PCI-DSS and requirement of Risk Assessment have a very close relationship. In effect PCI-DSS has specified the requirement for an annual risk assessment as per the control 12.2 and has mentioned the requirement under guidance for requirement 10.6.2 and Testing Procedures for requirement 11.5.
PCI-DSS requirement 12.2 establishes the requirement for implementing a risk assessment process that:
- Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
- Identifies critical assets, threats and vulnerabilities, and
- Results in formal risk assessment
Guidance to PCI-DSS requirement 10.6.2 – Logs for all other system components should also be periodically reviewed to identify indications of potential issues or attempts to gain access to sensitive systems via less-sensitive systems. The frequency of the reviews should be determined by an entity’s annual risk assessment.
Testing Procedures for 11.5 – Additional critical files determined by entity (for example, through risk assessment or other means).
When we analyze the requirement 12.2, it has though established the need to conduct annual risk assessment per set standards including NIST 800-53 and others, but it has not covered the overall efficiency led requirement for a risk assessment. The requirement as cited above states setting up a process that results in a formal risk assessment by the way of identifying the critical assets, threats and vulnerabilities, but shies out to specify the continuous monitoring of Threats as well as Risk Spectrum.
In the current scenario, if an organization has to pass a PCI audit, it would be easy to lay down the risk assessment process, conduct the risk assessment and then publish the risk assessment report. But in the real world, is that all that an organization would need to fend off the hackers? Certainly not!!
So what is needed for the organizations to step up to and for the PCI-DSS as a standard to emphasize? The answer is to extend the requirement 12.2 from a being a risk assessment requirement to a risk management program requirement. This would put emphasis on the requirement to cover the full circle from the time Threat and Risks are identified to the point that those are remediated / accepted.
PCI standards council should also look at introducing Risk based approach to select the Compensating Controls by the organizations. The completed ROC should be modified to include the outcome of Risk Management snapshot covering the reasons to not implement given control and selection of the Compensating control instead.
In the prioritized approach also, PCI Standards Council should assert highest priority to Risk Management.
On part of the organization impacted with the change in the requirements around Risk Assessment and Management, the focus should be on the composite Risk Management activities that they conduct at the organizational / enterprise level. The organizations need to understand that the silo approach to compliance never benefits their functioning, rather just increases the cost of managing compliances. If they would integrate the Risk Assessment as required by various standard and compliances, they would be able to harbor a better compliance assertion against each one of them with minimal set of controls and maximum cover.