Webinar Excerpts: How to do a Formal Risk Assessment as per PCI Requirement 12.1.2
SMART ® logo is the registered Trademark of SISA Information Security. SMART-RA.com is a patent pending product of SISA Information Security in 125 countries.
SISA Information Security is part of SISA Worldwide
smart-ra.com
Risk Assessment for PCI 12.1.2
How To Do A Formal Risk Assessment as per PCI Requirement
12.1.2 (Version 2.0)
Agenda
• Understand Requirement 12.1.2 of PCI (Version 2.0)
• Overview of the Methodologies – ISO 27005, OCTAVE and NIST SP 800-30
• How to do a formal Risk Assessment as per 12.1.2 of PCI
• Case Study Walkthrough
Requirement 12.1.2
Requirement 12.1.2 emphasizes the need for a structured and formal risk assessment methodology.
“Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)”
What is a Formal, Structured Methodology?
• Formal => A measurable and comparable methodology
• Structured => following a defined and approved process.
• PCI 2.0 names the following risk assessment methodologies:
- ISO 27005
- NIST SP 800-30
- OCTAVE
ISO 27005
Source: ISO 27005 Risk Management Standard
OCTAVE
Source: OCTAVE Risk Assessment Methodology
NIST SP 800-30
Source: Risk Management Guide for IT Systems - NIST