Get a big picture of your organization's IT security posture.
Requirement 12.2 in the PCI Data Security Standard calls for a process that results in a formal risk assessment. Conducting a PCI IT Risk Assessment is an ideal way to establish a complete picture of your organization’s overall security posture across administrative, physical, and technical safeguards. When conducted regularly (at least annually), an IT Risk Assessment can help to prevent breaches, reduce the impact of a breach if one occurs, and provide a clear roadmap to achieving compliance with PCI-DSS Risk Assessment Guidelines as well as any other relevant data security regulations and mandates. It is especially useful if your organization is subject to multiple compliance standards—such as the combination of PCI and HIPAA-HITECH.
The ControlScan PCI IT Risk Assessment process is tailored to your specific organization, environment and circumstances. The engagement begins with a senior consultant working closely with you and your team to identify and evaluate your most critical assets and functional areas. Each area or asset is assigned a criticality rating from low to high, which measures the impact that a malicious act, loss of data or damage to the area or asset would have on your organization's operations.
Next, each asset and area is individually assessed to identify threats and vulnerabilities that may affect the confidentiality, integrity or availability of that cataloged asset or area. During this phase, ControlScan also reviews your organization's documented processes and procedures using PCI risk assessment tools. Interviews, sampling and various technical tests are conducted to gauge the breadth and scope of IT vulnerabilities and threats. In-place controls, such as network security devices, separation of duties, access controls and password policies, are also assessed for adequacy and resiliency at this stage.
The final step in our IT Risk Assessment process analyzes the information gathered on threats and in-place controls to determine a composite risk level for each functional area. Areas of high risk may indicate that controls are not functioning properly, or that additional controls are needed to protect against identified threats. Areas of low risk may indicate that controls are functioning optimally, or that the assessed areas have limited impact on the organization's information security posture or business operations.
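As an added illustration, not ControlScan's own method or tooling, the following Python models the three steps above: a criticality rating per asset, threats weighed against the in-place controls, and a composite low/medium/high level per functional area. The ordinal scales, the 0 to 1 control-effectiveness measure, the rating thresholds and the inventory are all assumptions constructed for this example.

```python
from dataclasses import dataclass, field
LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale assumed for this example

@dataclass
class Threat:
    name: str
    likelihood: str               # low / medium / high
    affects: str                  # confidentiality / integrity / availability
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully effective); assumed measure

@dataclass
class Asset:
    name: str
    area: str                     # functional area the asset belongs to
    criticality: str              # impact of loss or damage on operations: low / medium / high
    threats: list = field(default_factory=list)

def residual_score(asset, threat):
    """Impact x likelihood (1..9), reduced by how well the in-place control works."""
    raw = LEVELS[asset.criticality] * LEVELS[threat.likelihood]
    return raw * (1.0 - threat.control_effectiveness)

def rating(score):
    """Map a residual score (0..9) to the level reported per functional area."""
    if score >= 4.5:
        return "high"
    return "medium" if score >= 2.0 else "low"

def composite_risk(assets):
    """Per functional area: the level of the worst residual risk among its assets."""
    worst = {}
    for asset in assets:
        for threat in asset.threats:
            score = residual_score(asset, threat)
            worst[asset.area] = max(score, worst.get(asset.area, 0.0))
    return {area: rating(score) for area, score in worst.items()}
def areas_needing_controls(assets):
    """High-risk areas: controls not working or additional controls needed."""
    return sorted(a for a, lvl in composite_risk(assets).items() if lvl == "high")

# Constructed sample inventory, not a real client environment.
SAMPLE = [
    Asset("cardholder database", "payment processing", "high", [
        Threat("web application attack reaching the database", "medium", "confidentiality", 0.2),
        Threat("storage failure", "medium", "availability", 0.9)]),
    Asset("POS terminals", "store operations", "high", [
        Threat("malware via removable media", "low", "integrity", 0.0)]),
    Asset("HR file share", "back office", "medium", [
        Threat("unauthorised internal access", "medium", "confidentiality", 0.6)]),
]
```

Running `composite_risk(SAMPLE)` rates payment processing high, store operations medium and back office low; `areas_needing_controls(SAMPLE)` lists the areas the report would flag for remediation.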
Get a roadmap to a more secure and compliant environment.
The findings, conclusions and recommendations from the PCI IT Risk Assessment engagement are documented in a formal report, and the senior consultant reviews them with you in detail. During the review, next steps can be defined and prioritized as needed to improve the organizational security posture and advance compliance efforts.
Experts generally agree that performing an annual PCI IT Risk Assessment is one of the most important steps to improving both security and compliance. An IT Risk Assessment isn’t just a good idea—it’s an explicit requirement in nearly every compliance framework including the PCI DSS (Requirement 12.2) and HIPAA (Security Rule 164.308).