Risk Reporter User Manual

1. k qeti LA 2 m E k N L 1 ia e em k br x i a We une eo m a a E C k q an d e L TIT Fo j F 1 i i i Hi III HU WI III I of gt LI Risk Reporter User Manual Risk Reporter for PCI ACR 2 Solutions RISK ASSESSMENT PCI User Manual v1 The information in this document 15 subject to change without notice No part of this publication may be reproduced stored translated or transmitted in any form or by any means electronic mechanical manual optical or otherwise without the prior written permission of ACR 2 Solutions Inc ACR and ACR2 are trademarks of ACR 2 Solutions Inc The names of other companies and products are used herein for informational purposes only and are the trademarks of their respective companies Risk Reporter for PCI Table of Contents 3 LI TYPOGRAPHICAL CONVENTIONS uuu 3 4 515 LOVER VIE Y u 4 3 IHERISKREPORTIER ASSESSMENT PROGCGESS ae aka nit 5 3 1 LE TIEL TT uu u u 5 2 2 ACCESSING THE RR WEBSITE U UU U U cra an a 5 3 3 A EEA Y
2. 05 1210791952 Report Generated 14 2008 www riskreporterforfortinet info DaeofRepot o o o o o 14LMay 2008 Baseline Risk Score 100 Facility damage Loss of operations 90 5 Damaze to building Facility damage Data acquisition Data storage 25 3 Tw 5 n Symbol Threat Source Vulnerability 4 Human error Data modification i Human etror Data transmission 0 Human error System design 00 7 Human error Procedure implementation 00 Human error Internal controls MIT Malicious insider Data acquisition 33 Malicious insider 15 Malicious insider Data retrieval Malicious insider 100 115 Data transmission System design 0 rocedure implementation Ialicious insider lutemalcontos 100 25 75 Talicious outsider Data storage 1 1311010112 el Data retrieval alicious Outsider Data mocdir cation Talacious outsider Data transmission dalicious outside system des 1 2 Talicious cutsid 1811212115 J Jl 7 1 t th EGIL i Update Report Risk Reporter for PCI Risk Assessment Chart Risk Assessment Number 10 13 05 1223599224 Report Generated November 03 2008 www acr2solutions com EU TT ZIIIs aaa HE HE4 HE6 MITI MIS M
3. Manis t Request a Copy of a Previously Issued Assessment Log Out Show Report History Gap Report may take some time to load Account Settings Logout Figure 3 5 Main Menu When you are ready to begin an assessment return to the Main Menu and click the Start a New Baseline Assessment line The Baseline is the first risk assessment of a calendar year all updated assessments will be compared to this assessment Before you can enter data you must read and accept the Disclaimer shown in Figure 3 6 RR is a repackaging of PCI DSS and or NIST protocols and is offered in good faith but control over data entry is the responsibility of users no warranty is offered or possible START ASSESSMENT By filling in the following forms you will complete the information required for your risk assesment Risk Assessment ID 11 10 08 1226334029 The ACR 2 Solutions Risk Reporter System was developed in partnership with ACR 2 Solutions Inc and is intended to assist our customers with their legal obligations to safeguard non public personal information obtained by them from their own customers under federal law Use of this website and the ACR 2 Solutions Risk Reporter System constitutes the acknowledgment by our Customers that they are responsible for creating and maintaining an adequate safeguard system for protecting their customer s private identity information Proper use of this website by our Customers should help ease our Customers burdens in maintaining
4. the risk engine along with updated Scan IPS and AV data This cycle can be done as often as daily with reports on demand The risk management process is an ongoing cycle that will continue as long as the organization remains in operation 4 1 Creating an Action Plan Following the review and acceptance of these risk reports by management it 15 necessary to create an action plan The plan should prioritize the needed safeguards in order to increase or maintain compliance with information security regulations You may find the PCI Inventory Report and PCI Gap report accessible from the Main Menu useful for quickly determining which areas are in need of improvement The