Organizations need to create a risk assessment methodology that works for their specific business environment, according to a new report by the Payment Card Industry Security Standards Council (PCI SSC).
PCI Risk Assessment Special Interest Group
The report, PCI DSS Risk Assessment Guidelines Information Supplement (PDF), was created by the PCI Risk Assessment Special Interest Group and released Nov. 16. The PCI SSC said more than 60 organizations representing banks, merchants, security assessors and technology vendors joined together to produce the guide, which is intended to help organizations understand how to identify, analyze and document the risks that may affect their Cardholder Data Environment (CDE).
A risk assessment team of individuals knowledgeable about the PCI Data Security Standard (PCI DSS) requirements is needed for companies to conduct a thorough risk assessment effectively. From there, a company-specific methodology can be developed, according to the new recommendations.
"When developing their own risk assessment methodology, organizations may consider adapting an industry-standard methodology that is most appropriate for their particular culture and business climate, to ensure their particular risk objectives are met," the report read.
Typical components of a methodology include risk assessment, which entails context establishment, asset identification, threat identification and vulnerability identification; risk profiling, consisting of risk inventory, identification of existing controls and risk evaluation; and risk treatment and acceptance, consisting of measuring and prioritizing risks, risk treatment and mitigation, residual risks and risk acceptance.
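The three stages listed above (assessment, profiling, treatment and acceptance) can be modelled as a small risk register. The following is an added example, not code from the PCI SSC report or the article; the 1-to-5 likelihood and impact scales, the multiplicative scoring, the way a control subtracts from those scales and the acceptance threshold are all constructed assumptions chosen to make the flow concrete, not a scoring scheme the guide prescribes. The sample assets, threats and controls are likewise constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed scoring scheme (assumption, not from the PCI SSC guide):
# likelihood and impact are rated 1 (lowest) to 5 (highest); inherent
# risk = likelihood * impact; each existing control lowers one or both
# ratings; residual risk is recomputed from the lowered ratings.

ACCEPTANCE_THRESHOLD = 6  # constructed: residual score at or below this may be accepted


@dataclass
class Asset:
    name: str
    in_cde: bool  # stores, processes or transmits cardholder data


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # points subtracted from likelihood
    impact_reduction: int = 0      # points subtracted from impact


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)
    treatment: str = "untreated"

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Existing controls reduce the ratings, but never below 1.
        lik = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        imp = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest residual risk first; on ties, CDE assets before non-CDE ones."""
    return sorted(risks, key=lambda r: (-r.residual_score(), not r.asset.in_cde, r.threat))


def decide_treatment(risk: Risk) -> str:
    """Accept residual risk under the threshold, otherwise flag it for mitigation."""
    risk.treatment = "accept" if risk.residual_score() <= ACCEPTANCE_THRESHOLD else "mitigate"
    return risk.treatment


def build_register(risks: list[Risk]) -> list[dict]:
    """Rows for the risk report: asset, threat, vulnerability, scores, controls, treatment."""
    rows = []
    for r in prioritize(risks):
        decide_treatment(r)
        rows.append({
            "asset": r.asset.name,
            "in_cde": r.asset.in_cde,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "controls": [c.name for c in r.controls],
            "treatment": r.treatment,
        })
    return rows


def sample_register() -> list[dict]:
    """Constructed sample inventory used to exercise the register end to end."""
    gateway = Asset("payment gateway", in_cde=True)
    marketing = Asset("marketing site", in_cde=False)
    patching = Control("patch management", likelihood_reduction=2)
    mfa = Control("admin MFA", likelihood_reduction=2)
    risks = [
        Risk(gateway, "external attacker", "unpatched web server", 4, 5, [patching]),
        Risk(marketing, "defacement", "weak admin password", 3, 2, [mfa]),
        Risk(gateway, "insider misuse", "excessive database privileges", 2, 5),
    ]
    return build_register(risks)


if __name__ == "__main__":
    for row in sample_register():
        print(f"{row['residual']:>3} {row['treatment']:<9} {row['asset']:<17} "
              f"{row['threat']} via {row['vulnerability']}")
```

The register output is the skeleton of the report the guide describes: every row carries the asset, threat and vulnerability from the assessment stage, the existing controls and scores from the profiling stage, and the accept-or-mitigate decision from the treatment stage. Replacing the constructed scales and threshold with the organization's own is exactly the adaptation step the guide asks for.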
Companies that outsource business processes, obtain services, or have business relationships with third-party merchants, service providers, or other entities need to consider the impact these relationships could have on the security of cardholder data.
"Third parties represent three major areas to consider for risk management: they may introduce risk, they may share risk, or they may manage risk," according to the report.
Third parties that companies should think about when considering shared risk include application developers, data-center providers, web-hosting providers and contractors.
After a risk assessment, there should be a report about the identified risks, particularly those that affect the cardholder data environment (CDE).
"The objective of the report would be to clearly articulate the various risks that concern the organization and may also explain the actions taken by the organization to remediate these risks," the report read.
Topics the report may cover include the scope of the risk assessment, asset inventory, threats, vulnerabilities, risk evaluation, risk treatment, a version history and an executive summary.
According to the PCI guide, the critical success factors for a proper risk assessment are identification, a proactive approach, keeping it simple, and training.
Founded in 2006, the PCI SSC is an open global forum that develops, manages, educates, and raises awareness for the PCI DSS and other standards that increase payment data security.