Discussion and Analysis of Cyber Assessment Framework (CAF) and its Mapping on PCI-DSS

(originally written for the University of Liverpool)

The UK's Cyber Assessment Framework (CAF) provides a structured method for managing cyber risks in essential functions. Developed by the National Cyber Security Centre (NCSC), CAF is designed for organisations to assess and enhance their cybersecurity practices. This analysis focuses on CAF principles and compares them with the Payment Card Industry Data Security Standard (PCI-DSS), particularly in the areas of identity and access control, data security, and system security.

Identity and Access Control

CAF’s principle on Identity and Access Control (Principle B2) emphasises the importance of regularly reviewing access rights, particularly for privileged users. However, it lacks detailed prescriptive guidance, such as password complexity rules or multi-factor authentication (MFA), which are increasingly essential in addressing modern threats (NIST, 2020).

Conversely, PCI-DSS mandates stringent identity and access control measures under Requirement 8, including the implementation of MFA for accessing system components that handle cardholder data. While PCI-DSS’s approach ensures consistency, it may impose a significant operational burden on SME organisations (Uddin et al., 2020).

Data Security

CAF’s principle concerning Data Security (Principle B3) requires protection against unauthorised access and alteration, offering flexibility in how this is achieved. This flexibility can lead to varied interpretations and inconsistent security measures. PCI-DSS, in contrast, is highly prescriptive, mandating specific encryption standards and data masking for the protection of cardholder data, ensuring uniform standards across organisations.

However, a significant weakness shared by both CAF and PCI-DSS is their snapshot-based approach, which assesses security at specific points in time rather than continuously. This can lead to an unpredictable security posture between audits. ISO 27001, by contrast, offers a process-based approach that focuses on continuous improvement and monitoring, providing a more dynamic and adaptive method for managing security risks.

System Security

CAF’s principle on System Security (Principle B4) requires organisations to protect critical systems from cyber threats, but its flexibility may lead to inconsistent application of security controls. PCI-DSS is more rigid, demanding specific controls such as maintaining secure network architecture and annual security testing. While this prescriptive approach provides clear guidance, it may lack the adaptability required for different sectors.

Both frameworks also face challenges in addressing emerging threats, such as those posed by AI. The PCI Security Standards Council (2024b) highlights potential risks AI poses, including automated attacks and the misuse of AI in fraud detection. Neither CAF nor PCI-DSS currently provides comprehensive guidance on mitigating AI-specific risks, leaving organisations vulnerable to these evolving threats.

Conclusion

Integrating the principles of CAF with the prescriptive controls of PCI-DSS could offer a balanced approach to cybersecurity, combining adaptability with consistent security standards. However, the snapshot-based nature of both frameworks, coupled with emerging AI threats, suggests that additional measures, such as adopting process-based approaches like ISO 27001 and the CHERI trustworthiness principles (Neumann, 2018), may be necessary to ensure a robust and dynamic security posture. Additionally, aligning with regulations like the Network and Information Systems Regulations 2018 and the Data Protection Act 2018 will support the implementation of these frameworks in the UK context.


References

International Organization for Standardization (2022) ISO/IEC 27001 - Information security management. Available at: https://www.iso.org/standard/27001 (Accessed: 17 August 2024).

MITRE (2024) MITRE ATT&CK Framework. Available at: https://attack.mitre.org/.

NCSC (2024) Cyber Assessment Framework V3.2. London: NCSC.

Neumann, P.G. (2018) 'Fundamental Trustworthiness Principles in CHERI', in Shrobe, H., Smith, D. and Feigenbaum, J. (eds.) New Solutions for Cybersecurity. Cambridge, MA: MIT Press, pp. 201-231. Available at: https://ebookcentral.proquest.com/lib/liverpool/detail.action?docID=5240456 (Accessed: 17 August 2024).

NIST (2020) NIST Special Publication 800-63B: Digital Identity Guidelines. Washington, DC: NIST.

PCI Security Standards Council (2024a) Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures Version 4.0.1. Wakefield, MA: PCI SSC.

PCI Security Standards Council (2024b) AI and Payments: Exploring Pitfalls and Potential Security Risks. Available at: https://blog.pcisecuritystandards.org/ai-and-payments-exploring-pitfalls-and-potential-security-risks (Accessed: 17 August 2024).

Uddin, M.H., Ali, M.H. and Hassan, M.K. (2020) 'Cybersecurity hazards and financial system vulnerability', Risk Management, 22(1), pp. 239-309.

UK Government (2018) The Network and Information Systems Regulations 2018. London: The Stationery Office.

UK Parliament (2018) Data Protection Act 2018. London: The Stationery Office.
