SISA's Webinar on New Guidelines from PCI Council on Risk Assessment
SISA Monthly Webinar – January 2013
                            www.sisainfosec.com
Presented by www.sisainfosec.com and Free Formal Risk Assessment tool www.smart-ra.com
Housekeeping

 • Questions are welcome at all times during the webinar.
 • Please type into the chat window.
Introductions
About SISA

Customers in 25 Countries
Services – Training – Products
 • SISA Information Security Inc., Americas
 • SISA Information Security Pvt Ltd, Asia
 • SISA Information Security WLL, EMEA
Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms
About SISA

Consulting
 PCI DSS
 • PCI QSA Validation Services (PCI-DSS)
 • PCI ASV Scanning Services (PCI-DSS)
 • PCI Assurance Services (SAQ)
 PA DSS
 • PA QSA Validation Services (PA-DSS)
 Advisory
 • Risk Assessment (IS-RA)
 • Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
 • Application Pen Test and Code Review
 • Network VA and Pen Test
 • Forensics

Training
 • CPISI – PCI DSS Implementation
 • CISRA – Risk Assessment Implementation
 • OCTAVE (SEI-CMU) Security Risk Assessment Workshop
 • ISO 27001 Implementation Workshop
 • Business Continuity Management Workshop
 • Secure Coding in Dot-Net
 • Awareness Sessions

Products
 • SMART-RA.COM – Formal Risk Assessment tool
About Dharshan

DHARSHAN SHANTHAMURTHY
 • CEO, SISA Information Security
 • Proposer and Lead - Special Interest Group on Risk Assessment with the PCI Council
 • Dharshan has been a lead trainer for over 125 information security workshops on varied topics including Data Protection, Compliance, Risk Assessment and Application Security
 • Dharshan has been an evangelist of formal risk assessment and has developed a free formal risk assessment tool www.smart-ra.com.
 • LinkedIn: http://www.linkedin.com/in/dharshanshanthamurthy
SISA and the Risk Assessment SIG

 • Special Interest Groups (SIG) at the PCI Council
 • SISA’s role in the Risk Assessment SIG
 • Drafting the Risk Assessment Guidelines Document
Intent of the Guidelines Document

 • Objective
     – Supplementary Guidance for Requirement 12.1.2
     – Does not replace any PCI DSS requirement

 • Target Audience
     – Any organization that stores, processes or transmits CHD
     – e.g. Merchants, Service Providers, Banks, Issuers
Risk Assessment and PCI Compliance
Understanding Risk

Risk is a consideration of the who, how and why of things going wrong.
 • Who – Asset
 • How – Threat
 • Why – Vulnerability
[Diagram: Who, How and Why arranged around Risk]

 • Some Definitions
     • Risk = LHOT × Impact
     • Risk = f (AV, LHOT, LOV)
Formal Risk Assessment

 • Formal: A measurable and comparable methodology
 • Structured: following a defined and approved process.
 • PCI DSS names the following: ISO 27005, NIST SP 800-30, OCTAVE
Requirement 12.1.2

Requirement 12.1.2 mandates formal risk assessment on an annual basis.

But
 • What is the actual intent behind this requirement?
 • Can risk assessment help simplify compliance?
Benefits of Risk Assessment

 PCI Scope Reduction
 • Identify areas where stored CHD is not fundamental to business and can be removed
 • Segmentation of sensitive CDE from non-sensitive parts of the network

 Proactive Threat Identification
 • Keep pace with changing business environment and identify new threats
 • Make decisions on future resource investments

 Prioritized Mitigation
 • Most critical risks are addressed first
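The scope-reduction benefit above depends on first finding where card data is actually stored. The following is an added example, not part of the SISA deck or of SMART-RA: a small Python scanner that picks out candidate PANs with a digit pattern, confirms them with the Luhn check so that order numbers and other digit runs are not reported, and records only masked values (first six and last four digits). The file names and their contents are constructed sample data, and the 13 to 19 digit range, the separator handling and the refusal of longer digit runs are this example's own assumptions.

```python
"""Added example: locate stored cardholder data (PAN) to support PCI scope reduction.

Not from the SISA webinar or SMART-RA. The sample files below are constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# The look-arounds refuse runs that continue with more digits, so a 20-digit
# identifier is not reported as a 19-digit card number (assumption of this example).
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


class Finding(NamedTuple):
    source: str      # file or stream the PAN was found in
    line_no: int     # 1-based line number
    masked_pan: str  # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: true for every real PAN, false for most random digit runs."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Return Luhn-valid PAN candidates found in text, line by line, masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan several in-memory files; on disk you would open each path and read it."""
    findings: list[Finding] = []
    for name, content in files.items():
        findings.extend(scan_text(name, content))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """PAN count per source: the list of places where CHD storage must be justified or removed."""
    counts: dict[str, int] = {}
    for finding in findings:
        counts[finding.source] = counts.get(finding.source, 0) + 1
    return counts


# Constructed sample data. The card numbers are the well-known public test
# numbers 4111 1111 1111 1111 and 5500 0000 0000 0004; the 16-digit order and
# reference numbers are not Luhn-valid and must not be reported.
SAMPLE_FILES = {
    "orders.csv": (
        "order_id,customer,pan,amount\n"
        "1000000000000001,alice,4111 1111 1111 1111,19.99\n"
        "1000000000000002,bob,5500-0000-0000-0004,5.00\n"
    ),
    "app.log": (
        "2013-01-15 09:12:03 INFO auth ok user=carol card=4111111111111111\n"
        "2013-01-15 09:12:04 INFO txn ref=1234567890123456 status=approved\n"
    ),
}

if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(f"{finding.source}:{finding.line_no}: {finding.masked_pan}")
    print(summarize(scan_files(SAMPLE_FILES)))
```

Run against the constructed files it reports the two card numbers in orders.csv and the one in app.log, and nothing for the order and reference numbers. The log hit is the kind of finding that drives scope reduction: an application writing full PANs into its log has put the log server in the CDE, and removing that line of code is cheaper than protecting the server.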
Risk Assessment and the Prioritized Approach

 • PCI DSS Prioritized Approach
     – A series of 6 Milestones to help organizations pursuing PCI compliance for the first time
     – Also relevant to PCI re-certifications, as business landscapes are subject to change over the year

 • Milestone 1
     – A formal risk assessment process is to be implemented to identify threats and vulnerabilities
Continuous Risk Assessment

 • Keep up with changing business landscape
     – New business processes, departments
     – Acquisitions and mergers
     – New ventures

 • Accurate Identification of Entities
     – Since data is appended to the RA as and when it is available, the identification phase of the RA is done accurately.
Implementation
Choosing the right RA Methodology

 ISO 27005
 • Widely Accepted Methodology
 • Technology, People and Process RA

 NIST SP 800-30 (Rev 1)
 • Most suited for Technology RA
 • Aligned with Common Criteria

 OCTAVE
 • 8 processes
 • Most suited for process RA
 • Based on people’s knowledge
Implementation: Team Building

Representatives from all departments
 • HR, Marketing, IT, Information Security, etc.

Led by a person with knowledge of
 • PCI DSS
 • Risk assessment methodology used by the organization
Implementation: Risk Identification

Context Establishment
 • Organizational hierarchy, business processes, CHD flow.

Asset Identification
 • Asset Owner, Asset Value must be identified
 • All Payment Channels must be taken as assets
Implementation: Risk Identification

Threat Identification
 • Different perspectives must be taken into account
 • Measurement: Capability, Intent, Relevance, Likelihood of Occurrence, Impact.

Vulnerability Identification
 • Organizational Vulnerabilities: Policy-Procedure review
 • Technical Vulnerabilities: VA-PT, firewall rule review, secure code review
Implementation: Risk Profiling

[Diagram: Threat, Asset and Vulnerability combine into Risk]

Risk Evaluation
 • Quantitative
 • Qualitative

Risk Treatment
 • Reduction
 • Transference
 • Avoidance
 • Acceptance
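The Understanding Risk slide defines Risk = f (AV, LHOT, LOV), and the three implementation slides above list the inputs (asset owner and value, threat capability, intent, relevance and likelihood, vulnerabilities from VA-PT or policy review) and the outputs (a comparable evaluation and one of four treatments). The following is an added example, not part of the SISA deck, of SMART-RA or of the PCI SSC guideline, that carries those pieces through in Python on a small constructed register and ranks it so the most critical risks come first. The 1 to 5 scales, the product form of the risk function, the derivation of LHOT as the rounded-up mean of capability, intent and relevance, the appetite threshold RISK_APPETITE and the treatment decision rule in choose_treatment are all assumptions of this example, and every asset, threat and vulnerability in it is made up.

```python
"""Added example: a formal, comparable risk register for a PCI DSS assessment.

Not from the SISA webinar, SMART-RA or the PCI SSC guideline. Scales, formula,
threshold, decision rule and all register entries are assumptions of this example.
"""
from __future__ import annotations

import math
from dataclasses import dataclass

SCALE = range(1, 6)   # ordinal ratings 1 (very low) .. 5 (very high), assumed
RISK_APPETITE = 27    # hypothetical: scores at or below this may be accepted


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str               # asset owner, which the deck requires to be identified
    value: int               # AV: asset value on the 1..5 scale
    business_critical: bool  # False: the CHD or channel could be dropped (scope reduction)


@dataclass(frozen=True)
class Threat:
    name: str
    capability: int
    intent: int
    relevance: int

    @property
    def likelihood(self) -> int:
        """LHOT, assumed here as the rounded-up mean of capability, intent and relevance."""
        return math.ceil((self.capability + self.intent + self.relevance) / 3)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    source: str              # how it was found: VA-PT, firewall rule review, code or policy review
    likelihood: int          # LOV: likelihood the weakness is exploited, 1..5
    control_available: bool  # a practical reducing control exists


@dataclass(frozen=True)
class RiskItem:
    asset: Asset
    threat: Threat
    vulnerability: Vulnerability
    score: int
    treatment: str


def check_scale(*levels: int) -> None:
    """Reject ratings outside the scale so scores stay comparable across assessors."""
    for level in levels:
        if level not in SCALE:
            raise ValueError(f"rating {level} is outside the 1..5 scale")


def risk_score(asset: Asset, threat: Threat, vuln: Vulnerability) -> int:
    """Risk = f(AV, LHOT, LOV), instantiated as a product with range 1..125."""
    check_scale(asset.value, threat.capability, threat.intent, threat.relevance, vuln.likelihood)
    return asset.value * threat.likelihood * vuln.likelihood


def choose_treatment(asset: Asset, vuln: Vulnerability, score: int) -> str:
    """Example decision rule mapping a score to one of the four treatment options."""
    if score <= RISK_APPETITE:
        return "Acceptance"
    if vuln.control_available:
        return "Reduction"
    if not asset.business_critical:
        return "Avoidance"      # remove the data or channel rather than protect it
    return "Transference"       # e.g. contract a validated service provider, insure


def build_register(items: list[tuple[Asset, Threat, Vulnerability]]) -> list[RiskItem]:
    """Score every (asset, threat, vulnerability) triple and rank it, highest risk first."""
    register = []
    for asset, threat, vuln in items:
        score = risk_score(asset, threat, vuln)
        register.append(RiskItem(asset, threat, vuln, score, choose_treatment(asset, vuln, score)))
    return sorted(register, key=lambda item: item.score, reverse=True)


# Constructed register entries (hypothetical assets, threats and vulnerabilities).
pos = Asset("POS terminals", "Retail Operations", 5, True)
web = Asset("E-commerce web application", "Online Sales", 5, True)
gateway = Asset("Hosted payment page integration", "Finance", 5, True)
recordings = Asset("Call-centre recordings containing full PAN", "Customer Service", 4, False)
marketing = Asset("Marketing website (no CHD)", "Marketing", 2, True)

SAMPLE_ITEMS = [
    (pos, Threat("Card-skimming malware", 4, 5, 5),
     Vulnerability("Unpatched POS operating system", "VA-PT", 4, True)),
    (web, Threat("Web application attacker", 4, 4, 5),
     Vulnerability("Parameterised queries not enforced", "secure code review", 2, True)),
    (gateway, Threat("Compromise of hosting provider", 3, 3, 4),
     Vulnerability("No visibility into provider patching", "third-party review", 2, False)),
    (recordings, Threat("Malicious insider", 3, 2, 3),
     Vulnerability("Recordings kept beyond business need", "policy review", 3, False)),
    (marketing, Threat("Opportunistic defacement", 3, 3, 2),
     Vulnerability("Outdated CMS plugin", "VA-PT", 3, True)),
]

if __name__ == "__main__":
    for item in build_register(SAMPLE_ITEMS):
        print(f"{item.score:>3}  {item.treatment:<12} {item.asset.name} / "
              f"{item.threat.name} / {item.vulnerability.name}")
```

Because every rating is validated against one scale and the score is a fixed function of the inputs, two assessors who agree on the ratings get the same ranking, which is what makes the assessment formal in the deck's sense (measurable and comparable). The call-centre recordings entry shows why business_critical is an input: data that is not fundamental to the business ends up in Avoidance, i.e. deletion and scope reduction, rather than in a control that would have to be maintained and re-assessed every year.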
Third Party Risks

 • Third Parties may be Service providers, BPOs, Third Party Merchants, etc.
 • e.g. Application developers, Data center providers, Web hosting providers, etc.

 • Third Parties may
     • Introduce Risk
     • Manage Risk
     • Share Risk
Reporting

 • Version History
 • Executive Summary
Critical Success Factors

 • Correct Identification
 • Proactive Approach
 • Keep it Simple
 • Training
Next Webinar

 • Practical Implementation of Formal Risk Assessment (for PCI, HIPAA, ISO 27001), based on the theoretical concepts covered in today’s webinar
 • Date: 5th February, 2012
 • 9:00 to 10:00 am PST
Questions
Thank You

Please send us your feedback to praveen.v@sisainfosec.com
