What is a Risk Assessment?
Most information security frameworks require a formally documented, annual risk assessment, and the PCI DSS is no different. PCI Requirement 12.2 focuses on risk assessments. We recommend that you implement a risk assessment process that is based off an industry best practices, but PCI Requirement 12.2 states that you should implement a risk assessment process that includes the following characteristics:
- Performed annually or after significant changes
- Identifies critical assets, threats, and vulnerabilities
- Results in a formal, documented analysis of risk
A risk assessment is a methodology used to identify, assess, and prioritize organizational risk. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are. Risk assessments evaluate the likelihood and impact of those threats actually happening, and give you an opportunity to evaluate your current security controls to determine if what you’re doing will be an effective defense mechanism against a malicious attack. We recommend that you implement a risk assessment process that includes:
- Conducting a risk assessment survey
- Identifying risks
- Assessing risk importance and likelihood
- Creating a risk management action plan
- Implementing your risk management plan
Performing risk assessments annually allows your organization to establish a proactive security measure. This measure will keep you up-to-date with evolving threats.
PCI Requirement 12.2 talks about having a risk assessment program and that this risk assessment program documents all of the risk within your environment. This is one requirement that most organizations truly struggle with. What I would recommend is that, even if you think you are doing this well, take an opportunity to look at some of the NIST documentation. There are a lot of industry best practices out there around developing a risk management program. In fact, you are required to base yours off of an industry best practice. Understand that the output of this particular activity is a laundry list of things that might impact your environment from a negative perspective. The result of this is for you to risk rank those things and apply resources where you need to in order to reduce those risk levels down to an acceptable level. Your assessor should be asking you for your results of your risk program and all of your policies, procedures, and documentation subject to your risk assessment program.