Identifying Assets, Threats, and Vulnerabilities
Performing a Risk Assessment
Risk assessments are foundational to a robust information security program. There are industry-standard risk assessment methodologies such as OCTAVE, FMEA, or NIST SP 800-30 that you can utilize to set a baseline for your risk assessments. PCI Requirement 12.2 stipulates three requirements for a compliant risk assessment process:
- It’s performed at least annually or after any significant changes.
- It identifies critical assets, threats, and vulnerabilities.
- It results in a formal, documented analysis of risk.
How does this translate to your AWS environment? During your risk assessment, you need to evaluate the security and configurations of elements like S3 buckets, KMS, MFA, etc. AWS services such as Inspector, GuardDuty, Macie, Shield, and Security Hub can also support an automated risk assessment process.
Transcription
Everything we do in audit is about risk. PCI Requirement 12.2 is about a risk assessment. Risk assessments are not just sitting down and stipulating if things are good or bad. There is more to it than that. There are industry-accepted or common frameworks that you would use to perform your risk assessment. Things like NIST, ISO 27001, Failure Mode and Effects Analysis (FMEA), or even OCTAVE, which was developed by Carnegie. Once you have those, it gets a little more particular. PCI Requirement 12.2 actually says it needs to be performed annually, which is kind of a given, or upon any significant changes to your network. If you are putting it in AWS parlance, then moving it from one VPC to another may not do it, but moving one VPC into a Lambda set up could be considered a significant change.
Your risk assessment has to identify assets, threats, and the vulnerability to those threats. Sometimes this can get murky, but if you are looking at AWS, then you are looking at the security on your S3 buckets, key management, or multi-factor authentication. Those kinds of things have a significant impact on your overall risk profile for your AWS environment. While there may not be a specific tool in AWS, your risk assessment counts everywhere. Remember that when you are developing your risk assessment for PCI DSS, it needs to be based on a formal foundation and industry-recognized standard and it needs to cover risks, threats, and vulnerabilities relative to the asset within the system. All of this is relative to how we transport, process, secure, and store cardholder data.
Related Videos
A Typical Journey with Risk
Create an Assessment Together
Creating Unity Through Risk Assessment
Definitions for Risk Assessment Components
How Much Time Does An Assessment Take?
How Often Should We Assess Risk
Just start!
PCI Requirement 12.2 – Implement a Risk Assessment Process
Partner with a Risk Assessment Expert
Preparing for a Risk Assessment
Register for a Risk Assessment Workshop
Risk Assessment Obstacles
Risk Assessment Policy
Risk Assessment Requirements
SOC 2 Academy - How to Manage Risks
SOC 2 Academy - What Types of Risks Does Your Organization Face?
SOC 2 Academy: Assessing Changes Within Your Organization
SOC 2 Academy: Assessing the Significance of Risk
SOC 2 Academy: How Fraud Can Impact Risk
SOC 2 Academy: Risks from Business Partners
SOC 2 Academy: Using a Risk Assessment
SOC 2 Academy: Who Should Make Updates to Your Risk Assessment?
Should I Share Our Risk Assessment
Six Types of Risk
Tips for Getting Started with Risk Assessment
What Are The Steps to Risk Assessment
What Is the Process for Risk Assessment
What Risk Assessment Documentation is Necessary
What Should Be Included in Your Risk Assessment
Who Should Be Involved in the Assessment
Who is Involved in a Risk Assessment
