*This section is adapted from the PCI DSS books.
The PCI DSS standard states it that it "comprises a minimum set of requirements for protecting account data" and implies that it may not be sufficient to ensure security. This claim is the reason for requirement 12.2 to implement a risk assessment process to ensure that all risks are identified, assessed and addressed. The standard provides examples of risk-assessment methodologies:
- OCTAVE: a methodology developed by the Software Engineering Institute (SEI) at Carnegie Mellon University (CMU)
- ISO/IEC 27005: a part of the ISO/IEC 27000 set of standards (including ISO/IEC 27002) that covers Information security risk management
- NIST SP 800-30: The Guide for Conducting Risk Assessments by the National Institute of Standards and Technology (NIST) aligns well with the other NIST 800 publications.
Still, any methodology that covers the following requirements should be adequate:
- Identifies critical assets, threats, and vulnerabilities (basically threat modeling)
- Results in a formal, documented analysis of risk
- Section 3.5.2 of Volume 3
- OCTAVE - Cyber Risk and Resilience Management
- ISO/IEC 27005 - Information security risk management
- Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments