Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2

Risk Assessment for PCI 12.1.2



     How To Do A Formal Risk
Assessment as per PCI Requirement
       12.1.2 (Version 2.0)
          SMART ® logo is the registered Trademark of SISA Information Security.
   SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.
                     SISA Information Security is part of SISA Worldwide



                                          smart-ra.com
Agenda

• Understand Requirement 12.1.2 of PCI (Version 2.0)

• Overview of the Methodologies – ISO 27005, OCTAVE and
  NIST SP 800-30

• How to do a formal Risk Assessment as per 12.1.2 of PCI

• Case Study Walkthrough




Requirement 12.1.2
  Requirement 12.1.2 calls for a structured and formal risk assessment
  methodology. The PCI DSS v2.0 wording is:

  “Includes an annual process that identifies threats, and
  vulnerabilities, and results in a formal risk assessment.
  (Examples of risk assessment methodologies include but
  are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”

  Note: from PCI DSS v3.0 onwards this requirement was renumbered
  to 12.2 and additionally requires the assessment to be repeated
  upon significant changes to the environment (mergers, relocations,
  new payment channels), not only annually. The walkthrough below
  applies unchanged; only the trigger and the requirement number differ.

What is a Formal, Structured
Methodology?
 • Formal => the method produces measurable and comparable
   results: a risk score that can be compared across assets,
   against the organisation's risk acceptance criteria, and
   against next year's assessment run with the same criteria.

 • Structured => every assessment follows a defined, documented
   and approved process, so two assessors working independently
   arrive at comparable results.

 • PCI DSS v2.0 names the following risk assessment
   methodologies as examples (the list is explicitly not
   exhaustive, so a documented in-house method is acceptable):

    - ISO 27005
    - NIST SP 800-30
    - OCTAVE

ISO 27005

  Figure omitted (ISO/IEC 27005 risk management process diagram).
  Source: ISO 27005 Risk Management Standard

OCTAVE

  Figure omitted (OCTAVE, Operationally Critical Threat, Asset and
  Vulnerability Evaluation, process diagram).
  Source: OCTAVE Risk Assessment Methodology

NIST SP 800-30

  Figure omitted (NIST SP 800-30 risk assessment process diagram).
  Source: Risk Management Guide for Information Technology Systems - NIST

  Note: the deck cites the original 2002 edition of SP 800-30. Revision 1
  (2012) is titled “Guide for Conducting Risk Assessments” and restructures
  the document, but its steps (identify threat sources and events, identify
  vulnerabilities, determine likelihood and impact, determine risk) map onto
  the common flow shown on the next slide.

Common Risk Assessment Flow

  The methodologies share the same four phases (ISO 27005 wording on the
  left, ISRA = Information Security Risk Assessment). The deck breaks them
  into seven working steps, walked through one per slide below:

  General Description of ISRA                     -> Scope
  Risk Analysis: Risk Identification              -> Asset, Threat, Vulnerabilities
  Risk Analysis: Risk Estimation and Evaluation   -> Risk Profiling
  Risk Treatment                                  -> Risk Treatment Plan, Results Documentation

Scope

  Fix the boundary of the assessment before listing assets; the same
  boundary must be reused at the next annual run for the results to be
  comparable. Typical ways to define scope:

   - Physical Location – building, room, etc.
   - Data Center
   - Business Process
   - Business Division

Asset Review

  Examples of assets in a PCI environment (data assets and the
  channels and processes that handle them):

   - Cardholder Data
   - Sensitive Authentication Data
   - IVR
   - Web Payments (Merchants)
   - Customer Services – Call Centers

Threat Review

  Examples of threats against those assets:

   - Hacker exploits insecure communication channels to POS
   - Theft / destruction of media or documents
   - Corruption of data
   - CSRF Attack

Vulnerability Review

  Examples of vulnerabilities (weaknesses a threat can exploit; note
  that missing process controls count alongside technical flaws):

   - Employee Disclosure
   - Sensitive authentication data is stored unencrypted
   - No quarterly review of firewall rules
   - XSS Vulnerability

Risk Profiling

  Risk Score = f( Asset Value, LHOT, LOV )

  where LHOT is the likelihood of threat occurrence and LOV the level of
  vulnerability (how readily it can be exploited). The score is calculated
  after the Risk Evaluation and Risk Acceptance Criteria have been fixed,
  so that every A-T-V combination is rated on the same scale and against
  the same threshold; f, the scales and the threshold must be written
  into the methodology before scoring starts, otherwise the results are
  neither measurable nor comparable in the sense of Requirement 12.1.2.

  Revised Risk Score = Risk Score after
   • evaluating existing controls
   • applying new controls

Risk Treatment Plan

  Choose one option per risk: Treat / Tolerate / Terminate / Transfer

   - Treat or Transfer => take action (implement the control, or move
     the risk to a third party such as an insurer or service provider;
     for PCI, transferring does not remove the entity's own compliance
     obligation for that data)
   - Tolerate or Terminate => take approval (a documented sign-off by
     the risk owner to accept the risk, or to stop the activity that
     creates it)

Results Documentation

  For each A-T-V combination, document:

   - the A-T-V combination with the associated Risk
   - the calculation of the Risk (the inputs and the score, not only the rating)
   - the RTP (the treatment option chosen)
   - the action taken

Case Study

  •   Company Background – Wise Bank

  •   PCI Related Environment – Payment Channels include:

                       i.     Online store
                       ii.    Retail outlets
                       iii.   Self service kiosks
                       iv.    Payments over mobile
                       v.     Drop Boxes
                       vi.    Call Center




Example for 1 ‘A-T-V’

  Asset Name:         Online Payment Process
  Supporting Assets:  Apache Web Server, EOS App Server, Oracle 10G DB
  Threat:             Insider sniffing the traffic
  Threat Properties:  Insider – Deliberate; LHOT: High
  Vulnerability:      App Server to Database Server traffic is in clear; LOV: Medium
  Risk:               High

  RTP:                Treat
  Action:             Use OpenSSL to encrypt traffic from App Server to
                      Database Server

  Practitioner note: OpenSSL supplies the TLS implementation, but the
  control is only effective if the database side rejects unencrypted
  sessions (Oracle supports both TLS and native network encryption for
  its listener). Verify that before recalculating the Revised Risk Score,
  and record the verification as the “action taken”.

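To make the Risk Profiling, Risk Treatment Plan and Results Documentation steps concrete, here is an added worked example that scores the Wise Bank A-T-V above. It is not code from the deck or from SMART-RA. Everything the slides leave to the organisation's methodology is assumed here and marked as such: a 3-point scale, the product as f, the thresholds 12 and 4 for High and Medium, an Asset Value of High, a Medium risk acceptance criterion, and a control reducing LOV by one level.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Assumed 3-point scale shared by Asset Value, LHOT, LOV and the risk rating."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Control:
    """A control that lowers one factor ('LHOT' or 'LOV') by `steps` levels (assumed model)."""
    name: str
    factor: str
    steps: int = 1


@dataclass
class ATV:
    """One Asset-Threat-Vulnerability combination in the risk register."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: Level
    lhot: Level  # likelihood of threat occurrence
    lov: Level   # level of vulnerability (ease of exploitation)
    existing_controls: list = field(default_factory=list)
    new_controls: list = field(default_factory=list)


def risk_score(asset_value: Level, lhot: Level, lov: Level) -> int:
    """Risk Score = f(Asset Value, LHOT, LOV); the product (1..27) is an assumed f."""
    return int(asset_value) * int(lhot) * int(lov)


def risk_level(score: int) -> Level:
    """Assumed risk evaluation criteria: >= 12 High, 4..11 Medium, <= 3 Low."""
    if score >= 12:
        return Level.HIGH
    if score >= 4:
        return Level.MEDIUM
    return Level.LOW


def apply_controls(lhot: Level, lov: Level, controls) -> tuple:
    """Lower LHOT / LOV by the steps each control claims, never below LOW."""
    lhot_v, lov_v = int(lhot), int(lov)
    for c in controls:
        if c.factor == "LHOT":
            lhot_v = max(int(Level.LOW), lhot_v - c.steps)
        elif c.factor == "LOV":
            lov_v = max(int(Level.LOW), lov_v - c.steps)
        else:
            raise ValueError(f"unknown factor {c.factor!r}")
    return Level(lhot_v), Level(lov_v)


def treatment_option(level: Level, acceptance: Level) -> dict:
    """Assumed rule against the Risk Acceptance Criteria: above it -> Treat (needs
    action); within it -> Tolerate (needs the risk owner's approval)."""
    if level > acceptance:
        return {"rtp": "Treat", "requires": "action"}
    return {"rtp": "Tolerate", "requires": "approval"}


def profile(atv: ATV, acceptance: Level = Level.MEDIUM) -> dict:
    """Results Documentation record for one A-T-V: risk calculation, revised scores
    after existing and new controls, the RTP option and the actions."""
    inherent = risk_score(atv.asset_value, atv.lhot, atv.lov)
    # Revised Risk Score after evaluating existing controls
    lhot1, lov1 = apply_controls(atv.lhot, atv.lov, atv.existing_controls)
    current = risk_score(atv.asset_value, lhot1, lov1)
    decision = treatment_option(risk_level(current), acceptance)
    if decision["rtp"] == "Treat":
        # Revised Risk Score after applying the new controls named in the action
        lhot2, lov2 = apply_controls(lhot1, lov1, atv.new_controls)
        actions = [c.name for c in atv.new_controls]
    else:
        lhot2, lov2, actions = lhot1, lov1, []
    residual = risk_score(atv.asset_value, lhot2, lov2)
    return {
        "atv": (atv.asset, atv.threat, atv.vulnerability),
        "inherent": (inherent, risk_level(inherent).name),
        "current": (current, risk_level(current).name),
        "residual": (residual, risk_level(residual).name),
        "rtp": decision["rtp"],
        "requires": decision["requires"],
        "actions": actions,
        # False means more controls are needed or the residual must be formally accepted
        "residual_accepted": risk_level(residual) <= acceptance,
    }


# The Wise Bank A-T-V from the deck. LHOT = High and LOV = Medium are the deck's values;
# Asset Value = High (cardholder data) and the control's effect on LOV are assumptions.
WISE_BANK_ATV = ATV(
    asset="Online Payment Process (Apache Web Server, EOS App Server, Oracle 10G DB)",
    threat="Insider sniffing the traffic (insider, deliberate)",
    vulnerability="App Server to Database Server traffic is in clear",
    asset_value=Level.HIGH,
    lhot=Level.HIGH,
    lov=Level.MEDIUM,
    new_controls=[Control("Encrypt App Server to Database Server traffic (TLS via OpenSSL)", "LOV")],
)

if __name__ == "__main__":
    for key, value in profile(WISE_BANK_ATV).items():
        print(f"{key:18}: {value}")
```

With these assumptions the inherent score is 18 (High), which is above the Medium acceptance criterion, so the option is Treat; after the encryption control LOV drops to Low and the residual score is 9 (Medium), which the risk owner can accept. The point of keeping inherent, current and residual scores separately is that the annual rerun compares like with like: the next assessment should start from the residual, and a control that has not been verified as in place should not be counted.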
Results Documentation

  Figure omitted (screenshot of a completed A-T-V record).
  Source: SMART-RA for PCI (v4.8.2)

Questions?


 •   Join IS-RA Group on Linkedin.

 •   Personal Edition of SMART-RA is free.
     Sign up on smart-ra.com




                      Dharshan (Dash)
                    Email: dbs@sisa.co.in


