Risk, Risk Assessments and PCI DSS
We all know what risk is. It’s like stepping outside of the house in the morning, looking up at the sky, working out whether or not you think it’s going to rain and then working out whether or not it’s going to rain enough to warrant taking an umbrella, full waterproofs or avoiding the rain altogether and staying at home.
Risk is simple. Being able to take calculated risks might burn up a few more neurons, and applying our innate risk assessment ability to business should in theory be easy too, right?
According to a recent presentation by a well known acquiring bank and QSA, risk is a hugely complex thing that only scientists understand, but rest assured, you can buy their cloud-based risk management software that takes away this complexity and buries intricate risk assessment algorithms beneath a nice shiny GUI.
What was that algorithm again? Let me check…
Risk = Probability x Impact
Hopefully you don’t need the backing of a Cambridge Research Laboratory to help you get that.
As you all might expect, with the fast forwarding of Risk Assessment to Milestone 1 of PCI DSS, vendors are jumping on the bandwagon and forcing GRC products down our throats, without any real understanding of our unique risk environments.
You can never expect to have a mature risk management framework from the go. They all need a starting point, and if you’re going through PCI DSS for the first time, then QSAs are not expecting you to have a highly developed, mature framework in order to tick the box.
I quite liked the ICO’s own internal approach, there’s a Risk Management Policy and Procedure section in their vast array of policy documents:
Which takes an easy to understand approach, uses 5 categories of probability, 5 categories of impact and a resulting 5×5 traffic light matrix that hopefully even your CEO would understand.
..and it’s exactly that. Working out risks and articulating them in a manner that everyone can understand, preferably a risk register on a sheet of A4 paper that board members can read in between rounds of golf or over champagne and canapes, or whatever you think they get up to.
If things are starting to look complex, people are falling asleep or things just don’t look right, then things are going wrong.
Keep risk management simple.