Nov 19 2012

PCI view of Risk Assessment

Category: pci dss,Security Risk AssessmentDISC @ 11:02 pm
Information Security Wordle: PCI DSS v1.2 (try #2)

 

Organizations that need to comply with PCI-DSS need to create their own risk assessment methodology that works for their specific business needs, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).

PCI Risk Assessment Special Interest Group says When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate.

 
Key recommendations include:
 
• A continuous risk assessment process enables ongoing discovery of emerging threats and vulnerabilities, allowing an organization to mitigate such threats and vulnerabilities in a proactive and timely manner
 
• Risk assessments must not be used as a means of avoiding or bypassing applicable PCI DSS requirements (or related compensating controls)
 
• Organizations should implement a formalized risk assessment methodology that best suits the culture and requirements of the organization

PCI view of things: 

The announcement
https://www.pcisecuritystandards.org/pdfs/pr_121116_risk_sig.pdf

And the V1 document (also attached)
https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

Below is my post on Risk management from prespective of ISO 27001 which has an Expert guidance on planning and implementing a risk assessment and protecting your business information

Information Security Risk Management for ISO 27001

Tags: International Organization for Standardization, ISO/IEC 27001, Methodology, Payment card industry, Payment Card Industry Data Security Standard, Risk Assessment, Risk management