SISA's Webinar on New Guidelines from PCI Council on Risk Assessment
Excellent response to SISA's webinar on the "New Risk Assessment Guidelines issued by the PCI Council". Yet another delivery by Dharshan Shanthamurthy showcasing outstanding depth of subject matter knowledge.
SISA Training Calendar : http://www.sisainfosec.com/site/page/17/48

Presentation Transcript

  • SISA Monthly Webinar – January 2013, www.sisainfosec.com. Presented by www.sisainfosec.com and Free Formal Risk Assessment tool www.smart-ra.com
  • Housekeeping
    – Questions are welcome at all times during the webinar.
    – Please type them into the chat window.
  • Introductions
  • About SISA
    – Customers in 25 countries
    – Services – Training – Products
    – SISA Information Security Inc., Americas
    – SISA Information Security Pvt Ltd, Asia
    – SISA Information Security WLL, EMEA
    – Our customers are some of the world's biggest banks, merchants, IT, BPOs and telecoms
  • About SISA (services by line of business)
    – Consulting: PCI QSA Validation Services (PCI-DSS); PCI ASV Scanning Services; PCI Assurance Services (SAQ); PA QSA Validation Services (PA-DSS); ISO 27001 Implementation Advisory; Risk Assessment (IS-RA); Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999); Application Pen Test and Code Review; Network VA and Pen Test; Forensics
    – Training: CPISI – PCI DSS Implementation; CISRA – Risk Assessment Implementation (PCI-DSS); OCTAVE (SEI-CMU) Risk Assessment Workshop; PA DSS Security Workshop; Business Continuity Management Workshop; Secure Coding in Dot-Net; Awareness Sessions
    – Products: SMART-RA.COM – Formal Risk Assessment tool
  • About Dharshan
    – Dharshan Shanthamurthy, CEO, SISA Information Security
    – Proposer and Lead – Special Interest Group on Risk Assessment with the PCI Council
    – Dharshan has been a lead trainer for over 125 information security workshops on varied topics including data protection, compliance, risk assessment and application security
    – Dharshan has been an evangelist of formal risk assessment and has developed a free formal risk assessment tool, www.smart-ra.com
    – LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
  • SISA and the Risk Assessment SIG
    – Special Interest Groups (SIG) at the PCI Council
    – SISA's role in the Risk Assessment SIG
    – Drafting the Risk Assessment Guidelines document
  • Intent of the Guidelines Document
    – Objective: supplementary guidance for Requirement 12.1.2; it does not replace any PCI DSS requirement
    – Target audience: any organization that stores, processes or transmits CHD, e.g. merchants, service providers, banks, issuers
  • Risk Assessment and PCI Compliance
  • Understanding Risk
    – Risk is a consideration of the who, how and why of things going wrong.
    – Who – Asset
    – How – Threat
    – Why – Vulnerability
    – Some definitions: Risk = LHOT x Impact; Risk = f (AV, LHOT, LOV)
  • Formal Risk Assessment
    – Formal: a measurable and comparable methodology
    – Structured: following a defined and approved process
    – PCI DSS names the following: ISO 27005, NIST SP 800-30, OCTAVE
  • Requirement 12.1.2
    – Requirement 12.1.2 mandates a formal risk assessment on an annual basis. But:
    – What is the actual intent behind this requirement?
    – Can risk assessment help simplify compliance?
  • Benefits of Risk Assessment
    – PCI scope reduction: identify areas where stored CHD is not fundamental to the business and can be removed; segmentation of the sensitive CDE from non-sensitive parts of the network
    – Proactive threat identification: keep pace with the changing business environment and identify new threats; make decisions on future resource investments
    – Prioritized mitigation: the most critical risks are addressed first
  • Risk Assessment and the Prioritized Approach
    – PCI DSS Prioritized Approach: a series of 6 milestones to help organizations pursuing PCI compliance for the first time
    – Also relevant to PCI re-certifications, as business landscapes are subject to change over the year
    – Milestone 1: a formal risk assessment process is to be implemented to identify threats and vulnerabilities
  • Continuous Risk Assessment
    – Keep up with the changing business landscape: new business processes and departments, acquisitions and mergers, new ventures
    – Accurate identification of entities: since data is appended to the RA as and when it is available, the identification phase of the RA is done accurately
  • Implementation
  • Choosing the right RA Methodology
    – ISO 27005: widely accepted methodology; Technology, People and Process RA
    – NIST SP 800-30 (Rev 1): most suited for Technology RA; aligned with Common Criteria
    – OCTAVE: 8 processes; most suited for process RA; based on people's knowledge
  • Implementation: Team Building
    – Representatives from all departments: HR, Marketing, IT, Information Security, etc.
    – Led by a person with knowledge of PCI DSS and of the risk assessment methodology used by the organization
  • Implementation: Risk Identification
    – Context establishment: organizational hierarchy, business processes, CHD flow
    – Asset identification: asset owner and asset value must be identified; all payment channels must be taken as assets
  • Implementation: Risk Identification (continued)
    – Threat identification: different perspectives must be taken into account; measurement: capability, intent, relevance, likelihood of occurrence, impact
    – Vulnerability identification: organizational vulnerabilities via policy and procedure review; technical vulnerabilities via VA-PT, firewall rule review, secure code review
  • Implementation: Risk Profiling
    – Asset, Threat and Vulnerability together determine Risk
    – Risk evaluation: quantitative, qualitative
    – Risk treatment: reduction, transference, avoidance, acceptance
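As an added worked example (not from the webinar, SISA or SMART-RA), the Risk = f (AV, LHOT, LOV) definition and the risk profiling and prioritized mitigation steps carried into a small risk register in Python. It assumes a qualitative 1 to 5 scale for every factor, that f is the product of the three factors, a reading of AV, LHOT and LOV as asset value, likelihood of threat occurrence and likelihood of vulnerability exploitation, and a constructed sample register; the names RiskItem, prioritize and treatment_plan are mine.

```python
from dataclasses import dataclass

# Qualitative 1..5 scale used for every factor (assumption: the slides give only
# the shape Risk = f(AV, LHOT, LOV), not a scale or the function f).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskItem:
    asset: str          # Who: the payment channel or CHD store at risk
    threat: str         # How: what could go wrong
    vulnerability: str  # Why: the weakness that lets the threat succeed
    av: int             # AV: asset value, i.e. impact if compromised (assumed reading)
    lhot: int           # LHOT: likelihood of threat occurrence (assumed reading)
    lov: int            # LOV: likelihood the vulnerability is exploited (assumed reading)

    def score(self) -> int:
        """Risk = f(AV, LHOT, LOV), with f taken as the product (assumption)."""
        for v in (self.av, self.lhot, self.lov):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"scale value {v} outside {SCALE_MIN}..{SCALE_MAX}")
        return self.av * self.lhot * self.lov


def prioritize(items: list[RiskItem]) -> list[RiskItem]:
    """Prioritized mitigation: highest-scoring risks first, ties by asset name."""
    return sorted(items, key=lambda i: (-i.score(), i.asset))


def treatment_plan(items: list[RiskItem], appetite: int) -> list[tuple[str, int, str]]:
    """Risks above the organisation's risk appetite are marked 'Treat' (the asset
    owner then chooses reduction, transference or avoidance); the rest are
    candidates for acceptance. Returns (asset, score, decision) in rank order."""
    return [(i.asset, i.score(), "Treat" if i.score() > appetite else "Accept")
            for i in prioritize(items)]


# Constructed sample register; not data from the webinar.
REGISTER = [
    RiskItem("Legacy batch export", "Loss of settlement file", "File kept after settlement", 3, 2, 2),
    RiskItem("E-commerce checkout", "Card skimming on the web server", "Unpatched web application", 5, 4, 4),
    RiskItem("POS terminals", "Terminal tampering", "No periodic device inspection", 4, 2, 3),
    RiskItem("Call centre recordings", "Insider copies PANs", "Recordings hold unmasked PAN", 4, 3, 5),
]

if __name__ == "__main__":
    for asset, score, decision in treatment_plan(REGISTER, appetite=25):
        print(f"{score:3d}  {decision:6s}  {asset}")
```

The appetite threshold of 25 is a placeholder; an organization sets its own, and the sort order is what drives the "most critical risks first" milestone.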
  • Third Party Risks
    – Third parties may be service providers, BPOs, third party merchants, etc.
    – e.g. application developers, data center providers, web hosting providers, etc.
    – Third parties may introduce risk, manage risk or share risk
  • Reporting
    – Version history
    – Executive summary
  • Critical Success Factors
    – Correct identification
    – Proactive approach
    – Keep it simple
    – Training
  • Next Webinar
    – Practical Implementation of Formal Risk Assessment (for PCI, HIPAA, ISO 27001), based on the theoretical concepts covered in today's webinar
    – Date: 5th February, 2012
    – 9:00 to 10:00 am PST
  • Questions
  • Thank You. Please send us your feedback to praveen.v@sisainfosec.com