Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2


Upload: smart-assessment

Post on 06-May-2015


TRANSCRIPT

Page 1: Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2

SMART ® logo is the registered Trademark of SISA Information Security. SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.

SISA Information Security is part of SISA Worldwide

smart-ra.com

Risk Assessment for PCI 12.1.2

How To Do A Formal Risk Assessment as per PCI Requirement 12.1.2 (Version 2.0)

Page 2: Agenda

• Understand Requirement 12.1.2 of PCI DSS (Version 2.0)

• Overview of the methodologies – ISO 27005, OCTAVE and NIST SP 800-30

• How to do a formal risk assessment as per 12.1.2 of PCI DSS

• Case study walkthrough

Page 3: Requirement 12.1.2

Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology:

“Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”

Page 4: What is a Formal, Structured Methodology?

• Formal => a measurable and comparable methodology

• Structured => following a defined and approved process

• PCI DSS 2.0 names the following risk assessment methodologies (as examples, not an exhaustive list):

- ISO 27005
- NIST SP 800-30
- OCTAVE

Page 5: ISO 27005

[Process diagram] Source: ISO 27005 Risk Management Standard

Page 6: OCTAVE

[Process diagram] Source: OCTAVE Risk Assessment Methodology

Page 7: NIST SP 800-30

[Process diagram] Source: Risk Management Guide for IT Systems - NIST

Page 8: Common Risk Assessment Flow

Phases, as labelled on the diagram (ISO 27005 terminology):

• General description of ISRA (information security risk assessment)
• Risk analysis: risk identification
• Risk analysis: risk estimation and evaluation
• Risk treatment

Steps in the flow, in the order the following slides walk through them:

1. Scope
2. Asset
3. Threat
4. Vulnerabilities
5. Risk Profiling
6. Risk Treatment Plan
7. Results Documentation

Page 9: Scope

Examples of scoping units:

• Physical location – building, room, etc.
• Data center
• Business process
• Business division

Page 10: Asset Review

Examples of assets in a PCI environment:

• Cardholder data
• Sensitive authentication data
• IVR
• Web payments (merchants)
• Customer services – call centers

Page 11: Threat Review

Examples of threats:

• Hacker exploits insecure communication channels to POS
• Theft/destruction of media or documents
• Corruption of data
• CSRF attack

Page 12: Vulnerability Review

Examples of vulnerabilities:

• Employee disclosure
• Sensitive authentication data is stored unencrypted (note that PCI DSS v2.0 Requirement 3.2 prohibits storing sensitive authentication data after authorization at all, even encrypted, so the finding is the storage itself, not only the missing encryption)
• No quarterly review of firewall rules (PCI DSS v2.0 Requirement 1.1.6 requires a review at least every six months; a quarterly cycle is the organization's own, stricter, policy)
• XSS vulnerability

Page 13: Risk Profiling

Risk Score = f(Asset Value, LHOT, LOV), where LHOT is the likelihood of the threat occurring and LOV the level of the vulnerability (the labels used in the case study that follows).

• Calculated after taking the risk evaluation and risk acceptance criteria into account

Revised Risk Score = Risk Score after:

• Evaluating existing controls
• Applying new controls

Page 14: Risk Treatment Plan

• Options: Treat / Tolerate / Terminate / Transfer
• Take action if Treat or Transfer
• Obtain approval if Tolerate or Terminate

Page 15: Results Documentation

Document each A-T-V (Asset-Threat-Vulnerability) combination with its associated risk:

• Calculation of risk
• RTP (risk treatment plan)
• Action taken

Page 16: Case Study

• Company background – Wise Bank

• PCI-related environment – payment channels include:

i. Online store
ii. Retail outlets
iii. Self-service kiosks
iv. Payments over mobile
v. Drop boxes
vi. Call center

Page 17: Example for one A-T-V

Asset name: Online Payment Process
Supporting assets: Apache Web Server, EOS App Server, Oracle 10G DB
Threat: Insider sniffing the traffic
Threat properties: Insider – Deliberate; LHOT: High
Vulnerability: App Server to Database Server traffic is in clear; LOV: Medium
Risk: High
RTP: Treat
Action: Use OpenSSL to encrypt traffic from App Server to Database Server
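The profiling, treatment and documentation steps of pages 13 to 15 applied to this A-T-V, as an added example written for this transcript rather than SISA's or SMART-RA's own code. The slides do not define f, the Low/Medium/High band thresholds, the acceptance criterion, the asset value or how much the control changes LOV; the values used for those below are assumptions and are labelled as such in the code. The names ATV, Control, risk_score, band, recommend and document are this example's, not SMART-RA's.

```python
# Added example, not SISA/SMART-RA code: the A-T-V risk profiling, treatment
# and documentation steps from the slides, run on the page-17 case. Assumed
# (the slides do not define them): f = product of Low/Medium/High levels,
# the bands, the acceptance criterion, the asset value and control effects.
from dataclasses import dataclass, field

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
NAMES = {v: k for k, v in LEVELS.items()}
TREATMENTS = ("Treat", "Tolerate", "Terminate", "Transfer")

def risk_score(asset_value: str, lhot: str, lov: str) -> int:
    """Risk Score = f(Asset Value, LHOT, LOV); f assumed to be the product (1..27)."""
    return LEVELS[asset_value] * LEVELS[lhot] * LEVELS[lov]

def band(score: int) -> str:
    """Qualitative band for a product score (assumed thresholds)."""
    return "High" if score >= 12 else "Medium" if score >= 4 else "Low"

def lower(level: str, steps: int) -> str:
    """Reduce an ordinal level by `steps`, never below Low."""
    return NAMES[max(1, LEVELS[level] - steps)]

@dataclass
class Control:
    name: str
    reduces: str        # "LHOT" (threat likelihood) or "LOV" (vulnerability level)
    steps: int = 1      # assumed effect size, in ordinal steps

@dataclass
class ATV:
    asset: str
    supporting_assets: list
    asset_value: str
    threat: str
    threat_properties: str
    lhot: str
    vulnerability: str
    lov: str
    controls: list = field(default_factory=list)  # existing plus newly applied

    def revised_levels(self) -> tuple:
        """LHOT/LOV after evaluating existing and applying new controls."""
        lhot, lov = self.lhot, self.lov
        for c in self.controls:
            if c.reduces == "LHOT":
                lhot = lower(lhot, c.steps)
            else:
                lov = lower(lov, c.steps)
        return lhot, lov

def recommend(risk_band: str, acceptance: str = "Medium") -> str:
    """Acceptance criterion (assumed): risk at or below `acceptance` may be
    tolerated, anything above it must be treated; Terminate and Transfer are
    business decisions the risk owner records explicitly."""
    return "Tolerate" if LEVELS[risk_band] <= LEVELS[acceptance] else "Treat"

def needs_action(option: str) -> bool:      # slide 14: take action if Treat/Transfer
    return option in ("Treat", "Transfer")

def needs_approval(option: str) -> bool:    # slide 14: take approval if Tolerate/Terminate
    return option in ("Tolerate", "Terminate")

def document(atv: ATV, option: str, action: str = "", acceptance: str = "Medium") -> dict:
    """Results-documentation record: A-T-V, risk calculation, RTP, action taken."""
    if option not in TREATMENTS:
        raise ValueError(f"RTP option must be one of {TREATMENTS}")
    if needs_action(option) and not action:
        raise ValueError(f"{option} requires an action to be recorded")
    raw = risk_score(atv.asset_value, atv.lhot, atv.lov)
    lhot_r, lov_r = atv.revised_levels()
    revised = risk_score(atv.asset_value, lhot_r, lov_r)
    return {
        "asset": atv.asset, "supporting_assets": atv.supporting_assets,
        "asset_value": atv.asset_value, "threat": atv.threat,
        "threat_properties": atv.threat_properties, "LHOT": atv.lhot,
        "vulnerability": atv.vulnerability, "LOV": atv.lov,
        "risk_score": raw, "risk": band(raw),
        "recommended": recommend(band(raw), acceptance),
        "RTP": option, "action_taken": action if needs_action(option) else "",
        "approval_required": needs_approval(option),
        "revised_risk_score": revised, "revised_risk": band(revised),
    }

# The page-17 A-T-V; asset value "High" and the control's one-step LOV
# reduction are assumptions, the other values are the slide's.
CASE = ATV(
    asset="Online Payment Process",
    supporting_assets=["Apache Web Server", "EOS App Server", "Oracle 10G DB"],
    asset_value="High",
    threat="Insider sniffing the traffic",
    threat_properties="Insider - Deliberate",
    lhot="High",
    vulnerability="App Server to Database Server traffic is in clear",
    lov="Medium",
    controls=[Control("TLS on App Server to DB connection", reduces="LOV")],
)
RECORD = document(CASE, "Treat",
                  action="Use OpenSSL to encrypt traffic from App Server to Database Server")
```

With these assumptions the raw score is 3 x 3 x 2 = 18 (High), which is above the acceptance criterion, so the recommendation is Treat, and after the control the score is 3 x 3 x 1 = 9 (Medium). Two practitioner caveats on the slide's action: "use OpenSSL" names a library, but the control that has to be evidenced is TLS on the application-to-database connection, enabled on both the database listener and the client with server certificate validation; and channel encryption only lowers LOV, not LHOT, because an insider with administrative access to the application server can still read the data before it is encrypted.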

Page 18: Results Documentation

[Screenshot] Source: SMART-RA for PCI (v4.8.2)

Page 19: Questions?

• Join the IS-RA Group on LinkedIn.

• The Personal Edition of SMART-RA is free. Sign up on smart-ra.com.

Dharshan (Dash)
Email: [email protected]