Last month was Cyber-Security Awareness Month, and we had some fun presenting a different security standard each day. One of the standards we discussed was the ISO 27005 standard for Risk Assessment (https://isc.sans.edu/diary.html?storyid=14332). So when the PCI Council released Risk Assessment Guidance this past week, it immediately caught my attention. You can find the document here ==> https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf After a few days to read it, I'm impressed. They didn't try to invent a new Risk Assessment framework; instead, they refer to and borrow from OCTAVE, ISO 27005 and NIST SP 800-30. This approach has a couple of big advantages:
That being said, the document is a good read - it's essentially a quick course in "mom and apple pie" Risk Assessment. So for anyone who already has a program, it's a nice review on a Friday afternoon (yes, I did say that!). But there are a boatload of large corporations who insist that they "mitigate" or "eliminate" risk, but don't actually have a written RA methodology or a formal RA program. I'm hoping that with a PCI document on the table, this will have a positive impact on organizations in this situation. Happy reading everyone!
Rob VandenBrink, ISC Handler, Nov 23rd 2012