Risk Assessment Reloaded (thanks PCI ! )
Last month was Cyber-Security Awareness Month, and we had some fun presenting a different security standard each day. One of the standards we discussed was the ISO 27005 standard for Risk Assessment ( https://isc.sans.edu/diary.html?storyid=14332 ). So when the PCI Council released Risk Assessment Guideance this past week, it immediately caught my attention.
You can find the document here ==> https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
After a few days to read it, I'm impressed. They didn't try to invent a new Risk Assessment framework, instead, they refer to and borrow from OCTAVE, ISO 27005 and NIST SP 800-30.
This approach has a couple of big advantages:
- Everyone who is already doing Risk Assessment, and is basing their approach on one of the major methodolgies, is already PCI compliant for Risk Assessment
- If any of the "root" standards is updated, the PCI guidance for Risk Assessment doesn't need a corresponding update
That being said, the document is a good read - it's essentially a quick course in "mom and apple pie" Risk Assessment. So for anyone who already has a program, it's a nice review on a Friday afternoon (yes, I did say that!). But there are a boatload of large corporations who insist that they "mitigate" or "eliminate" risk, but don't actually have a written RA methodology or a formal RA program. I'm hoping that with a PCI document on the table, this will have a positive impact on organizations in this situation.
Happy reading everyone!
===============
Rob VandenBrink
Metafore
Comments