Using the NIST CSF as the focus, map HIPAA, PCI, and one other regulatory requirement that includes elements of IR/DR/BC into the following table (remember the key word searching). In the Summary Comments section, comment on deficiencies based on your opinion in any of the frameworks for the corresponding CSF subcategory.

CSF Subcategory	HIPAA Requirement	PCI DSS Requirement	X Requirement (Your choice)	Summary Comments
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
PR.AC-2: Physical access to assets is managed and protected
PR.IP-4: Backups of information are conducted, maintained, and tested
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.IP-10: Response and recovery plans are tested
DE.CM-1: The network is monitored to detect potential cybersecurity events
RS.RP-1: Response plan is executed during or after an incident
RS.IM-1: Response plans incorporate lessons learned
RC.RP-1: Recovery plan is executed during or after a cybersecurity incident
RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as executive and management teams

Answer rating: 100% (QA)

CSF Subcategory IDAM1 Physical devices and systems within the organization are inventoried HIPAA Requirement There is no specific HIPAA requirement that requires organizations to inventory their physi... View the full answer