PCI’s New Risk Assessment Guidelines: Will You Pass? (PCI Risk Assessment, 3-26-1…)
TRANSCRIPT
About Your Presenter
• Stephen Marchewitz
• President at SecureState LLC
• Advisory Services Sr. Consultant
• M.B.A. Case Western Reserve
University – Management
Information Systems and Finance
• Previous speaking engagements include:
– How to Be a CISO
– Aligning Security Risk with Enterprise Risk
– Anatomy of a Security Breach
– I Just Failed My PCI Audit Now What?
About Your Presenter
• Matt Neely (CISSP, CTGA)
• Director of Research, Innovation and
Strategic Initiatives at SecureState
• Team focuses on understanding
clients’ business needs and solving
complex security problems, mainly
focused on emerging threats and technologies
• Over 12 years of experience working in the security industry
Who is SecureState? A Management Consulting Firm Specializing in Information Security
• Founded in September 2001
• Department of Defense Contractor
• International Footprint
• Practices include:
– Advisory Services
– Audit & Compliance
– Incident Response
– Profiling & Penetration
– Risk Management
Agenda
• Analysis of New PCI-DSS Risk Assessment Guidelines
• Three Questions to Ask When Choosing or Creating a Risk Assessment
– Do we need to do this and when?
– Which risk management framework is best for me?
– How do I measure risk for my organization?
• Three Alternative Strategies to Satisfy the 12.1.2 Requirements and SIG Guidelines
• Live Q&A
Special Interest Working Groups
• PCI Risk Assessment SIG was formed in 2012
– Goal: Provide guidance on performing risk
assessments in accordance with PCI DSS
Requirement 12.1.2
• November 16, 2012 the Risk Assessment SIG
released the “PCI DSS Risk Assessment Guidelines
Information Supplement Version 1”
Primary Purpose of 12.1.2
• Determine what additional controls are needed
– “Risk assessments provide valuable information to
help organizations determine what additional
controls are necessary to protect their sensitive
data and other assets” – Page 4
• Create a prioritized risk mitigation plan
Common Questions
Can I use the risk assessment to remove or limit which controls in the PCI DSS apply to my environment?
No
Two Questions Everyone Asks
When do the guidelines go into effect?
Already in effect. (Can I get that yesterday?)
If these guidelines are not met, how will this impact my PCI compliance?
It depends. Ask your QSA.
Scope of Risk Assessment
“People, processes and technology that are involved in the storage,
processing or transmission of CHD including those that may not be
directly involved in the processing of CHD but still have the potential
to impact the security of the CDE” – Page 4
• Not limited to the PCI Zone/Cardholder Data Environment (CDE)
• Anything that could impact the
security of Cardholder Data
(CHD)
• Must include third-parties who
handle PCI functions
Methodologies Specifically Mentioned by the SIG
• ISO 27005
• NIST SP 800-30
• OCTAVE
• FAIR
• AS/NZS 4360
• Guidelines do not require using one of the above frameworks as long as they meet the guidelines outlined by the SIG
SIG Guidelines on Asset Inventory
• General Assets – Anything of value to an organization
• PCI Risk Assessment Assets – People, processes or technologies that are involved in the processing, storage or transmission and protection of CHD or the CDE
– Must cover all payment channels
– Includes assets which directly and indirectly impact the security of CHD or the CDE
• Recommended:
– Identifying asset owners
– Assigning asset values
SIG Guidelines on Threat
• People, the systems they use, and conditions that could cause harm to an organization
• Common measures:
– Capability of threat agents
– Relevance to the organization
– Likelihood that a threat occurs
– Potential adverse impact
SIG Guidelines on Vulnerability
• A vulnerability is a weakness that can be exploited
by a threat
• Must include vulnerabilities in technology,
organizations, environments and business processes
SIG Guidelines on Controls
• Controls prevent a threat from
acting on a vulnerability or lessen
the impact of a threat acting on
a vulnerability
• Identify existing controls
• Measure effectiveness of the
controls
SIG Guidelines on Risk Estimation
• Goal: Determine significance of risk in order to prioritize
mitigation efforts
• Can use quantitative or qualitative risk
analysis or a mixture of both
• Example risk measurement
methodologies are FAIR,
iRisk and OCTAVE
SIG Guidelines on Risk Treatment
• Goal: Identify how to decrease identified risks to acceptable levels
• Four Ways to Treat Risk
– Risk reduction
– Risk sharing/transference
– Risk avoidance
– Risk acceptance
• “A risk assessment cannot result in the acceptance, transferring, or sharing of any risk that will result in the failure to comply with any applicable PCI DSS requirement” – Page 15
Third Party Providers
• Contract language often transfers risk to third parties
– Example: Hosting provider is responsible for physical
security of the servers
• Often the entire risk cannot be transferred
– Example: Reputational risk
• Important to take this into account when developing risk
treatment plans
Reporting Results
• Each risk assessment must have the results captured
in a written report
• Generate a prioritized risk
mitigation plan
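The SIG steps described above (scoping the asset inventory beyond the CDE, qualitative risk estimation, the page-15 rule on treatment, and a prioritized written plan) fit naturally into a small risk register. The following is an added example written for this page, not code from the SIG document or from SecureState’s iRisk: the 3-point likelihood/impact scales, the field names, and the sample systems (pos-db01, corp-ad01, hr-wiki, colo-cage) are assumptions for illustration.

```python
"""Toy PCI risk register (constructed example, not the SIG's or SecureState's code).
Scopes the inventory, scores risks qualitatively, checks each treatment against
the page-15 rule, and emits a prioritized mitigation plan. Scales and sample
systems are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Qualitative 3-point scales (assumption). A quantitative method such as FAIR
# would use loss-event frequency and loss-magnitude estimates instead.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}

# The four treatment options the SIG names.
TREATMENTS = {"reduce", "share", "avoid", "accept"}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                          # SIG recommends identifying an owner
    in_cde: bool                        # stores, processes or transmits CHD
    can_impact_cde: bool                # outside the CDE but can affect its security
    third_party: Optional[str] = None   # provider performing a PCI function


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    existing_controls: tuple[str, ...]
    # PCI DSS requirement the vulnerability leaves unmet, if any ("3.4", "8.5");
    # None means the gap goes beyond the DSS baseline.
    pci_requirement: Optional[str]
    treatment: str

    def score(self) -> int:
        """Qualitative risk = likelihood x impact, 1..9 on these scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def in_scope(assets: list[Asset]) -> list[Asset]:
    """SIG scope: the CDE plus anything that could impact CHD security, third
    parties included. An out-of-CDE asset that can reach the CDE stays in."""
    return [a for a in assets if a.in_cde or a.can_impact_cde]


def treatment_error(risk: Risk) -> Optional[str]:
    """Page-15 rule: accepting, transferring or sharing a risk may not leave an
    applicable PCI DSS requirement unmet. Returns a reason string or None."""
    if risk.treatment not in TREATMENTS:
        return f"{risk.asset.name}: unknown treatment {risk.treatment!r}"
    if risk.pci_requirement and risk.treatment in {"accept", "share"}:
        return (f"{risk.asset.name}: cannot {risk.treatment} a gap against PCI DSS "
                f"{risk.pci_requirement}; it must be reduced or avoided")
    return None


def mitigation_plan(risks: list[Risk]) -> list[tuple[int, str, str]]:
    """Prioritized plan: highest score first, DSS gaps ahead of equal-scored
    non-DSS risks. Accepted risks stay in the register but are not planned."""
    errors = [e for e in map(treatment_error, risks) if e]
    if errors:
        raise ValueError("; ".join(errors))
    todo = [r for r in risks if r.treatment != "accept"]
    todo.sort(key=lambda r: (-r.score(), r.pci_requirement is None, r.asset.name))
    return [(r.score(), r.asset.name, f"{r.treatment}: {r.vulnerability}") for r in todo]


# Constructed sample inventory: corp-ad01 is outside the CDE but CDE admins
# authenticate against it, so it is in scope; hr-wiki is not.
POS_DB = Asset("pos-db01", "Retail IT", in_cde=True, can_impact_cde=True)
AD = Asset("corp-ad01", "Infrastructure", in_cde=False, can_impact_cde=True)
HR_WIKI = Asset("hr-wiki", "HR", in_cde=False, can_impact_cde=False)
COLO = Asset("colo-cage", "Facilities", in_cde=True, can_impact_cde=True, third_party="ColoCo")
SAMPLE_ASSETS = [POS_DB, AD, HR_WIKI, COLO]

SAMPLE_RISKS = [
    Risk(AD, "malicious insider", "shared domain admin account", "high", "high",
         ("quarterly access review",), "8.5", "reduce"),
    Risk(POS_DB, "external attacker", "PAN written unencrypted to a debug table",
         "medium", "high", ("network segmentation",), "3.4", "reduce"),
    # Contract shifts outage cost to the provider; reputational impact stays
    # with the merchant, so this is "share", not a full transfer.
    Risk(COLO, "provider outage", "single colocation site, no failover", "low",
         "medium", ("SLA with service credits",), None, "share"),
    Risk(POS_DB, "power fault", "single power feed", "low", "medium", (), None, "accept"),
]

# Rejected by treatment_error(): an unmet DSS requirement cannot be "accepted".
BAD_RISK = Risk(AD, "malicious insider", "shared domain admin account", "high",
                "high", (), "8.5", "accept")
```

Calling `mitigation_plan(SAMPLE_RISKS)` yields the shared-admin gap (score 9) first, the unencrypted PAN (6) second, and the shared colocation risk (2) last, while the accepted power-feed risk is kept in the register but left off the plan; feeding it `BAD_RISK` raises, because acceptance would leave requirement 8.5 unmet. Swapping the two dictionaries for FAIR-style frequency and magnitude estimates changes the scoring without changing the scoping or treatment checks.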
Finding a Good Fit
• Define context of the risk assessment
• Pick a framework
• Choose a taxonomy
Context
• What are the aims and objectives of the risk assessment?
– Broad scope focused on operational risk, including info security
– Info security risks
– Only PCI compliance
Framework
• Find a framework that works well with your
organization
• Examples:
– ISO 27005
– ISO 31000
– NIST SP 800-30
– OCTAVE
Choose a Risk Scoring Taxonomy
Are you looking at risk from a
top-down or a bottom-up
perspective?
Top-Down - FAIR
• Factor Analysis of Information Risk (FAIR)
• Scenario-based risk assessment based on interviews
of subject matter experts and supporting data
• Adopted by The Open Group for IT risk management
framework
Bottom-Up - iRisk
• Info security risks
• Open source and
community driven
project managed
by SecureState
• Focused on simplicity and being implementable
• Designed to use the data most security professionals
already have or can easily gather
Three Options

Option 1: Information Risk Management Program
• Context: Info Risks
• Framework: ISO 27005 or ISO 31000
• Taxonomy: FAIR (Top-Down)
• Differences:
– Business process mappings
– Aligns well with business
– Can expand to operations
– Existing software to assist in analysis

Option 2: Info Security Risk Management
• Context: Info Security Risks
• Framework: ISO 27005
• Taxonomy: iRisk (Bottom-Up)
• Differences:
– Business process mappings
– Useful for security
– Risk management program

Option 3: PCI Risk Assessment
• Context: Only PCI Compliance
• Framework: Parts of ISO 27005
• Taxonomy: iRisk (Bottom-Up)
• Differences:
– Assessment review program
– Create asset inventory based on PCI guidelines
– Can use existing data, often easier to re-gather
– Cuts corners to reduce costs
Summary
• PCI Risk Assessment SIG released guidelines on performing PCI Risk Assessments that meet PCI DSS requirement 12.1.2
• Results of a risk assessment cannot be used to remove applicable PCI DSS requirements
• Scope of PCI Risk Assessments is not limited to the PCI Zone or CDE
– Instead, anything that could directly or indirectly impact the security of CHD is in scope
• Ensure the risk assessment you are using for PCI compliance meets the guidelines outlined by the SIG
• Define the risk assessment context, framework and taxonomy to determine which option fits best for your organization
• Consult your QSA if you have questions
Thank you for your time!
Questions & Answers
Matt Neely
Stephen Marchewitz
Additional Information
• PCI DSS Risk Assessment Guidelines - https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf
• Minimum Requirements for a PCI-DSS Risk Assessment - http://blog.securestate.com/minimum-requirements-for-a-pci-dss-risk-assessment/
• PCI Risk Analysis: Answering Risk Estimation for ISO 27005 - http://blog.securestate.com/pci-risk-analysis-answering-risk-estimation-for-iso-27005/
• iRisk - http://community.securestate.com/
• FAIR - http://www.cxoware.com/what-is-fair/
• Software to Assist with FAIR Analysis - FAIRiq - http://www.cxoware.com/software/
• The Open Group RiskIT framework - http://www.opengroup.org/bookstore/catalog/c081.htm