Risk Assessment for PCI 12.1.2

How To Do A Formal Risk Assessment as per PCI Requirement 12.1.2 (Version 2.0)

SMART ® logo is the registered Trademark of SISA Information Security.
SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.
SISA Information Security is part of SISA Worldwide

smart-ra.com
Agenda

• Understand Requirement 12.1.2 of PCI (Version 2.0)
• Overview of the Methodologies – ISO 27005, OCTAVE and NIST SP 800-30
• How to do a formal Risk Assessment as per 12.1.2 of PCI
• Case Study Walkthrough
Requirement 12.1.2

Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology.

“Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”
What is a Formal, Structured Methodology?

• Formal => a measurable and comparable methodology
• Structured => following a defined and approved process
• PCI 2.0 names the following risk assessment methodologies:
  - ISO 27005
  - NIST SP 800-30
  - OCTAVE
ISO 27005

Source: ISO 27005 Risk Management Standard

OCTAVE

Source: OCTAVE Risk Assessment Methodology

NIST SP 800-30

Source: Risk Management Guide for IT Systems - NIST
Common Risk Assessment Flow

  General Description of ISRA                    Scope
                                                 Asset
  Risk Analysis: Risk Identification             Threat
                                                 Vulnerabilities
  Risk Analysis: Risk Estimation and Evaluation  Risk Profiling
                                                 Risk Treatment Plan
  Risk Treatment                                 Results Documentation
Scope

• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division
Asset Review

• Cardholder Data
• Sensitive Authentication Data
• IVR
• Web Payments (Merchants)
• Customer Services – Call Centers
Threat Review

• Hacker exploits insecure communication channels to POS
• Theft / destruction of media or documents
• Corruption of data
• CSRF Attack
Vulnerability Review

• Employee Disclosure
• Sensitive authentication data is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability
Risk Profiling

Risk Score = f(Asset Value, LHOT, LOV)
  • Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account

Revised Risk Score = Risk Score after
  • Evaluating Existing Controls
  • Applying New Controls
Risk Treatment Plan

• Treat / Tolerate / Terminate / Transfer
• Take Action if Treat / Transfer
• Take Approval if Tolerate / Terminate
Results Documentation

• Document A-T-V Combination with the associated Risk
• Calculation of Risk
• RTP
• Action Taken
Case Study

• Company Background – Wise Bank
• PCI Related Environment – Payment Channels include:
  i.   Online store
  ii.  Retail outlets
  iii. Self service kiosks
  iv.  Payments over mobile
  v.   Drop Boxes
  vi.  Call Center
Example for 1 ‘A-T-V’

  Asset Name                 Threats                      Vulnerabilities                 Risk
  Online Payment Process     Insider sniffing the         App Server to Database          High
                             traffic                      Server is in clear.
  Supporting Assets:         Threat Properties:
    Apache Web Server          Insider – Deliberate
    EOS App Server             LHOT: High                 LOV: Medium
    Oracle 10G DB

  RTP                        Action
  Treat                      Use OpenSSL to encrypt traffic from App Server to Database Server
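The Risk Profiling, Risk Treatment Plan and Results Documentation steps above, carried through for the case-study A-T-V, as an added Python example that is not part of the deck or of SMART-RA. The deck does not define f(), the evaluation thresholds, the acceptance criterion, the asset value, or what LHOT and LOV stand for; the product-of-levels score, the thresholds, the High asset value and the reading of LHOT/LOV as threat and vulnerability likelihoods are assumptions made here.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    """Ordinal scale for Asset Value, LHOT and LOV (assumed three-point scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3

@dataclass
class Control:
    """A control that caps one factor ("LHOT" or "LOV") at a new level (assumed model)."""
    name: str
    factor: str
    new_level: Level

@dataclass
class ATV:
    """One Asset-Threat-Vulnerability combination in the risk register."""
    asset: str
    threat: str
    vulnerability: str
    asset_value: Level
    lhot: Level  # likelihood of threat occurrence (assumed expansion of the deck's LHOT)
    lov: Level   # likelihood the vulnerability is exploitable (assumed expansion of LOV)
    supporting_assets: list[str] = field(default_factory=list)

# Assumed risk evaluation criteria (score thresholds) and risk acceptance criterion.
RATING_THRESHOLDS = ((12, "High"), (6, "Medium"), (0, "Low"))
ACCEPTABLE_RATING = "Low"

def risk_score(asset_value: Level, lhot: Level, lov: Level) -> int:
    """Assumed concrete f(): product of the three ordinal levels, range 1..27."""
    return int(asset_value) * int(lhot) * int(lov)

def rate(score: int) -> str:
    """Map a numeric score to a rating via the evaluation criteria."""
    return next(rating for threshold, rating in RATING_THRESHOLDS if score >= threshold)

def apply_controls(atv: ATV, controls: list[Control]) -> tuple[Level, Level]:
    """Return (LHOT, LOV) after the controls; a control never raises a factor."""
    lhot, lov = atv.lhot, atv.lov
    for c in controls:
        if c.factor == "LHOT":
            lhot = min(lhot, c.new_level)
        elif c.factor == "LOV":
            lov = min(lov, c.new_level)
        else:
            raise ValueError(f"unknown factor {c.factor!r}")
    return lhot, lov

def choose_rtp(rating: str) -> tuple[str, str]:
    """Pick the RTP option and what it needs: action (Treat/Transfer) or approval (Tolerate/Terminate)."""
    order = ["Low", "Medium", "High"]
    if order.index(rating) <= order.index(ACCEPTABLE_RATING):
        return "Tolerate", "approval required"
    return "Treat", "action required"

def document_atv(atv: ATV, existing: list[Control], new: list[Control]) -> dict:
    """Results Documentation record: A-T-V, risk calculation, RTP and action taken."""
    lhot0, lov0 = apply_controls(atv, existing)        # score after existing controls
    score = risk_score(atv.asset_value, lhot0, lov0)
    rtp, requires = choose_rtp(rate(score))
    lhot1, lov1 = apply_controls(atv, existing + new)  # revised score after new controls
    revised = risk_score(atv.asset_value, lhot1, lov1)
    return {"atv": (atv.asset, atv.threat, atv.vulnerability),
            "risk_score": score, "risk": rate(score), "rtp": rtp, "requires": requires,
            "action_taken": [c.name for c in new],
            "revised_risk_score": revised, "revised_risk": rate(revised)}

# The deck's case-study A-T-V; its asset value is assumed High (the deck does not state it).
WISE_BANK_ATV = ATV(
    asset="Online Payment Process",
    threat="Insider sniffing the traffic (Insider - Deliberate)",
    vulnerability="App Server to Database Server is in clear",
    asset_value=Level.HIGH, lhot=Level.HIGH, lov=Level.MEDIUM,
    supporting_assets=["Apache Web Server", "EOS App Server", "Oracle 10G DB"])
# The deck's action: encrypting the link is modelled as capping LOV at Low (assumption).
ENCRYPT_LINK = Control("Use OpenSSL to encrypt traffic from App Server to Database Server",
                       "LOV", Level.LOW)
```

Calling `document_atv(WISE_BANK_ATV, existing=[], new=[ENCRYPT_LINK])` yields the High rating the deck's table shows, an RTP of Treat with an action required, and a revised score after the new control.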
Results Documentation

Source: SMART-RA for PCI (v4.8.2)
Questions?

• Join IS-RA Group on LinkedIn.
• Personal Edition of SMART-RA is free. Sign up on smart-ra.com

Dharshan (Dash)
Email: dbs@sisa.co.in
