Last month was Cyber-Security Awareness Month, and we had some fun presenting a different security standard each day.  One of the standards we discussed was the ISO 27005 standard for Risk Assessment ( https://isc.sans.edu/diary.html?storyid=14332 ).  So when the PCI Council released Risk Assessment Guideance this past week, it immediately caught my attention.

You can find the document here ==> https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

After a few days to read it, I'm impressed.  They didn't try to invent a new Risk Assessment framework, instead, they refer to and borrow from OCTAVE, ISO 27005 and NIST SP 800-30.

This approach has a couple of big advantages:

• Everyone who is already doing Risk Assessment, and is basing their approach on one of the major methodolgies, is already PCI compliant for Risk Assessment
• If any of the "root" standards is updated, the PCI guidance for Risk Assessment doesn't need a corresponding update

That being said, the document is a good read - it's essentially a quick course in "mom and apple pie" Risk Assessment.  So for anyone who already has a program, it's a nice review on a Friday afternoon (yes, I did say that!).  But there are a boatload of large corporations who insist that they "mitigate" or "eliminate" risk, but don't actually have a written RA methodology or a formal RA program.  I'm hoping that with a PCI document on the table, this will have a positive impact on organizations in this situation.

Happy reading everyone!

===============
Rob VandenBrink
Metafore