The Art of PCI Compliance - Risk Assessment


The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive set of requirements for enhancing payment account data security. In other words, PCI DSS provides a set of tactics to protect the confidentiality and integrity of cardholder data. That is a good place to start, but it is only part of the picture: applying the requirements appropriately requires situational awareness and knowledge of the company's core values and strategy.

This series explores Sun Tzu's approach to assessing an army's readiness for battle, applied to compliance requirements in support of business strategies.

Assess the Risk

"Regulations are not designed to handle the kinds of threats, the kinds of vulnerabilities, and the kinds of problems that organizations are facing today," said Edward Schwartz, CSO of NetWitness. He recommends that risk be assessed in the context of the business processes that use the data being protected. Sun Tzu's five fundamental factors suggest a five-point risk assessment approach.

1) The Way - refers to the culture of an organization. A risk assessment must examine the impact of values and behavior on the overall security posture. The behaviors that management priorities incentivize must be considered; they often favor business expediency at the expense of security.

2) The Weather - refers to seasonal changes in organizational priorities. A risk assessment must take patterns of organizational behavior into account. This step in the process is facilitated by alliances with business stakeholders.

3) The Terrain - refers to the competitive and technological landscape both inside and outside the organization. Most security professionals are engaged to evaluate external threats; the internal landscape, however, presents greater issues, obstacles, and opportunities that we must be aware of. Organizations must understand the nature of the data stored, processed, and transmitted by their infrastructure. The scope of a PCI DSS assessment, for example, is determined by where cardholder data resides and flows within the network: any system that stores, processes, or transmits cardholder data, or that is connected to one that does, falls into scope.

4) The Leadership - refers to those who set the corporate goals and enable them through tactical and operational initiatives. We must assess what role those leaders will play in the PCI implementation and how they affect the overall risk posture. By understanding our end client, the business, we can architect a control strategy, and supporting tactics, that address risk while supporting management priorities.

5) The Discipline - refers to the enforcement of security policies and procedures. A risk assessment must consider the human factors that enable threats.
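The scoping point in item 3 is where a practitioner usually has to start: before the boundary of the cardholder data environment can be drawn, the cardholder data has to be found. The following is an added example, not code from the article or from ANX, of the discovery logic a scoping exercise relies on: it scans text for candidate primary account numbers (PANs), discards false positives with the Luhn check that all major card brands use, masks what it keeps, and reports which locations hold cardholder data and are therefore in scope. The location names and file contents are constructed sample input (the card numbers are the publicly known brand test numbers), not data from any real system.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run (which would be an ID or hash).
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit (ISO/IEC 7812-1); every major card brand uses it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six (issuer) and last four, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scope_assessment(locations: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each location (host:path) to the masked PANs found in it."""
    return {loc: [mask_pan(p) for p in find_pans(body)] for loc, body in locations.items()}


def in_scope(locations: Dict[str, str]) -> List[str]:
    """Locations holding cardholder data, i.e. inside the PCI DSS scope boundary."""
    return sorted(loc for loc, hits in scope_assessment(locations).items() if hits)


# Constructed sample input: hypothetical hosts and file contents. The card numbers
# are the public Visa, American Express and Mastercard test numbers.
SAMPLE_LOCATIONS = {
    "pos-terminal-01:/var/log/app.log": "2011-08-15 txn ok card=4111 1111 1111 1111 amount=42.00",
    "crm-db:customers.csv": "id,name,phone\n17,Jane Doe,555-0100\n",
    "fileshare:/exports/refunds.txt": "refund to 378282246310005 and 5555-5555-5555-4444\nbad: 4111111111111112",
    "hr-db:employees.csv": "badge,start\n1234567890123,2010-01-04\n",
}

if __name__ == "__main__":
    for loc, hits in scope_assessment(SAMPLE_LOCATIONS).items():
        print(f"{loc}: {hits or 'no cardholder data'}")
    print("in scope:", in_scope(SAMPLE_LOCATIONS))
```

Order numbers, phone numbers and employee IDs look like PANs to a regular expression; the Luhn check removes most of them (the HR badge number above is 13 digits but fails the checksum), and the deliberately corrupted number in the refunds file is dropped for the same reason. A scoping scan still needs human review: about one random digit string in ten passes Luhn, and PANs held encrypted, tokenized or in binary formats never match at all, so a clean scan is evidence, not proof, that a system is out of scope.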


About the Author:
To learn more about PCI DSS compliance and information security assessment, see the ANX website:
www.anx.com



Article Originally Published On: http://www.articlesnatch.com

