PCI Compliance on AWS: PCI Requirement 12.2
Performing a Risk Assessment
Risk assessments are foundational to a robust information security program. There are industry-standard risk assessment methodologies such as OCTAVE, FMEA, or NIST SP 800-30 that you can utilize to set a baseline for your risk assessments. PCI Requirement 12.2 stipulates three requirements for a compliant risk assessment process:
- It’s performed at least annually or after any significant changes.
- It identifies critical assets, threats, and vulnerabilities.
- It results in a formal, documented analysis of risk.
How does this translate to your AWS environment? During your risk assessment, you need to evaluate the security and configurations of elements like S3 buckets, KMS, MFA, etc. AWS services such as Inspector, GuardDuty, Macie, Shield, and Security Hub can also support an automated risk assessment process.
Everything we do in audit is about risk. PCI Requirement 12.2 is about a risk assessment. Risk assessments are not just sitting down and stipulating if things are good or bad. There is more to it than that. There are industry-accepted or common frameworks that you would use to perform your risk assessment. Things like NIST, ISO 27001, Failure Mode and Effects Analysis (FMEA), or even OCTAVE, which was developed by Carnegie. Once you have those, it gets a little more particular. PCI Requirement 12.2 actually says it needs to be performed annually, which is kind of a given, or upon any significant changes to your network. If you are putting it in AWS parlance, then moving it from one VPC to another may not do it, but moving one VPC into a Lambda set up could be considered a significant change.
Your risk assessment has to identify assets, threats, and the vulnerability to those threats. Sometimes this can get murky, but if you are looking at AWS, then you are looking at the security on your S3 buckets, key management, or multi-factor authentication. Those kinds of things have a significant impact on your overall risk profile for your AWS environment. While there may not be a specific tool in AWS, your risk assessment counts everywhere. Remember that when you are developing your risk assessment for PCI DSS, it needs to be based on a formal foundation and industry-recognized standard and it needs to cover risks, threats, and vulnerabilities relative to the asset within the system. All of this is relative to how we transport, process, secure, and store cardholder data.
New resources coming soon!