
PCI’s New Risk Assessment Guidelines: Will You Pass?

March 26, 2013

About Your Presenter

• Stephen Marchewitz

• President at SecureState LLC

• Advisory Services Sr. Consultant

• M.B.A. Case Western Reserve University – Management Information Systems and Finance

• Previous speaking engagements include:

– How to Be a CISO

– Aligning Security Risk with Enterprise Risk

– Anatomy of a Security Breach

– I Just Failed My PCI Audit Now What?

About Your Presenter

• Matt Neely (CISSP, CTGA)

• Director of Research, Innovation and Strategic Initiatives at SecureState

• Team focuses on understanding clients’ business needs and solving complex security problems, mainly focused on emerging threats and technologies

• Over 12 years of experience working in the security industry

Who is SecureState? A Management Consulting Firm Specializing in Information Security

• Founded in September 2001

• Department of Defense Contractor

• International Footprint

• Practices include:

– Advisory Services

– Audit & Compliance

– Incident Response

– Profiling & Penetration

– Risk Management


Agenda

• Analysis of New PCI-DSS Risk Assessment Guidelines

• Three Questions to Ask When Choosing or Creating a Risk Assessment

– Do we need to do this and when?

– Which risk management framework is best for me?

– How do I measure risk for my organization?

• Three Alternative Strategies to Satisfy the 12.1.2 Requirements and SIG Guidelines

• Live Q&A


Introduction to the PCI DSS Risk Assessment Guidelines

Special Interest Working Groups

• PCI Risk Assessment SIG was formed in 2012

– Goal: Provide guidance on performing risk assessments in accordance with PCI DSS Requirement 12.1.2

• November 16, 2012 the Risk Assessment SIG released the “PCI DSS Risk Assessment Guidelines Information Supplement Version 1”

Why the Change?

Only 3% of risk assessments meet new PCI guidelines

PCI DSS Requirement 12.1.2

Primary Purpose of 12.1.2

• Determine what additional controls are needed

– “Risk assessments provide valuable information to help organizations determine what additional controls are necessary to protect their sensitive data and other assets” – Page 4

• Create a prioritized risk mitigation plan

Common Questions

Can I use the risk assessment to remove or limit which controls in the PCI DSS apply to my environment?

No

Two Questions Everyone Asks

When do the guidelines go into effect?

Already in effect (Can I get that yesterday?)

If these guidelines are not met, how will this impact my PCI compliance?

It depends. Ask your QSA.

Scope of Risk Assessment

“People, processes and technology that are involved in the storage, processing or transmission of CHD including those that may not be directly involved in the processing of CHD but still have the potential to impact the security of the CDE” – Page 4

• Not limited to the PCI Zone/Cardholder Data Environment (CDE)

• Anything that could impact the security of Cardholder Data (CHD)

• Must include third-parties who handle PCI functions

Methodologies Specifically Mentioned by the SIG

• ISO 27005

• NIST SP 800-30

• OCTAVE

• FAIR

• AS/NZS 4360

• Guidelines do not require using one of the above frameworks as long as they meet the guidelines outlined by the SIG

SIG Guidelines

SIG Guidelines on Assets Inventory

• General Assets – Anything of value to an organization

• PCI Risk Assessment Assets – People, processes or technologies that are involved in the processing, storage or transmission and protection of CHD or the CDE

– Must cover all payment channels

– Includes assets which directly and indirectly impact the security of CHD or the CDE

• Recommended:

– Identifying asset owners

– Assigning asset values


SIG Guidelines on Threat

• People, the systems they use, and conditions that could cause harm to an organization

• Common measures:

– Capability of threat agents

– Relevance to the organization

– Likelihood that a threat occurs

– Potential adverse impact


SIG Guidelines on Vulnerability

• A vulnerability is a weakness that can be exploited by a threat

• Must include vulnerabilities in technology, organizations, environments and business processes

SIG Guidelines on Controls

• Controls prevent a threat from acting on a vulnerability or lessen the impact of a threat acting on a vulnerability

• Identify existing controls

• Measure effectiveness of the controls

SIG Guidelines on Risk Estimation

• Goal: Determine significance of risk in order to prioritize mitigation efforts

• Can use quantitative or qualitative risk analysis or a mixture of both

• Example risk measurement methodologies are FAIR, iRisk and OCTAVE

SIG Guidelines on Risk Treatment

• Goal: Identify how to decrease identified risks to acceptable levels

• Four Ways to Treat Risk

– Risk reduction

– Risk sharing/transference

– Risk avoidance

– Risk acceptance

• “A risk assessment cannot result in the acceptance, transferring, or sharing of any risk that will result in the failure to comply with any applicable PCI DSS requirement” – Page 15

Third Party Providers

• Contract language often transfers risk to third parties

– Example: Hosting provider is responsible for physical security of the servers

• Often the entire risk cannot be transferred

– Example: Reputational risk

• Important to take this into account when developing risk treatment plans

Reporting Results

• Each risk assessment must have the results captured in a written report

• Generate a prioritized risk mitigation plan
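As an added illustration (not from the deck, and not SecureState's iRisk or any FAIR tooling), a toy Python model of the flow the SIG slides above lay out: an asset inventory that covers direct and indirect CDE assets including a third party, a residual-risk score from threat likelihood, impact and existing-control effectiveness, a prioritized mitigation plan for the written report, and a treatment check enforcing the page-15 rule that a PCI-applicable risk cannot be accepted, shared or transferred. The 1-5 scales, the scoring formula and the sample inventory are assumptions, not something the guidelines prescribe.

```python
# Toy model of the SIG flow on the slides: asset inventory (direct and indirect
# CDE impact), threat/vulnerability pairs, existing-control effectiveness,
# risk estimation, then risk treatment under the page-15 rule.
# The 1-5 scales and the scoring formula are assumptions, not from the guidelines.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    owner: str        # the SIG recommends identifying asset owners
    cde_impact: str   # "direct" or "indirect": both are in scope per the SIG

@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int               # 1-5, assumed qualitative scale
    impact: int                   # 1-5, assumed qualitative scale
    control_effectiveness: float  # 0.0 (no control) to 1.0 (fully effective)
    pci_applicable: bool = False  # True if leaving it untreated fails a DSS requirement

    def score(self) -> float:
        # Residual risk: inherent (likelihood x impact) reduced by existing controls
        return round(self.likelihood * self.impact * (1 - self.control_effectiveness), 2)

TREATMENTS = {"reduce", "share", "avoid", "accept"}  # the four ways on the slide

def validate_treatment(risk: Risk, treatment: str) -> bool:
    """Page 15: accepting, transferring or sharing a risk cannot leave an
    applicable PCI DSS requirement unmet, so only reduce/avoid are allowed there."""
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    return not (risk.pci_applicable and treatment in {"share", "accept"})

def mitigation_plan(risks: list) -> list:
    """Prioritised list (highest residual risk first) for the written report."""
    ranked = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset.name, r.threat, r.score()) for r in ranked]

# Constructed sample inventory: the hosting provider's bastion host is a third-party,
# indirect-impact asset and still in scope; the POS terminal handles CHD directly.
SAMPLE_RISKS = [
    Risk(Asset("POS terminal", "Retail Ops", "direct"), "card skimming",
         "PAN held in clear in memory", 4, 5, 0.5, pci_applicable=True),
    Risk(Asset("Bastion host (hosting provider)", "IT", "indirect"), "credential theft",
         "shared admin account", 3, 4, 0.0, pci_applicable=True),
    Risk(Asset("Marketing CMS", "Marketing", "indirect"), "defacement",
         "outdated plugin", 3, 2, 0.25),
]
```

Note that the uncontrolled shared admin account on the third-party host ranks above the POS risk once the existing POS control is credited, which is the kind of result the prioritized plan is meant to surface.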

Three Risk Assessment Options to Meet SIG Guidelines

Finding a Good Fit

• Define context of the risk assessment

• Pick a framework

• Choose a taxonomy


Context

• What are the aims and objectives of the risk assessment?

– Broad scope focused on operational risk, including info security

– Info security risks

– Only PCI compliance


Framework

• Find a framework that works well with your organization

• Examples:

– ISO 27005

– ISO 31000

– NIST SP 800-30

– OCTAVE

ISO 27005


Choose a Risk Scoring Taxonomy

Are you looking at risk from a top-down or a bottom-up perspective?

Top-Down - FAIR

• Factor Analysis of Information Risk (FAIR)

• Scenario-based risk assessment based on interviews of subject matter experts and supporting data

• Adopted by The Open Group for IT risk management framework

Bottom-Up - iRisk

• Info security risks

• Open source and community driven project managed by SecureState

• Focused on simplicity and being implementable

• Designed to use the data most security professionals already have or can easily gather

Three Options

• Information Risk Management Program

– Context: Info Risks

– Framework: ISO 27005 or ISO 31000

– Taxonomy: FAIR (Top-Down)

– Differences: Business process mappings; aligns well with business; can expand to operations; existing software to assist in analysis

• Info Security Risk Management

– Context: Info Security Risks

– Framework: ISO 27005

– Taxonomy: iRisk (Bottom-Up)

– Differences: Business process mappings; useful for security; risk management program

• PCI Risk Assessment

– Context: Only PCI Compliance

– Framework: Parts of ISO 27005

– Taxonomy: iRisk (Bottom-Up)

– Differences: Assessment review program; create asset inventory based on PCI guidelines; can use existing data, often easier to re-gather; cuts corners to reduce costs

Summary

• PCI Risk Assessment SIG released guidelines on performing PCI Risk Assessments that meet PCI DSS requirement 12.1.2

• Results of a risk assessment cannot be used to remove applicable PCI DSS requirements

• Scope of PCI Risk Assessments is not limited to the PCI Zone or CDE

– Instead anything that could directly or indirectly impact the security of CHD is in scope

• Ensure the risk assessment you are using for PCI compliance meets the guidelines outlined by the SIG

• Define the risk assessment context, framework and taxonomy to determine which option fits best for your organization

• Consult your QSA if you have questions

Thank you for your time!

Questions & Answers

Matt Neely

[email protected]

Stephen Marchewitz

[email protected]

Additional Information

• PCI DSS Risk Assessment Guidelines - https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf

• Minimum Requirements for a PCI-DSS Risk Assessment - http://blog.securestate.com/minimum-requirements-for-a-pci-dss-risk-assessment/

• PCI Risk Analysis: Answering Risk Estimation for ISO 27005 - http://blog.securestate.com/pci-risk-analysis-answering-risk-estimation-for-iso-27005/

• iRisk - http://community.securestate.com/

• FAIR - http://www.cxoware.com/what-is-fair/

• Software to Assist with FAIR Analysis - FAIRiq - http://www.cxoware.com/software/

• The Open Group RiskIT framework - http://www.opengroup.org/bookstore/catalog/c081.htm