SANS Internet Storm Center

Risk Assessment Reloaded (thanks PCI ! )

Last month was Cyber-Security Awareness Month, and we had some fun presenting a different security standard each day.  One of the standards we discussed was the ISO 27005 standard for Risk Assessment.  So when the PCI Council released Risk Assessment Guidance this past week, it immediately caught my attention.

You can find the document here ==>

After taking a few days to read it, I'm impressed.  They didn't try to invent a new Risk Assessment framework; instead, they refer to and borrow from OCTAVE, ISO 27005 and NIST SP 800-30.

This approach has a couple of big advantages:

  • Everyone who is already doing Risk Assessment, and is basing their approach on one of the major methodologies, is already PCI compliant for Risk Assessment
  • If any of the "root" standards is updated, the PCI guidance for Risk Assessment doesn't need a corresponding update

That being said, the document is a good read - it's essentially a quick course in "mom and apple pie" Risk Assessment.  So for anyone who already has a program, it's a nice review on a Friday afternoon (yes, I did say that!).  But there are a boatload of large corporations who insist that they "mitigate" or "eliminate" risk, but don't actually have a written RA methodology or a formal RA program.  I'm hoping that with a PCI document on the table, this will have a positive impact on organizations in this situation.

Happy reading everyone!

Rob VandenBrink

ISC Handler
Nov 23rd 2012
