Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2


Published in: Economy & Finance, Business

  1. Risk Assessment for PCI 12.1.2: How To Do A Formal Risk Assessment as per PCI Requirement 12.1.2 (Version 2.0). SMART® logo is the registered trademark of SISA Information Security. SMART-RA.com is a patent-pending product of SISA Information Security in 125 countries. SISA Information Security is part of SISA Worldwide. smart-ra.com
  2. Agenda
     • Understand Requirement 12.1.2 of PCI (Version 2.0)
     • Overview of the methodologies: ISO 27005, OCTAVE and NIST SP 800-30
     • How to do a formal Risk Assessment as per 12.1.2 of PCI
     • Case Study Walkthrough
  3. Requirement 12.1.2
     Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology: “Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”
  4. What is a Formal, Structured Methodology?
     • Formal => a measurable and comparable methodology
     • Structured => following a defined and approved process
     • PCI 2.0 names the following risk assessment methodologies: ISO 27005, NIST SP 800-30, OCTAVE
  5. ISO 27005 [process diagram; source: ISO 27005 Risk Management Standard]
  6. OCTAVE [process diagram; source: OCTAVE Risk Assessment Methodology]
  7. NIST SP 800-30 [process diagram; source: Risk Management Guide for IT Systems, NIST]
  8. Common Risk Assessment Flow
     • General flow: Description of Scope; Risk Analysis: Risk Identification; Risk Analysis: Risk Estimation and Evaluation; Risk Treatment; Results Documentation
     • ISRA steps: Asset; Threat; Vulnerabilities; Risk Profiling; Risk Treatment Plan; Results Documentation
  9. Scope
     • Physical location (building, room, etc.)
     • Data Center
     • Business Process
     • Business Division
  10. Asset Review
     • Cardholder Data
     • Sensitive Authentication Data
     • IVR
     • Web Payments (Merchants)
     • Customer Services (Call Centers)
  11. Threat Review
     • Hacker exploits insecure communication channels to POS
     • Theft/destruction of media or documents
     • Corruption of data
     • CSRF attack
  12. Vulnerability Review
     • Employee disclosure
     • Sensitive authentication data is stored unencrypted
     • No quarterly review of firewall rules
     • XSS vulnerability
  13. Risk Profiling
     • Risk Score = f(Asset Value, LHOT, LOV), calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
     • Revised Risk Score = Risk Score after evaluating existing controls and applying new controls
  14. Risk Treatment Plan
     • Treat / Tolerate / Terminate / Transfer
     • Take action if Treat/Transfer
     • Take approval if Tolerate/Terminate
  15. Results Documentation
     • Document the A-T-V combination with the associated risk
     • Calculation of risk
     • RTP
     • Action taken
  16. Case Study
     • Company background: Wise Bank
     • PCI-related environment: payment channels include (i) online store, (ii) retail outlets, (iii) self-service kiosks, (iv) payments over mobile, (v) drop boxes, (vi) call center
  17. Example for one A-T-V
     • Asset name: Online Payment Process (supporting assets: Apache Web Server, EOS App Server, Oracle 10G DB)
     • Threat: Insider sniffing the traffic (threat properties: Insider, Deliberate; LHOT: High)
     • Vulnerability: App Server to Database Server traffic is in clear (LOV: Medium High)
     • Risk: High
     • RTP: Treat. Action: Use OpenSSL to encrypt traffic from App Server to Database Server
  18. Results Documentation [screenshot; source: SMART-RA for PCI (v4.8.2)]
  19. Questions?
     • Join IS-RA Group on LinkedIn.
     • Personal Edition of SMART-RA is free. Sign up on smart-ra.com
     Dharshan (Dash), Email: dbs@sisa.co.in
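As an added worked example (not from the deck or from SISA), the risk-profiling, treatment and results-documentation steps of slides 13 to 15 applied to the Wise Bank A-T-V of slide 17, in Python. The scoring function f, its ordinal scale and bands, the asset value "High" and the post-control LOV "Low" are assumptions; the deck gives only the inputs of f and the qualitative labels.

```python
from dataclasses import dataclass

# Constructed scale and bands (assumption: the deck names only f's inputs; f is taken as the ordinal product, banded).
LEVELS = {"Low": 1, "Medium": 2, "Medium High": 3, "High": 4}
BANDS = ((6, "Low"), (18, "Medium"), (36, "Medium High"), (64, "High"))

def risk_score(asset_value: str, lhot: str, lov: str) -> str:
    """Risk Score = f(Asset Value, LHOT, LOV), returned as a qualitative band."""
    product = LEVELS[asset_value] * LEVELS[lhot] * LEVELS[lov]
    return next(label for upper, label in BANDS if product <= upper)

def treatment_requirement(rtp: str) -> str:
    """Slide 14: Treat/Transfer need action, Tolerate/Terminate need approval."""
    if rtp in ("Treat", "Transfer"):
        return "Take Action"
    if rtp in ("Tolerate", "Terminate"):
        return "Take Approval"
    raise ValueError(f"not a 4T treatment option: {rtp}")

@dataclass
class ATVRecord:
    asset: str
    asset_value: str
    threat: str
    lhot: str              # threat likelihood rating, as on slide 17
    vulnerability: str
    lov: str               # vulnerability rating, as on slide 17
    rtp: str               # Treat / Tolerate / Terminate / Transfer
    action: str
    revised_lov: str = ""  # LOV after evaluating existing / applying new controls

    def risk(self, after_controls: bool = False) -> str:
        """Risk Score, or the Revised Risk Score once controls are applied."""
        lov = (self.revised_lov or self.lov) if after_controls else self.lov
        return risk_score(self.asset_value, self.lhot, lov)

    def results_documentation(self) -> dict:
        """Slide 15 record: A-T-V combination, risk and its calculation, RTP, action."""
        return {"A-T-V": (self.asset, self.threat, self.vulnerability),
                "Risk": self.risk(), "Revised Risk": self.risk(after_controls=True),
                "Calculation": f"f({self.asset_value}, LHOT={self.lhot}, LOV={self.lov})",
                "RTP": self.rtp, "Follow-up": treatment_requirement(self.rtp),
                "Action Taken": self.action}

# The deck's Wise Bank A-T-V; asset value "High" and post-control LOV "Low" are constructed.
WISE_BANK = ATVRecord(
    asset="Online Payment Process", asset_value="High", threat="Insider sniffing the traffic",
    lhot="High", vulnerability="App Server to Database Server traffic is in clear",
    lov="Medium High", rtp="Treat", revised_lov="Low",
    action="Use OpenSSL to encrypt traffic from App Server to Database Server")
```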