SISA's Webinar on New Guidelines from PCI Council on Risk Assessment
Transcript of SISA's Webinar on New Guidelines from PCI Council on Risk Assessment
Presented by www.sisainfosec.com and Free Formal Risk Assessment tool www.smart-ra.com
SISA Monthly Webinar – January 2013
www.sisainfosec.com
Housekeeping
• Questions are welcome at all times during the webinar.
• Please type into the chat window.

Introductions
About SISA
• SISA Information Security Inc., Americas
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security WLL, EMEA
Services – Training – Products
Customers in 25 Countries
Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms

About SISA
Consulting
PCI DSS
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PCI Assurance Services (SAQ)
PA DSS
• PA QSA Validation Services (PA-DSS)
Advisory
• Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions
Products
• SMART-RA.COM – Formal Risk Assessment tool

About Dharshan
DHARSHAN SHANTHAMURTHY
• CEO, SISA Information Security
• Proposer and Lead - Special Interest Group on Risk Assessment with the PCI Council
• Dharshan has been a lead trainer for over 125 information security workshops on varied topics including Data Protection, Compliance, Risk Assessment and Application Security
• Dharshan has been an evangelist of formal risk assessment and has developed a free formal risk assessment tool www.smart-ra.com.
• Linkedin: http://www.linkedin.com/in/dharshanshanthamurthy

SISA and the Risk Assessment SIG
• Special Interest Groups (SIG) at the PCI Council
• SISA’s role in the Risk Assessment SIG
• Drafting the Risk Assessment Guidelines Document

Intent of the Guidelines Document
• Objective
– Supplementary Guidance for Requirement 12.1.2
– Does not replace any PCI DSS requirement
• Target Audience
– Any organization that stores, processes or transmits CHD
– E.g. Merchants, Service Providers, Banks, Issuers

Risk Assessment and PCI Compliance

Understanding Risk
Risk is a consideration of the who, how and why of things going wrong.
• Who – Asset
• How – Threat
• Why – Vulnerability
• Some Definitions
• Risk = LHOT x Impact
• Risk = f (AV, LHOT, LOV)
(Diagram: Risk at the centre, linked to Who, How and Why)

Formal Risk Assessment
• Formal: a measurable and comparable methodology
• Structured: following a defined and approved process
• PCI DSS names the following: ISO 27005, NIST SP 800-30, OCTAVE

Requirement 12.1.2
Requirement 12.1.2 mandates formal risk assessment on an annual basis.
But
• What is the actual intent behind this requirement?
• Can risk assessment help simplify compliance?

Benefits of Risk Assessment
• Identify areas where stored CHD is not fundamental to business and can be removed
• Segmentation of sensitive CDE from non-sensitive parts of the network
• Keep pace with changing business environment and identify new threats
• Make decisions on future resource investments
• Most critical risks are addressed first
(Diagram labels: PCI Scope Reduction; Proactive Threat Identification; Prioritized Mitigation)

Risk Assessment and the Prioritized Approach
• PCI DSS Prioritized Approach
– A series of 6 Milestones to help organizations pursuing PCI compliance for the first time
– Also relevant to PCI re-certifications, as business landscapes are subject to change over the year
• Milestone 1
– A formal risk assessment process is to be implemented to identify threats and vulnerabilities

Continuous Risk Assessment
• Keep up with changing business landscape
– New business processes, departments
– Acquisitions and mergers
– New ventures
• Accurate Identification of Entities
– Since data is appended to the RA as and when it is available, the identification phase of the RA is done accurately.

Implementation
Choosing the right RA Methodology
ISO 27005
• Widely Accepted Methodology
• Technology, People and Process RA
NIST SP 800-30 (Rev 1)
• Most suited for Technology RA
• Aligned with Common Criteria
OCTAVE
• 8 processes
• Most suited for process RA
• Based on people’s knowledge

Implementation: Team Building
Led by a person with knowledge of
• PCI DSS
• The risk assessment methodology used by the organization
Representatives from all departments
• HR, Marketing, IT, Information Security, etc.

Implementation: Risk Identification
Context Establishment
• Organizational Hierarchy, business processes, CHD flow
Asset Identification
• Asset Owner and Asset Value must be identified
• All Payment Channels must be taken as assets

Implementation: Risk Identification
Threat Identification
• Different Perspectives must be taken into account
• Measurement: Capability, Intent, Relevance, Likelihood of Occurrence, Impact
Vulnerability Identification
• Organizational Vulnerabilities: Policy-Procedure review
• Technical Vulnerabilities: VA-PT, firewall rule review, secure code review

Implementation: Risk Profiling
(Diagram: Risk arising from Asset, Threat and Vulnerability)
Risk Evaluation
• Quantitative
• Qualitative
Risk Treatment
• Reduction
• Transference
• Avoidance
• Acceptance
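A small risk register that applies the Risk = f (AV, LHOT, LOV) definition from the "Understanding Risk" slide and then ranks entries so the most critical risks are addressed first, as the profiling and treatment slides describe. This is an added example, not code from the webinar or from SMART-RA; it assumes AV, LHOT and LOV stand for asset value, likelihood of threat occurrence and level of vulnerability, that each is scored qualitatively on a 1–5 scale, and that the risk bands, the appetite threshold and the sample entries are constructed for illustration.

```python
from dataclasses import dataclass

# Assumption: qualitative 1-5 scores for each factor; the webinar gives the
# formula Risk = f(AV, LHOT, LOV) but does not define the scales.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # every payment channel is taken as an asset
    threat: str         # the "how"
    vulnerability: str  # the "why"
    av: int             # asset value (assumed expansion of AV)
    lhot: int           # likelihood of threat occurrence (assumed expansion of LHOT)
    lov: int            # level of vulnerability (assumed expansion of LOV)


def risk_score(entry: RiskEntry) -> int:
    """Risk = AV x LHOT x LOV, giving 1..125 on 1-5 scales; rejects out-of-scale input."""
    for value in (entry.av, entry.lhot, entry.lov):
        if value not in SCALE:
            raise ValueError(f"score {value} is outside the 1-5 scale")
    return entry.av * entry.lhot * entry.lov


def risk_rating(score: int) -> str:
    """Qualitative band for the executive summary (bands are constructed, not from the guidelines)."""
    if score >= 60:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def prioritise(register, appetite: int = 20):
    """Rank by score so the most critical risks come first; entries at or above the
    appetite need a treatment decision (reduce, transfer or avoid), the rest may be accepted."""
    ranked = sorted(register, key=risk_score, reverse=True)
    return [(e.asset, e.threat, risk_score(e), risk_rating(risk_score(e)),
             "treat" if risk_score(e) >= appetite else "accept") for e in ranked]


# Constructed sample register (illustrative values only)
SAMPLE_REGISTER = [
    RiskEntry("E-commerce gateway", "Web application attack", "Unreviewed code release", 5, 4, 4),
    RiskEntry("POS terminals", "Card skimming", "No tamper inspection", 4, 3, 2),
    RiskEntry("Call centre CHD recordings", "Insider disclosure", "Recordings stored unencrypted", 5, 2, 5),
    RiskEntry("Development test database", "Data leakage", "Stale test data", 1, 2, 3),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(row)
```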
Third Party Risks
• Third Parties may be Service providers, BPOs, Third Party Merchants, etc.
• E.g. Application developers, Data center providers, Web hosting providers, etc.
• Third Parties may
– Introduce Risk
– Manage Risk
– Share Risk

Reporting
• Version History
• Executive Summary
Critical Success Factors
• Correct Identification
• Proactive Approach
• Keep it Simple
• Training
Next Webinar
• Practical Implementation of Formal Risk Assessment (for PCI, HIPAA, ISO 27001), based on the theoretical concepts covered in today’s webinar
• Date: 5th February, 2012
• 9:00 to 10:00 am PST

Questions
Thank You
Please send us your feedback to