Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2
1. Risk Assessment for PCI 12.1.2
How To Do A Formal Risk
Assessment as per PCI Requirement
12.1.2 (Version 2.0)
SMART ® logo is the registered Trademark of SISA Information Security.
SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.
SISA Information Security is part of SISA Worldwide
smart-ra.com
2. Agenda
• Understand Requirement 12.1.2 of PCI (Version 2.0)
• Overview of the Methodologies – ISO 27005, OCTAVE and
NIST SP 800-30
• How to do a formal Risk Assessment as per 12.1.2 of PCI
• Case Study Walkthrough
3. Requirement 12.1.2
Requirement 12.1.2 emphasizes the need for a
structured and formal risk assessment methodology.
“Includes an annual process that identifies threats, and
vulnerabilities, and results in a formal risk assessment.
(Examples of risk assessment methodologies include but
are not limited to OCTAVE, ISO 27005 and NIST SP 800-
30.)”
4. What is a Formal, Structured
Methodology?
• Formal => A measurable and comparable
methodology
• Structured => following a defined and approved
process.
• PCI 2.0 names the following risk assessment
methodologies:
- ISO 27005
- NIST SP 800-30
- OCTAVE
5. ISO 27005
Source: ISO 27005 Risk Management Standard
7. NIST SP 800-30
Source: Risk Management Guide for IT
Systems - NIST
8. Common Risk Assessment Flow
• Scope – General Description of Scope
• ISRA:
- Risk Analysis – Risk Identification: Asset, Threat, Vulnerabilities
- Risk Analysis – Risk Estimation and Evaluation: Risk Profiling
- Risk Treatment: Risk Treatment Plan
- Results Documentation
9. Scope
• Physical Location – building, room, etc.
• Data Center
• Business Process
• Business Division
10. Asset Review
• Cardholder Data
• Sensitive Authentication Data
• IVR
• Web Payments (Merchants)
• Customer Services – Call Centers
11. Threat Review
• Hacker exploits insecure communication channels to POS
• Theft / destruction of media or documents
• Corruption of data
• CSRF Attack
12. Vulnerability Review
• Employee Disclosure
• Sensitive authentication data is stored unencrypted
• No quarterly review of firewall rules
• XSS Vulnerability
13. Risk Profiling
• Risk Score = f(Asset Value, LHOT, LOV)
• Calculated after taking Risk Evaluation and Risk Acceptance Criteria into account
• Revised Risk Score = Risk Score after:
- Evaluating Existing Controls
- Applying New Controls
14. Risk Treatment Plan
• Treat / Tolerate / Terminate / Transfer
• Take Action if Treat / Transfer
• Take Approval if Tolerate / Terminate
15. Results Documentation
• Document the A-T-V Combination with the associated Risk
• Calculation of Risk
• RTP
• Action Taken
16. Case Study
• Company Background – Wise Bank
• PCI Related Environment – Payment Channels include:
i. Online store
ii. Retail outlets
iii. Self service kiosks
iv. Payments over mobile
v. Drop Boxes
vi. Call Center
17. Example for 1 ‘A-T-V’
Asset Name: Online Payment Process
Threat: Insider Sniffing the traffic
Vulnerability: App Server to Database Server is in clear.
Risk: High
Supporting Assets: Apache Web Server, EOS App Server, Oracle 10G DB
Threat Properties: Insider – Deliberate; LOV: Medium High; LHOT: High
RTP: Treat
Action: Use OpenSSL to encrypt traffic from App Server to Database Server
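The following is an added example, not code from the SISA deck or the SMART-RA product. It walks one A-T-V combination through the flow on slides 13 to 15 (Risk Profiling, Risk Treatment Plan, Results Documentation) using the Wise Bank values above. The deck only states Risk Score = f(Asset Value, LHOT, LOV); the product-form scoring function, the four-point ordinal scale, the risk bands, the acceptance criterion (16), the asset value "High" and the post-control LOV "Low" are all assumptions made here for illustration, and LHOT/LOV are read as likelihood of threat occurrence and likelihood of vulnerability exploitation.

```python
"""Added example (not from the SISA deck): risk profiling, RTP decision and
results documentation for one Asset-Threat-Vulnerability (A-T-V) combination.
The scoring function f, the ordinal scale, the bands and the acceptance
criterion are assumptions; the deck only states Risk Score = f(Asset Value, LHOT, LOV)."""
from dataclasses import dataclass, field

# Assumed ordinal scale for the qualitative ratings used on the slides.
SCALE = {"Low": 1, "Medium": 2, "Medium High": 3, "High": 4}


def band(score: int) -> str:
    """Assumed bands for reporting a product score (1..64) as a rating."""
    if score >= 32:
        return "High"
    if score >= 12:
        return "Medium"
    return "Low"


def risk_score(asset_value: str, lhot: str, lov: str) -> int:
    """Assumed f: product of asset value, likelihood of threat (LHOT)
    and likelihood of vulnerability (LOV)."""
    return SCALE[asset_value] * SCALE[lhot] * SCALE[lov]


@dataclass
class Control:
    description: str
    lowers: str       # "lhot" or "lov": which likelihood the control reduces
    to_rating: str    # rating of that likelihood once the control is in place


@dataclass
class ATV:
    asset: str
    threat: str
    vulnerability: str
    asset_value: str
    lhot: str
    lov: str
    supporting_assets: list = field(default_factory=list)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk Score before any new controls are applied."""
        return risk_score(self.asset_value, self.lhot, self.lov)

    def revised_score(self) -> int:
        """Revised Risk Score after evaluating existing / applying new controls."""
        lhot, lov = self.lhot, self.lov
        for c in self.controls:
            if c.lowers == "lhot":
                lhot = c.to_rating
            elif c.lowers == "lov":
                lov = c.to_rating
        return risk_score(self.asset_value, lhot, lov)


def decide_rtp(score: int, acceptance: int) -> str:
    """Assumed RTP rule: above the acceptance criterion the risk is Treated,
    otherwise Tolerated. Terminate and Transfer are also valid options on the
    slides but need a business decision, so they are not chosen automatically."""
    return "Treat" if score > acceptance else "Tolerate"


# Slide 14: Treat/Transfer need action, Tolerate/Terminate need approval.
FOLLOW_UP = {"Treat": "Take Action", "Transfer": "Take Action",
             "Tolerate": "Take Approval", "Terminate": "Take Approval"}


def document(atv: ATV, acceptance: int) -> dict:
    """Results Documentation: the A-T-V, both scores, the RTP and the follow-up."""
    inherent = atv.inherent_score()
    revised = atv.revised_score()
    rtp = decide_rtp(inherent, acceptance)
    return {
        "asset": atv.asset,
        "threat": atv.threat,
        "vulnerability": atv.vulnerability,
        "supporting_assets": atv.supporting_assets,
        "inherent_score": inherent,
        "inherent_rating": band(inherent),
        "rtp": rtp,
        "follow_up": FOLLOW_UP[rtp],
        "actions": [c.description for c in atv.controls],
        "revised_score": revised,
        "revised_rating": band(revised),
    }


def wise_bank_example() -> dict:
    """The deck's A-T-V from the Wise Bank case study. Asset value 'High' and
    the post-control LOV 'Low' are assumptions, not stated on the slide."""
    atv = ATV(
        asset="Online Payment Process",
        threat="Insider sniffing the traffic (deliberate)",
        vulnerability="App Server to Database Server traffic is in clear",
        asset_value="High", lhot="High", lov="Medium High",
        supporting_assets=["Apache Web Server", "EOS App Server", "Oracle 10G DB"],
        controls=[Control("Use OpenSSL to encrypt traffic from App Server to "
                          "Database Server", lowers="lov", to_rating="Low")],
    )
    return document(atv, acceptance=16)


if __name__ == "__main__":
    for key, value in wise_bank_example().items():
        print(f"{key}: {value}")
```

With these assumed scales the inherent score is 48 (High), which is above the acceptance criterion and so gets "Treat" with "Take Action"; after the encryption control the revised score is 16 (Medium). The point of keeping both scores in the record is that slide 15 asks for the calculation, the RTP and the action taken together, so an auditor can see why the residual risk was accepted.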
19. Questions?
• Join IS-RA Group on Linkedin.
• Personal Edition of SMART-RA is free.
Sign up on smart-ra.com
Dharshan (Dash)
Email: dbs@sisa.co.in