Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2

  • 3,287 views
Uploaded on

Webinar Excerpts: How to do a formal Risk Assessment as per PCI Requirement 12.1.2

Webinar Excerpts: How to do a formal Risk Assessment as per PCI Requirement 12.1.2

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
3,287
On Slideshare
0
From Embeds
0
Number of Embeds
1

Actions

Shares
Downloads
81
Comments
0
Likes
1

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Risk Assessment for PCI 12.1.2 How To Do A Formal RiskAssessment as per PCI Requirement 12.1.2 (Version 2.0) SMART ® logo is the registered Trademark of SISA Information Security. SMART-RA.com is a patent pending product of SISA Information Security in 125 countries. SISA Information Security is part of SISA Worldwide smart-ra.com
  • 2. Agenda• Understand Requirement 12.1.2 of PCI (Version 2.0)• Overview of the Methodologies – ISO 27005, OCTAVE and NIST SP 800-30• How to do a formal Risk Assessment as per 12.1.2 of PCI• Case Study Walkthrough smart-ra.com
  • 3. Requirement 12.1.2 Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology. “Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800- 30.)” smart-ra.com
  • 4. What is a Formal, StructuredMethodology? • Formal => A measurable and comparable methodology • Structured => following a defined and approved process. • PCI 2.0 names the following risk assessment methodologies: - ISO 27005 - NIST SP 800-30 - OCTAVE smart-ra.com
  • 5. ISO 27005 Source: ISO 27005 Risk Management Standard smart-ra.com
  • 6. OCTAVE Source: OCTAVE Risk Assessment Methodology smart-ra.com
  • 7. NIST SP 800-30 Source: Risk Management Guide for IT Systems - NIST smart-ra.com
  • 8. Common Risk Assessment Flow General Description of Scope ISRA Asset Risk Analysis: Risk Threat Identification Vulnerabilities Risk Analysis: Risk Risk Profiling Estimation and Evaluation Risk Treatment Plan Risk Treatment Results Documentation smart-ra.com
  • 9. Scope Scope Asset Threat Physical Location – building, room, etc. Vulnerabilities Data Center Business Process Risk Profiling Business Division Risk Treatment PlanResults Documentation smart-ra.com
  • 10. Asset Review Scope Asset Cardholder Data Sensitive Authentication Threat Data IVR Vulnerabilities Web Payments (Merchants) Risk Profiling Customer Services – Call Centers Risk Treatment Plan Results Documentation smart-ra.com
  • 11. Threat Review Scope Asset Hacker exploits insecure Threat communication channels to POS Theft /destruction of Vulnerabilities media or documents Corruption of data Risk Profiling CSRF Attack Risk Treatment Plan Results Documentation smart-ra.com
  • 12. Vulnerability Review Scope Employee Disclosure Sensitive authentication data is Asset stored unencrypted No quarterly review of firewall rules XSS Vulnerability Threat Vulnerabilities Risk Profiling Risk Treatment Plan Results Documentation smart-ra.com
  • 13. Risk Profiling Scope Risk Score = f( Asset Value, LHOT, LOV) Asset •Calculated after taking Risk Evaluation and Risk Acceptance Threat Criteria into account Revised Risk Score = Risk Score Vulnerabilities after •Evaluating Existing Controls •Applying New Controls Risk Profiling Risk Treatment Plan Results Documentation smart-ra.com
  • 14. Risk Treatment Plan Scope Treat/Tolerate/Terminate/Transfer Asset Take Action if Treat/Transfer Threat  Take Approval if Tolerate/Terminate Vulnerabilities Risk Profiling Risk Treatment Plan Results Documentation smart-ra.com
  • 15. Results Documentation Scope  Document A-T-V Combination Asset with the associated Risk  Calculation of Risk Threat  RTP Vulnerabilities  Action Taken Risk Profiling Risk Treatment Plan Results Documentation smart-ra.com
  • 16. Case Study • Company Background – Wise Bank • PCI Related Environment – Payment Channels include: i. Online store ii. Retail outlets iii. Self service kiosks iv. Payments over mobile v. Drop Boxes vi. Call Center smart-ra.com
  • 17. Example for 1 ‘A-T-V’ Asset Name Threats Vulnerabilities Risk Online Payment Insider Sniffing App Server to High Process the traffic Database Server is in clear. Supporting Threat Properties Assets: Insider – Apache Web Deliberate Server LOV: Medium High EOS App Server LHOT: High Oracle 10G DB RTP Action Treat Use OpenSSL to encrypt traffic from App Server to Database Server smart-ra.com
  • 18. Results Documentation Source : SMART-RA for PCI (v4.8.2) smart-ra.com
  • 19. Questions? • Join IS-RA Group on Linkedin. • Personal Edition of SMART-RA is free. Sign up on smart-ra.com Dharshan (Dash) Email: dbs@sisa.co.in smart-ra.com