SMART ® logo is the registered Trademark of SISA Information Security. SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.
SISA Information Security is part of SISA Worldwide
smart-ra.com
Risk Assessment for PCI 12.1.2
How To Do A Formal Risk Assessment as per PCI Requirement 12.1.2 (Version 2.0)
Agenda
• Understand Requirement 12.1.2 of PCI (Version 2.0)
• Overview of the methodologies: ISO 27005, OCTAVE and NIST SP 800-30
• How to do a formal Risk Assessment as per 12.1.2 of PCI
• Case Study Walkthrough
Requirement 12.1.2
Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology:
“Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”
What is a Formal, Structured Methodology?
• Formal => a measurable and comparable methodology, so that risk ratings mean the same thing across assessments and across assessors
• Structured => following a defined and approved process
• PCI DSS 2.0 names the following risk assessment methodologies as examples (the requirement says "include but are not limited to", so other documented methodologies are acceptable):
 - ISO 27005
 - NIST SP 800-30
 - OCTAVE
ISO 27005
(Process diagram; source: ISO 27005 Risk Management Standard)
OCTAVE
(Process diagram; source: OCTAVE Risk Assessment Methodology)
NIST SP 800-30
(Process diagram; source: Risk Management Guide for IT Systems - NIST)
Common Risk Assessment Flow
(Flow diagram; the stages shared by the three methodologies:)
• General Description of ISRA (information security risk assessment)
• Risk Analysis: Risk Identification
• Risk Analysis: Risk Estimation and Evaluation
• Risk Treatment
How to do a formal Risk Assessment: steps
(Step diagram repeated on the following slides, in the order the slides walk through it:)
Scope -> Asset -> Threat -> Vulnerabilities -> Risk Profiling -> Risk Treatment Plan -> Results Documentation
Scope
• Physical location – building, room, etc.
• Data center
• Business process
• Business division
Asset Review
• Cardholder Data
• Sensitive Authentication Data
• IVR
• Web Payments (Merchants)
• Customer Services – Call Centers
Threat Review
• Hacker exploits insecure communication channels to POS
• Theft / destruction of media or documents
• Corruption of data
• CSRF attack
Vulnerability Review
• Employee disclosure
• Sensitive authentication data is stored unencrypted
• No quarterly review of firewall rules
• XSS vulnerability
Risk Profiling
• Risk Score = f(Asset Value, LHOT, LOV), where LHOT is the likelihood rating assigned to the threat in the Threat Review and LOV is the rating assigned to the vulnerability in the Vulnerability Review
• Calculated after taking the Risk Evaluation and Risk Acceptance Criteria into account
• Revised Risk Score = Risk Score after
 - evaluating existing controls
 - applying new controls
Risk Treatment Plan
• Choose one of four options for each risk: Treat / Tolerate / Terminate / Transfer
• Take action if Treat or Transfer
• Obtain (and record) approval if Tolerate or Terminate
Results Documentation
Document each A-T-V (Asset-Threat-Vulnerability) combination with its associated risk:
• Calculation of risk
• RTP (risk treatment plan option chosen)
• Action taken
Case Study
• Company background – Wise Bank
• PCI-related environment – payment channels include:
 i. Online store
 ii. Retail outlets
 iii. Self-service kiosks
 iv. Payments over mobile
 v. Drop boxes
 vi. Call center
Example for one ‘A-T-V’ combination
Asset Name: Online Payment Process
 Supporting assets: Apache Web Server, EOS App Server, Oracle 10G DB
Threat: Insider sniffing the traffic
 Threat properties: Insider – Deliberate; LHOT: High
Vulnerability: App Server to Database Server traffic is in clear
 LOV: Medium
Risk: High
RTP: Treat
Action: Use OpenSSL to encrypt traffic from App Server to Database Server
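The Risk Profiling formula, the Revised Risk Score, the four treatment options and the Results Documentation fields, worked through on this A-T-V as an added example (this is illustrative code, not SMART-RA or SISA code). The slides define the score only as f(Asset Value, LHOT, LOV); the ordinal product used for f, its Low/Medium/High banding, the asset value of High, and the assumption that encrypting the link lowers LOV by two levels are all assumptions made here.

```python
"""A-T-V risk scoring and treatment, as a worked example.
Added illustration, not SMART-RA or SISA code. The slides only state
Risk Score = f(Asset Value, LHOT, LOV); the ordinal-product model, the
Low/Medium/High banding and the control effects below are assumptions."""
from dataclasses import dataclass, field, replace

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
TREATMENT_OPTIONS = ("Treat", "Tolerate", "Terminate", "Transfer")

def band(score: int) -> str:
    """Assumed banding of the 1..27 product score into a risk rating."""
    if score <= 4:
        return "Low"
    if score <= 12:
        return "Medium"
    return "High"

def risk_score(asset_value: str, lhot: str, lov: str) -> int:
    """Risk Score = f(Asset Value, LHOT, LOV); here f is the ordinal product."""
    return LEVELS[asset_value] * LEVELS[lhot] * LEVELS[lov]

def reduce_level(level: str, steps: int) -> str:
    """Lower a Low/Medium/High rating by `steps`, never below Low."""
    return NAMES[max(1, LEVELS[level] - steps)]

@dataclass
class Control:
    name: str
    lhot_reduction: int = 0  # levels by which the control lowers LHOT
    lov_reduction: int = 0   # levels by which it lowers LOV

@dataclass
class ATV:
    """One Asset-Threat-Vulnerability combination in the risk register."""
    asset: str
    supporting_assets: list
    asset_value: str
    threat: str
    threat_property: str
    lhot: str
    vulnerability: str
    lov: str
    existing_controls: list = field(default_factory=list)
    new_controls: list = field(default_factory=list)

    def score(self) -> int:
        return risk_score(self.asset_value, self.lhot, self.lov)

    def revised_score(self) -> int:
        """Risk Score after evaluating existing and applying new controls."""
        lhot, lov = self.lhot, self.lov
        for c in self.existing_controls + self.new_controls:
            lhot = reduce_level(lhot, c.lhot_reduction)
            lov = reduce_level(lov, c.lov_reduction)
        return risk_score(self.asset_value, lhot, lov)

def treatment_record(atv: ATV, option: str, action: str = "", approver: str = "") -> dict:
    """Results Documentation row: A-T-V, risk calculation, RTP, action taken.
    RTP rule from the slides: Treat/Transfer need an action, Tolerate/Terminate an approval."""
    if option not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment option {option!r}")
    if option in ("Treat", "Transfer") and not action:
        raise ValueError(f"{option} requires an action to be taken")
    if option in ("Tolerate", "Terminate") and not approver:
        raise ValueError(f"{option} requires an approval")
    return {
        "asset": atv.asset,
        "threat": atv.threat,
        "vulnerability": atv.vulnerability,
        "risk_score": atv.score(),
        "risk": band(atv.score()),
        "revised_risk_score": atv.revised_score(),
        "revised_risk": band(atv.revised_score()),
        "rtp": option,
        "action_taken": action,
        "approved_by": approver,
    }

# Constructed from the Wise Bank case-study slide; the asset value is assumed.
ONLINE_PAYMENT = ATV(
    asset="Online Payment Process",
    supporting_assets=["Apache Web Server", "EOS App Server", "Oracle 10G DB"],
    asset_value="High",
    threat="Insider sniffing the traffic",
    threat_property="Insider - Deliberate",
    lhot="High",
    vulnerability="App Server to Database Server is in clear",
    lov="Medium",
)

def case_study() -> dict:
    """Score the A-T-V, apply the slide's chosen control, and document it."""
    encrypt = Control("Use OpenSSL to encrypt App Server to Database Server "
                      "traffic", lov_reduction=2)  # assumed: closes the vulnerability
    treated = replace(ONLINE_PAYMENT, new_controls=[encrypt])
    return treatment_record(treated, "Treat", action=encrypt.name)
```

Run `case_study()` to get the Results Documentation row: the initial score is 18 (High), the revised score after the encryption control is 9 (Medium), and calling `treatment_record(..., "Tolerate")` without an approver raises, which is the approval rule enforced in code. The thresholds and control effects are exactly what an organization has to fix in its written risk acceptance criteria; pinning them down is what makes the method measurable and comparable, i.e. "formal" in the sense used earlier in the deck.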
Results Documentation
(Screenshot of the results documentation; source: SMART-RA for PCI (v4.8.2))
Questions?
• Join the IS-RA group on LinkedIn.
• The Personal Edition of SMART-RA is free. Sign up on smart-ra.com
Dharshan (Dash), Email: [email protected]