
Risk Assessment and Mitigation Tool PCI-DSS-FORM-12-4

Assessment Details

Risk Assessment Title: [Short, descriptive title]
Risk Assessment Scope: [Describe the scope of the risk assessment, e.g. location, process, assets]
Context of Business Impact Analysis: [Describe the general environment in which the analysis is carried out and the internal and external factors affecting it]
Risk Acceptance Criteria: [Set out the factors which will make a risk acceptable and therefore not require mitigation]
Version: [Start at Version 1]
Dated: [Date the assessment was carried out]
Risk Assessors: [Name and title of person(s) carrying out the risk assessment]
Risk Assessment Participants: [Names and titles of people contributing to the risk assessment]
Approval: [Name and title of approver]
Date Approved: [Date the assessment was approved]


Cardholder Data Environment Risk Assessment Workbook

Start with the risks that are felt to have the highest likelihood and impact combination first. The workbook provides rows Ref 1 to 20; each row records the following columns, grouped under three headings (note – not all columns are shown):

RISK DESCRIPTION
  Ref
  Cardholder Data Environment Asset
  Vulnerability
  Threat
  Risk Description
  Risk Owner

PRE-MITIGATION
  Existing controls
  Likelihood (Select… from the Likelihood table)
  Likelihood rationale
  Impact (Select… from the Impact table)
  Impact rationale
  Risk score (Calculated)
  Risk level (Calculated)

MITIGATION
  Mitigation option (Select…)
  Proposed control
  Cost
  Chosen


Examples of Threats

The following is a standard list of typical threats that may be used as guidance for your risk assessment, grouped by threat category, with an example of each threat.

Human
  Malicious outsider: Someone launches a denial of service attack on your cloud service platform
  Malicious insider: An employee or trusted third party accesses cardholder data in an unauthorised manner from inside your network
  Loss of key personnel: One or more people with key skills or knowledge are unavailable, perhaps due to extended sickness
  Human error: An employee accidentally deletes cardholder data
  Accidental loss: A manager loses a memory stick with cardholder data on it

Natural
  Fire: Your data centre burns down due to an electrical fault
  Flood: The nearby river breaks its banks and your main office is severely flooded
  Severe weather: No-one can get into the office due to the weather
  Earthquake: The area of your main data centre is affected by an earth tremor that damages all your servers
  Lightning: All your servers are fried by a lightning strike on the data centre building

Technical
  Hardware failure: A key physical server has a processor failure
  Software failure: Your financial system processes invoices incorrectly due to a bug
  Virus/Malicious code: A virus spreads throughout your network, preventing access to your (and your customers') data

Physical
  Sabotage: A disgruntled ex-employee takes an axe to your server room
  Theft: You come in on Monday morning to find some important drives have been stolen
  Arson: Someone with a grudge against your organisation starts a fire during the night

Environmental
  Hazardous waste: A lorry carrying hazardous waste has an accident outside your office
  Power failure: The sub-station supplying your area has a meltdown
  Gas supply failure: There is a suspected leak and all supplies are turned off

Operational
  Process error: Your new data transfer procedure doesn't cater for unexpected circumstances and cardholder data is lost or sent to the wrong destination
  Crime scene: A crime happens in or near your office and the area is sealed off by police


Likelihood

This table should be used to decide upon the most appropriate likelihood for a particular threat.

1 Improbable: Has never happened before and there is no reason to think it is any more likely now
2 Unlikely: There is a possibility that it could happen, but it probably won't
3 Likely: On balance, the risk is more likely to happen than not
4 Very Likely: It would be a surprise if the risk did not occur, either based on past frequency or current circumstances
5 Almost certain: Either already happens regularly or there is some reason to believe it is virtually imminent


Impact

This table should be used as guidance to help to decide upon the correct impact rating for a particular threat. For each impact rating and general description, the impact areas considered are: impact on product or service quality, impact on financial viability, impact on staff or public well-being, damage to reputation, impact of breaching legal or regulatory requirements, and environmental damage.

1 Negligible
  Product or service quality: No effect
  Financial viability: Very little or none
  Staff or public well-being: Negligible
  Reputation: No adverse comment
  Legal or regulatory: No implications
  Environmental damage: Within acceptable limits

2 Slight
  Product or service quality: Some local disturbance to normal business operations
  Financial viability: Some
  Staff or public well-being: Very small additional risk
  Reputation: Localised discontent
  Legal or regulatory: Small risk of not meeting compliance
  Environmental damage: Small, very local impact that can be managed and corrected

3 Moderate
  Product or service quality: Can still deliver product/service with some difficulty
  Financial viability: Unwelcome but could be borne
  Staff or public well-being: Elevated risk requiring immediate attention
  Reputation: Some internal and external criticism
  Legal or regulatory: In definite danger of operating illegally
  Environmental damage: Impact restricted geographically and can be corrected quickly

4 High
  Product or service quality: Business is crippled in key areas
  Financial viability: Severe effect on income and/or profit
  Staff or public well-being: Significant danger to life
  Reputation: A severe test of customer loyalty
  Legal or regulatory: Operating illegally in some areas
  Environmental damage: Geographically wide impact area with a degree of cleanup possible over time

5 Very High
  Product or service quality: Out of business; no service to customers
  Financial viability: Crippling; the organisation will go out of business
  Staff or public well-being: Real or strong potential loss of life
  Reputation: Trust in organization is irreparably damaged
  Legal or regulatory: Severe fines and possible imprisonment of staff
  Environmental damage: Catastrophic impact affecting the environment badly over a wide area


Classification of Risk Level

The chart below shows the rating scheme used to determine risk level based on a combination of likelihood and impact.

[Chart: Risk Score matrix. Vertical axis: Risk Likelihood (1 to 5). Horizontal axis: Risk Impact (1 to 5). Cells are classified LOW (towards the lowest likelihood and impact), MEDIUM, or HIGH (towards the highest likelihood and impact).]
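As an added worked example (it is not part of the CertiKit template), the following Python models the workbook columns and the scoring scheme described above: each row carries the 1 to 5 likelihood and impact ratings from the two tables, the score and level are calculated rather than typed in, the register is ordered highest likelihood/impact combination first as the workbook instructs, and a residual (post-mitigation) rating shows which risks still breach the acceptance criteria. Three things are assumptions rather than statements from the page: that the risk score is likelihood multiplied by impact (the workbook only says "Calculated"), that the LOW/MEDIUM/HIGH bands end at scores of 4 and 12 (the chart shows three bands but the page does not give the boundaries), and that the acceptance criterion can be reduced to a maximum tolerated score. The sample rows are constructed and use threats from the examples list.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Scales taken from the Likelihood and Impact tables in the template.
LIKELIHOOD = {1: "Improbable", 2: "Unlikely", 3: "Likely",
              4: "Very Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Slight", 3: "Moderate",
          4: "High", 5: "Very High"}

# ASSUMED band boundaries on the 1-25 score. The template's chart shows
# LOW, MEDIUM and HIGH regions but does not state the exact cut-offs.
LOW_MAX = 4
MEDIUM_MAX = 12


def risk_score(likelihood: int, impact: int) -> int:
    """likelihood x impact (assumed formula; the workbook just says 'Calculated')."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be 1-5, got {likelihood!r}, {impact!r}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score onto the LOW / MEDIUM / HIGH bands (assumed cut-offs)."""
    if score <= LOW_MAX:
        return "LOW"
    if score <= MEDIUM_MAX:
        return "MEDIUM"
    return "HIGH"


@dataclass
class Risk:
    """One workbook row: pre-mitigation ratings plus the chosen control."""
    ref: int
    asset: str            # Cardholder Data Environment Asset
    threat: str
    vulnerability: str
    owner: str
    likelihood: int
    impact: int
    mitigation: str = ""  # proposed control, if one has been chosen
    post_likelihood: Optional[int] = None  # re-rated after mitigation
    post_impact: Optional[int] = None

    @property
    def pre_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def post_score(self) -> int:
        """Residual score; with no re-rated mitigation the risk is unchanged."""
        if self.post_likelihood is None or self.post_impact is None:
            return self.pre_score
        return risk_score(self.post_likelihood, self.post_impact)


@dataclass
class RiskRegister:
    """Register whose acceptance criterion is simplified (an assumption) to
    a maximum tolerated score; anything above it needs a mitigation."""
    accept_max: int
    risks: List[Risk] = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        if any(r.ref == risk.ref for r in self.risks):
            raise ValueError(f"duplicate ref {risk.ref}")
        self.risks.append(risk)

    def prioritised(self) -> List[Risk]:
        """Highest likelihood/impact combination first, as the workbook asks."""
        return sorted(self.risks, key=lambda r: (r.pre_score, r.impact),
                      reverse=True)

    def needing_mitigation(self) -> List[int]:
        return [r.ref for r in self.prioritised() if r.pre_score > self.accept_max]

    def unresolved(self) -> List[int]:
        """Refs whose residual score still breaches the acceptance criterion."""
        return [r.ref for r in self.prioritised() if r.post_score > self.accept_max]


def build_sample_register() -> RiskRegister:
    """Constructed rows (illustrative data, not from the template) that use
    threats from the examples list above."""
    reg = RiskRegister(accept_max=LOW_MAX)
    reg.add(Risk(1, "Payment web service", "Malicious outsider",
                 "No volumetric DDoS protection", "Head of IT", 3, 4,
                 "Upstream DDoS scrubbing", 2, 4))
    reg.add(Risk(2, "Backup media", "Accidental loss",
                 "Unencrypted removable media", "Operations Manager", 2, 5,
                 "Encrypt media; no cardholder data on USB", 2, 2))
    reg.add(Risk(3, "Cardholder database", "Malicious insider",
                 "Shared DBA account, no query logging", "DBA Lead", 4, 5,
                 "Named accounts, MFA, query logging", 2, 5))
    reg.add(Risk(4, "Head office", "Crime scene",
                 "Single site for finance staff", "Facilities", 1, 2))
    return reg
```

With these rows, `build_sample_register().prioritised()` returns refs 3, 1, 2, 4 (scores 20, 12, 10, 2); refs 3, 1 and 2 exceed the assumed acceptance score and need a mitigation; after the re-rating, ref 2 falls to 4 and is accepted while refs 3 and 1 remain unresolved at 10 and 8. Rejecting ratings outside 1 to 5 in `risk_score` is deliberate: a score computed from an empty "Select…" cell would silently sort the risk to the bottom of the register.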

Profile for CertiKit Limited
