[PCI DSS 1.x] 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a for

pcinetwork · March 18, 2007, 7:36am

12.1.2 Verify that the information security policy includes an annual risk assessment process that identifies threats, vulnerabilities, and results in a formal risk assessment

Trevor_Vaughan · October 16, 2007, 3:33pm

Hi,

What are the latest views on the RISK process for PCI, we are a small org of less than 50 and do not store cardholder data, what risk process should we be looking to develop.

Roger_Nebel · December 5, 2007, 3:50pm

For your organization it may be as simple as reviewing the state of your security posture against the SANS Top 20, reviewing your quarterly vulnerability scan results and your annual pen test results, and remediating any issues. You say you don’t store any data - how do you know that? Many times the data is stored in log files that no one knew about.

vincent · January 27, 2014, 8:45pm

In PCI-DSS v3.0, a formal risk assessment is to be done in particular for 10.6 (logs). Does it mean that all systems could require logs even if they are outside of the PCI scope?

MarkPhorm · February 5, 2014, 11:07am

PCI DSS 3.0 #10.6.2 just says that your company should review logs in a general manners, not just CDE critical systems logs.

It is a kind a general recommendation.

What is said about the risk assessment is : logs that should be reviewed and review frequency should be defined by the risk assessment. In other words :

Once a year, think with expert about which logs should be interesting to be sometime reviewed for security reasons…

Hope this clarify.