and update their incident response plan to ensure its effectiveness, including conducting tabletop exercises and simulated attacks.

Companies cannot claim to take a comprehensive approach without being proactive. Teams should look across the organization’s main stakeholders, including its suppliers, partners, insurers, and regulators, as well as its customers, to develop a set of action plans tailored to the specific types of incidents the organization will likely encounter. Technology is key to accomplishing this task, and companies with modern programs leverage automation to be more efficient and more rapidly fulfill their outside assessors’ and regulators’ higher standards. 

By complying with the full requirements of the PCI DSS and the FFIEC Cybersecurity Assessment Tool, organizations can use these frameworks to assess their incident response capabilities and improve their cybersecurity posture, ensuring they will be able to handle disruptive events, including cyber attacks of all kinds, and minimize their impact.