Define "Risk Assessment"

[clintwilson]

The term "Risk Assessment" is used 4 times, but remains undefined as a term in any CA/BF document. We should introduce a definition for this term, especially because of its role in CAs maintaining the security of their CA systems.

[RufusJWB]

In the ETSI world, there are the following statements:

https://www.etsi.org/deliver/etsi_en/319400_319499/319401/02.03.01_60/en_319401v020301p.pdf --> chapter 5 "Risk Assessment"

The TSP shall carry out a risk assessment to identify, analyse and evaluate trust service risks taking into account business and technical issues.

and

See ISO/IEC 27005:2011 [i.5] for guidance on information security risk management as part of an information security management system.

They could be the basis for a CA/B definition of a "Risk Assessment".

[CeloLtd]

Defining "Risk Assessment" is not a difficult task, but we have to make sure we address it from the CA/Browsers perspective, and that includes the definition of "Risk" as well. As a start point (and for reference) I would recommend the PCI DSS Risk Assessment Guidelines document, where this subject is covered thoroughly. "A risk assessment is a formal process used by organizations to identify threats and vulnerabilities that could negatively impact the security of_ ..." - https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

[barrini]

Move to the Definitions WG