You know the story; if your systems/applications store transmit or process credit card data, you must meet PCI data security standards.
Since Q4 2010 all PCI shops are aware that their Cardholder Data Environments need a risk ranking procedure.
But, What is it and how does it change current practices?
PCI DSS Requirement 6.2 says "Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities"
And a new recommendation may certainly effect how you manage risk…
This recommendation (which will be a requirement by June 30, 2012) can be classified as Risk Management 101, and yet it may change several cornerstones of your processes.
Here is what 6.2.a is asking for:
1- Check your processes for identifying new security vulnerabilities (make sure you have one)
2- Assign risk ranking to identified vulnerabilities
6.2.b Continues with the recommendation that you use and outside source for this risk ranking process.
This translates into a solid scoring system for risk. Enterprise options to collect data for a scoring system are:
1- Vendor Security Alerts
2- Vulnerability Management Advisories (Usually security scanner, and IDS/IPS shops)
3- Vulnerability Intelligence Advisories (e.g. Secunia, iDefense, Deepsight)
4- Internal risk scoring systems (yes we all love academic endeavors - that is why PCI SSC asks for "outside" source : )
Either way (using one of the options, using some/all of them) PCI recommendation 6.2 will push risk management practices in the right direction and make risk prioritization a priority...Eventually PCI shops will (6/30/2012) integrate risk management with vulnerability scanning devices, security alerts, advisories and patch management solutions to audit and validate PCI 6.2 with risk rankings.
Here are a few good links:
Common Vulnerability Scoring System (CVSS-SIG) - http://www.first.org/cvss/
Common Vulnerabilities and Exposures -CVE - http://cve.mitre.org/
National Vulnerability Database - NVD - http://nvd.nist.gov/
Secunia - http://secunia.com/advisories/
Verisign iDefense - http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/index.xhtml
TippingPoint Zero Day Initiative ZDI - http://www.zerodayinitiative.com/advisories/upcoming/
Symanted DeepSight Alert Services - https://tms.symantec.com/
Cisco Security IntelliShield Alert Manager Service -http://www.cisco.com/en/US/products/ps6834/serv_group_home.html
IBM ISS XForce - http://www-935.ibm.com/services/us/iss/xforce/
McAfee Threat Intelligence Services (MTIS) - http://www.mcafee.com/us/mcafee-labs/technology/threat-intelligence-services.aspx
Bugtraq -http://seclists.org/bugtraq/
Full Disclosure - http://seclists.org/fulldisclosure/
p.s. I have written this article for RSA Conference