Presented by www.sisainfosec.com and Free Formal Risk Assessment tool www.smart-ra.com SISA Monthly Webinar – January 2013 www.sisainfosec.com

SISA's Webinar on New Guidelines from PCI Council on Risk Assessment


DESCRIPTION

Excellent response to SISA's webinar on the "New Risk Assessment Guidelines issued by the PCI Council". Yet another delivery by Dharshan Shanthamurthy showcasing outstanding depth of subject matter knowledge. SISA Training Calendar : http://www.sisainfosec.com/site/page/17/48


Page 1: Title slide (SISA Monthly Webinar, January 2013)

Page 2: Housekeeping

• Questions are welcome at all times during the webinar.

• Please type into the chat window.

Page 3: Introductions

Page 4: About SISA

• SISA Information Security Inc., Americas

• SISA Information Security Pvt Ltd, Asia

• SISA Information Security WLL, EMEA

Services – Training – Products

Customers in 25 countries

Our customers are some of the world’s biggest banks, merchants, IT companies, BPOs and telecoms.

Page 5: About SISA

Consulting

• PCI DSS
  – PCI QSA Validation Services (PCI-DSS)
  – PCI ASV Scanning Services (PCI-DSS)
  – PCI Assurance Services (SAQ)

• PA DSS
  – PA QSA Validation Services (PA-DSS)

• Advisory
  – Risk Assessment (IS-RA)
  – Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
  – Application Pen Test and Code Review
  – Network VA and Pen Test
  – Forensics

Training

• CPISI – PCI DSS Implementation

• CISRA – Risk Assessment Implementation

• OCTAVE (SEI-CMU) Security Risk Assessment Workshop

• ISO 27001 Implementation Workshop

• Business Continuity Management Workshop

• Secure Coding in Dot-Net

• Awareness Sessions

Products

• SMART-RA.COM – Formal Risk Assessment tool

Page 6: About Dharshan

DHARSHAN SHANTHAMURTHY

• CEO, SISA Information Security

• Proposer and Lead - Special Interest Group on Risk Assessment with the PCI Council

• Dharshan has been a lead trainer for over 125 information security workshops on varied topics including Data Protection, Compliance, Risk Assessment and Application Security.

• Dharshan has been an evangelist of formal risk assessment and has developed a free formal risk assessment tool, www.smart-ra.com.

• LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy

Page 7: SISA and the Risk Assessment SIG

• Special Interest Groups (SIG) at the PCI Council

• SISA’s role in the Risk Assessment SIG

• Drafting the Risk Assessment Guidelines Document

Page 8: Intent of the Guidelines Document

• Objective

  – Supplementary guidance for Requirement 12.1.2

  – Does not replace any PCI DSS requirement

• Target Audience

  – Any organization that stores, processes or transmits CHD

  – E.g. merchants, service providers, banks, issuers

Page 9: Risk Assessment and PCI Compliance

Page 10: Understanding Risk

Risk is a consideration of the who, how and why of things going wrong.

• Who – Asset

• How – Threat

• Why – Vulnerability

Some definitions:

• Risk = LHOT x Impact

• Risk = f (AV, LHOT, LOV)

(Diagram: Risk at the centre, linked to Who, How and Why)

Page 11: Formal Risk Assessment

• Formal: a measurable and comparable methodology

• Structured: following a defined and approved process

• PCI DSS names the following: ISO 27005, NIST SP 800-30, OCTAVE

Page 12: Requirement 12.1.2

Requirement 12.1.2 mandates formal risk assessment on an annual basis.

But:

• What is the actual intent behind this requirement?

• Can risk assessment help simplify compliance?

Page 13: Benefits of Risk Assessment

• Identify areas where stored CHD is not fundamental to the business and can be removed

• Segmentation of the sensitive CDE from non-sensitive parts of the network

• Keep pace with the changing business environment and identify new threats

• Make decisions on future resource investments

• The most critical risks are addressed first

The slide groups these benefits under three headings: PCI Scope Reduction, Proactive Threat Identification, Prioritized Mitigation.

Page 14: Risk Assessment and the Prioritized Approach

• PCI DSS Prioritized Approach

  – A series of 6 Milestones to help organizations pursuing PCI compliance for the first time

  – Also relevant to PCI re-certifications, as business landscapes are subject to change over the year

• Milestone 1

  – A formal risk assessment process is to be implemented to identify threats and vulnerabilities

Page 15: Continuous Risk Assessment

• Keep up with the changing business landscape

  – New business processes, departments

  – Acquisitions and mergers

  – New ventures

• Accurate identification of entities

  – Since data is appended to the RA as and when it is available, the identification phase of the RA is done accurately.

Page 16: Implementation

Page 17: Choosing the right RA Methodology

ISO 27005

• Widely accepted methodology

• Technology, people and process RA

NIST SP 800-30 (Rev 1)

• Most suited for technology RA

• Aligned with Common Criteria

OCTAVE

• 8 processes

• Most suited for process RA

• Based on people’s knowledge

Page 18: Implementation: Team Building

Led by a person with knowledge of

• PCI DSS

• The risk assessment methodology used by the organization

Representatives from all departments

• HR, Marketing, IT, Information Security, etc.

Page 19: Implementation: Risk Identification

Context Establishment

• Organizational hierarchy, business processes, CHD flow

Asset Identification

• Asset owner and asset value must be identified

• All payment channels must be taken as assets

Page 20: Implementation: Risk Identification

Threat Identification

• Different perspectives must be taken into account

• Measurement: Capability, Intent, Relevance, Likelihood of Occurrence, Impact

Vulnerability Identification

• Organizational vulnerabilities: policy and procedure review

• Technical vulnerabilities: VA-PT, firewall rule review, secure code review

Page 21: Implementation: Risk Profiling

(Diagram: Asset, Threat and Vulnerability combine into Risk)

Risk Evaluation

• Quantitative

• Qualitative

Risk Treatment

• Reduction

• Transference

• Avoidance

• Acceptance
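The two risk definitions from the Understanding Risk slide and the profiling, evaluation and treatment steps on this slide, carried through as an added Python example (not code from the webinar or from SMART-RA). It assumes AV, LHOT and LOV stand for asset value, likelihood of threat and level of vulnerability, that f is their product, and that the 1..5 scales, the High/Medium/Low thresholds, the treatment policy and the sample register are all constructed for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Scenario:
    asset: str                  # the "who": a payment channel or other in-scope asset
    threat: str                 # the "how"
    vulnerability: str          # the "why"
    av: int                     # asset value (AV) on a constructed 1..5 scale
    lhot: int                   # likelihood of threat (LHOT), 1..5
    lov: int                    # level of vulnerability (LOV), 1..5
    impact: int                 # impact if the threat materialises, 1..5
    removable: bool = False     # stored CHD is not fundamental to the business
    transferable: bool = False  # a third party could carry the risk
def check_scale(*values):
    if any(not 1 <= v <= 5 for v in values):
        raise ValueError(f"scale values {values} outside 1..5")
def risk_lhot_impact(s):  # Risk = LHOT x Impact (first definition on the slide)
    check_scale(s.lhot, s.impact)
    return s.lhot * s.impact
def risk_av_lhot_lov(s):  # Risk = f(AV, LHOT, LOV); f is assumed here to be the product
    check_scale(s.av, s.lhot, s.lov)
    return s.av * s.lhot * s.lov
def qualitative(score, scale_max):  # bucket a quantitative score into thirds of its range
    frac = score / scale_max
    return "High" if frac > 2 / 3 else "Medium" if frac > 1 / 3 else "Low"
def treatment(s, level):  # one of the slide's four options; the mapping is this example's policy
    if level == "High" and s.removable:
        return "Avoidance"  # remove the CHD and the asset drops out of PCI scope
    if level == "High" and s.transferable:
        return "Transference"
    if level in ("High", "Medium"):
        return "Reduction"
    return "Acceptance"
def profile(scenarios):  # score every scenario and rank so the most critical risks come first
    rows = []
    for s in scenarios:
        score = risk_av_lhot_lov(s)
        level = qualitative(score, 5 * 5 * 5)
        rows.append((s.asset, score, risk_lhot_impact(s), level, treatment(s, level)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample register; every value here is illustrative only.
SAMPLE = [
    Scenario("E-commerce gateway", "Web app attack", "Unpatched app server", 5, 5, 5, 5, transferable=True),
    Scenario("Call-centre order desk", "Insider misuse", "Unmasked PAN on screen", 4, 3, 4, 4),
    Scenario("Legacy archive DB", "Data theft", "Stored CHD no longer needed", 5, 4, 5, 5, removable=True),
    Scenario("Kiosk terminal", "Tampering", "Tamper seals in place", 2, 2, 1, 3),
]
if __name__ == "__main__":
    for asset, score, simple, level, action in profile(SAMPLE):
        print(f"{score:3d} {level:6s} {asset:22s} LHOTxImpact={simple:2d} -> {action}")
```

Running it prints the register ranked by the f(AV, LHOT, LOV) score, with the simpler LHOT x Impact score alongside so the two definitions can be compared per asset.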

Page 22: Third Party Risks

• Third parties may be service providers, BPOs, third party merchants, etc.

• E.g. application developers, data center providers, web hosting providers, etc.

• Third parties may

  – Introduce risk

  – Manage risk

  – Share risk

Page 23: Reporting

• Version History

• Executive Summary

Page 24: Critical Success Factors

• Correct Identification

• Proactive Approach

• Keep it Simple

• Training

Page 25: Next Webinar

• Practical Implementation of Formal Risk Assessment (for PCI, HIPAA, ISO 27001), based on the theoretical concepts covered in today’s webinar

• Date: 5th February, 2012

• 9:00 to 10:00 am PST

Page 26: Questions

Page 27: Thank You

Please send us your feedback to [email protected]