A month ago, the PCI SSC announced the three new SIGs which will be introduced at the beginning of 2012. The following SIGs were elected out of a shortlist of seven topics:
- eCommerce Security
- Risk Assessment
The one that I am most interested in participating in and seeing the results of is the Risk Assessment SIG.
Although "IT Risk Assessment" has been a term in use for decades, such assessments are still rarely performed, and when they are, they are almost always performed poorly, especially with regard to effectively considering threat.
Most times, especially within small to medium-sized businesses, the organization simply calculates risk based off the number and CVSS scores of the vulnerabilities associated with an application or system.
Certainly, this is a factor within the overall risk equation, but it is not the only thing to consider. It will be interesting to see whether this SIG guides organizations on how to perform an effective Risk Assessment and, further, whether PCI DSS controls can be chosen based off that assessment.
If the latter is true, it will be interesting to see whether the QSA can form an opinion as to the effectiveness of the Risk Assessment and the controls chosen. Basically, if the PCI SSC does adopt a more risk-based approach to assessments, it could have both adverse and positive side effects.
Positive side effects are obvious, as the company can choose controls based off their Risk Assessment. This will make compliance easier as well as less costly for the subject organization.
However, if the Risk Assessment is performed poorly and the organization has chosen its controls based on that poor assessment, this could definitely be an issue. This would be further complicated if the QSA doesn’t really have any say as to what an effective Risk Assessment should be.
These are the same problems that plague ISO 27001 certification. ISO 27001 mainly determines whether or not an organization’s ISMS is operating in a manner consistent with how they say it is running.
However, it doesn’t consider whether the way they say they are running it is actually the secure way to do so. This is one of the shortcomings of ISO 27001 certification.
In summary, I’m all for a risk-based approach to PCI if this is the direction the SSC and the member card brands decide to move in. It just needs to make sense, and the implementation of a risk-based approach must not actually lessen or weaken the security of an organization’s cardholder environment.