Excellent response to SISA's webinar on the "New Risk Assessment Guidelines issued by the PCI Council". Yet another delivery by Dharshan Shanthamurthy showcasing outstanding depth of subject matter knowledge.
SISA Training Calendar : http://www.sisainfosec.com/site/page/17/48
SISA's Webinar on New Guidelines from PCI Council on Risk Assessment
1. SISA Monthly Webinar – January 2013
www.sisainfosec.com
Presented by www.sisainfosec.com and Free Formal Risk Assessment tool www.smart-ra.com
2. Housekeeping
• Questions are welcome at all times during the webinar.
• Please type into the chat window.
4. About SISA
Customers in 25 Countries
Services – Training – Products
• SISA Information Security Inc., Americas
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security WLL, EMEA
Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms
5. About SISA
Consulting
• PCI DSS: PCI DSS Implementation
• PCI QSA Validation Services (PCI-DSS)
• PCI ASV Scanning Services (PCI-DSS)
• PCI Assurance Services (SAQ)
• PA DSS: PA QSA Validation Services (PA-DSS)
• Advisory: Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in Dot-Net
• Awareness Sessions
Products
• SMART-RA.COM – Formal Risk Assessment tool
6. About Dharshan
DHARSHAN SHANTHAMURTHY
• CEO, SISA Information Security
• Proposer and Lead - Special Interest Group on Risk Assessment with the PCI Council
• Dharshan has been a lead trainer for over 125 information security workshops on varied topics including Data Protection, Compliance, Risk Assessment and Application Security
• Dharshan has been an evangelist of formal risk assessment and has developed a free formal risk assessment tool, www.smart-ra.com.
• LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
7. SISA and the Risk Assessment SIG
• Special Interest Groups (SIG) at the PCI Council
• SISA’s role in the Risk Assessment SIG
• Drafting the Risk Assessment Guidelines Document
8. Intent of the Guidelines Document
• Objective
– Supplementary Guidance for Requirement 12.1.2
– Does not replace any PCI DSS requirement
• Target Audience
– Any organization that stores, processes or transmits CHD
– e.g. Merchants, Service Providers, Banks, Issuers
9. Risk Assessment and PCI Compliance
10. Understanding Risk
Risk is a consideration of the who, how and why of things going wrong.
• Who – Asset
• How – Threat
• Why – Vulnerability
(Diagram: Risk at the centre, surrounded by Who, How and Why)
• Some Definitions
• Risk = LHOT x Impact
• Risk = f (AV, LHOT, LOV)
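The two definitions on this slide become useful once they are applied to an asset register and the results are ranked, which is also what the later slides on asset identification (owner and value per asset) and prioritized mitigation (most critical risks first) ask for. The following is an added example, not code from the deck or from smart-ra.com: it scores a small constructed register on a 1–5 scale with Risk = LHOT x Impact and with a product form of f(AV, LHOT, LOV), and sorts the entries for treatment. The product as the choice of f, the five-point scale, and all asset names, owners and scores are assumptions made for the illustration.

```python
# Added example (not from the SISA deck or smart-ra.com): a minimal formal
# risk register applying the two definitions quoted on the slide,
#   Risk = LHOT x Impact          (LHOT = likelihood of threat occurrence)
#   Risk = f(AV, LHOT, LOV)       (AV = asset value, LOV = likelihood of vulnerability)
# on a 1..5 qualitative scale, then ranking entries so the most critical
# risks are addressed first. All sample data below is constructed.
from dataclasses import dataclass

SCALE = range(1, 6)  # 1 = very low ... 5 = very high (assumed scale)


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # e.g. a payment channel (the deck treats every channel as an asset)
    owner: str          # asset owner, which the deck says must be identified
    threat: str
    vulnerability: str
    av: int             # asset value
    lhot: int           # likelihood of threat occurrence
    lov: int            # likelihood that the vulnerability can be exercised
    impact: int


def check_scale(entry: RiskEntry) -> None:
    """Reject scores outside the agreed scale so that results stay comparable."""
    for name in ("av", "lhot", "lov", "impact"):
        value = getattr(entry, name)
        if value not in SCALE:
            raise ValueError(f"{name}={value} for {entry.asset!r} is outside 1..5")


def risk_simple(entry: RiskEntry) -> int:
    """Risk = LHOT x Impact (first definition on the slide)."""
    check_scale(entry)
    return entry.lhot * entry.impact


def risk_full(entry: RiskEntry) -> int:
    """Risk = f(AV, LHOT, LOV); the product is one common choice of f
    (an assumption, the slide does not fix the function)."""
    check_scale(entry)
    return entry.av * entry.lhot * entry.lov


def prioritize(entries, score=risk_full):
    """Return (score, entry) pairs, highest risk first: prioritized mitigation."""
    return sorted(((score(e), e) for e in entries), key=lambda p: p[0], reverse=True)


# Constructed register: four assets of a fictional merchant.
SAMPLE_REGISTER = [
    RiskEntry("POS terminals", "Retail Operations", "card skimming",
              "unpatched terminal firmware", av=5, lhot=3, lov=4, impact=5),
    RiskEntry("E-commerce web application", "Digital Channels", "SQL injection",
              "no secure code review", av=5, lhot=4, lov=4, impact=5),
    RiskEntry("Call-centre call recordings", "Customer Service", "insider disclosure",
              "CHD not masked in recordings", av=4, lhot=2, lov=3, impact=4),
    RiskEntry("Test environment", "QA", "data leakage",
              "live CHD stored where not needed", av=3, lhot=3, lov=5, impact=4),
]


def ranked_assets(entries=SAMPLE_REGISTER, score=risk_full):
    """Asset names in treatment order, for reporting."""
    return [e.asset for _, e in prioritize(entries, score)]


if __name__ == "__main__":
    for value, e in prioritize(SAMPLE_REGISTER):
        print(f"{value:3d}  {e.asset:<30} owner={e.owner:<18} "
              f"simple={risk_simple(e):2d}  threat={e.threat}")
```

Running the block prints the register in treatment order; the test-environment entry shows how the register also feeds scope reduction, since its vulnerability ("live CHD stored where not needed") is exactly the kind of finding the deck says can be removed rather than protected.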
11. Formal Risk Assessment
• Formal: A measurable and comparable methodology
• Structured: following a defined and approved process
• PCI DSS names the following: ISO 27005, NIST SP 800-30, OCTAVE
12. Requirement 12.1.2
Requirement 12.1.2 mandates formal risk assessment on an annual basis.
But
• What is the actual intent behind this requirement?
• Can risk assessment help simplify compliance?
13. Benefits of Risk Assessment
PCI Scope Reduction
• Identify areas where stored CHD is not fundamental to business and can be removed
• Segmentation of sensitive CDE from non-sensitive parts of the network
Proactive Threat Identification
• Keep pace with changing business environment and identify new threats
• Make decisions on future resource investments
Prioritized Mitigation
• Most critical risks are addressed first
14. Risk Assessment and the Prioritized Approach
• PCI DSS Prioritized Approach
– A series of 6 Milestones to help organizations pursuing PCI compliance for the first time
– Also relevant to PCI re-certifications, as business landscapes are subject to change over the year
• Milestone 1
– A formal risk assessment process is to be implemented to identify threats and vulnerabilities
15. Continuous Risk Assessment
• Keep up with changing business landscape
– New business processes, departments
– Acquisitions and mergers
– New ventures
• Accurate Identification of Entities
– Since data is appended to the RA as and when it is available, the identification phase of the RA is done accurately.
17. Choosing the right RA Methodology
ISO 27005
• Widely Accepted Methodology
• Technology, People and Process RA
NIST SP 800-30 (Rev 1)
• Most suited for Technology RA
• Aligned with Common Criteria
OCTAVE
• 8 processes
• Most suited for process RA
• Based on people’s knowledge
18. Implementation: Team Building
Representatives from all departments
• HR, Marketing, IT, Information Security, etc.
Led by a person with knowledge of
• PCI DSS
• Risk assessment methodology used by the organization
19. Implementation: Risk Identification
Context Establishment
• Organizational hierarchy, business processes, CHD flow
Asset Identification
• Asset Owner and Asset Value must be identified
• All Payment Channels must be taken as assets
20. Implementation: Risk Identification
Threat Identification
• Different perspectives must be taken into account
• Measurement: Capability, Intent, Relevance, Likelihood of Occurrence, Impact
Vulnerability Identification
• Organizational Vulnerabilities: Policy-Procedure review
• Technical Vulnerabilities: VA-PT, firewall rule review, secure code review
22. Third Party Risks
• Third Parties may be Service Providers, BPOs, Third Party Merchants, etc.
• e.g. Application developers, Data center providers, Web hosting providers, etc.
• Third Parties may
– Introduce Risk
– Manage Risk
– Share Risk
23. Reporting
• Version History
• Executive Summary
24. Critical Success Factors
• Correct Identification
• Proactive Approach
• Keep it Simple
• Training
25. Next Webinar
• Practical Implementation of Formal Risk Assessment (for PCI, HIPAA, ISO 27001), based on the theoretical concepts covered in today’s webinar
• Date: 5th February, 2012
• 9:00 to 10:00 am PST
27. Thank You
Please send us your feedback to praveen.v@sisainfosec.com