Inventory Report provides a summary of every answer inputted for the most recent assessment while the Gap Report shows which safeguards negatively affected the assessment Once you have identified the needed safeguards they can be listed using data from the Deficiency Report Key in Appendix B In most cases the Action Plan will address upgrades in order of cost and convenience Many changes are inexpensive and demonstrate progress to regulators without major cost but other changes may require capital planning before being phased in For example safeguard SI 5 Security Alerts and Advisories is easy to update A number of free websites can fill this need including several government sites such as Computer Emergency Readiness Team CERT On the other hand CP 2 which r
5. their safeguard systems but no website or program can substitute for actual compliance with applicable regulations ACR 2 Solutions and ACR 2 SOLUTIONS THEREFORE SPECIFICALLY DISCLAIMS THE ISSUANCE OF ANY WARRANTY OR GUARANTY OF ANY KIND TO OUR CUSTOMERS REGARDING THE ADEQUACY OF THEIR OWN SAFEGUARD SYSTEMS OR THEIR LEVEL OF COMPLIANCE WITH APPLICABLE REGULATIONS THE USE OF THIS WEBSITE AND THE ACR 2 SYSTEM CONSTITUTES THE AGREEMENT BY OUR CUSTOMERS THAT THEY ARE NOT LOOKING TO ACR FOR ANY LEGAL ADVICE REGARDING THE DEVELOPMENT IMPLEMENTATION OR MANAGEMENT OF THEIR OWN SYSTEM S DEVELOPED TO SAFEGUARD CUSTOMER INFORMATION OR TO OTHERWISE COMPLY WITH FEDERAL PRIVACY REGULATIONS We encourage our Customers to review for themselves the pertinent statutes and regulations and to consult with their own legal counsel to ensure their full compliance with Federal laws 2006 2008 ACR2 Solutions Inc All rights reserved No copyright claim on text from government sources No copyright claim on text from PCI SSC sources agree to the terms above Continue to Report entry Do Not Agree Exit System Figure 3 6 Disclaimer Click the I agree button to bring up the first data entry screen 3 3 Policy Questions The first questions section of the risk assessment pertains to the 203 questions in the 12 PCI security Requirements The second section is a series of potential compensating controls taken from the 170 Security Control
6. 14838933 Comp Comp R 10 2 M R 10 2 6 N R 10 2 7 N R 10 3 Y 10 3 1 N R 10 3 2 Y R 10 3 3 N R 10 3 4 Y R 10 3 5 Y 10 3 6 N R 10 4 M R 10 5 R 10 5 1 N R 10 5 2 N R 10 5 3 N R 10 5 4 N 10 5 5 Y R 10 6 Y R 10 7 Y R 11 1 Y R 11 2 N 11 3 Y 11 3 1 N Req Comp R 12 3 3 R 12 3 4 R 12 3 5 R 12 3 6 R 12 3 7 R 12 3 8 12 3 9 12 3 10 Y 124 N R 12 5 N R 12 5 1 N R 12 5 2 N 12 5 3 N R 12 5 4 N 12 5 5 Y 126 N R 12 6 1 Y R 12 6 2 Y R 12 7 Y R 12 8 N R 12 8 1 N R 12 8 2 N 12 3 N lt Z lt Welcome Main Menu Account Settings Overview Tutorial Manual Automated Compliance Reporting Not Just Secure Compliant Gap Report Risk Assessment Number 08 30 08 1214835533 Dynamically Generated June 30 2008 www astara com summary Below is a list of safeguards which negatively impacted this risk assessment Results are from the last finalized assessment Req ID ho 3 1 Description Solutions PC Ri 1 1 8 Establish firewall configuration standards that include the following Justification and documentation for amy available protocols besides hypertext transfer protocol HTTP and secure sockets layer SSL secure shell SSH and virtual private network VPN PCI R1 1 1 8 Establish firewall configuration stan
7. IS MIS iw MIT MO MO MO4 MOS 14065 O k iw s sk Cateoorv 10 20 30 40 A 60 70 80 on 100 Risk Score Chart Report Risk Reporter for PCI R 1 1 1 1 1 2 R 1 1 3 R 1 1 4 R 1 1 5 R 1 1 6 R 1 1 7 1 1 8 1 1 9 R12 Y R13 Y R 1 3 1 1 3 2 R 1 3 3 R 1 3 4 Y R 1 3 5 Y R 1 3 6 Y R 1 3 7 N R 1 3 8 Y 1 3 9 N R14 Y HR 1 41 Y R 142 Y lt 4 lt lt Reg Comp R 3 2 Y R 3 2 1 N R 3 2 2 Y R 3 2 3 Y R 3 3 R34 Y R 3 4 1 N HR 3 5 R 3 5 1 Y R 3 5 2 Y 3 6 N R 3 6 1 Y R 3 6 2 Y R363 R 3 6 4 Y R 3 6 5 WN R 3 6 6 Y R 3 6 7 Y R 3 6 8 N R 3 6 9 N R 3 5 10 Y R41 Y R4 1 1 Risk Reporter for PCI PCI Inventory Report R 6 3 5 N R 6 3 6 N R 6 3 7 Y R 56 4 N R64 1 R 64 2 N R 6 4 3 Y R 6 4 4 N R 6 5 N R 55 1 N R 6 5 2 N R 6 5 3 N R 6 5 4 R B 5 5 N R 6 5 6 Y R65 7 N R 6 5 8 Y R 6 5 9 Y R 6 5 10 Y RT 1 Y R I2 Y R 8 1 Y R 8 2 Y Inventory Report Reg Comp R 8 5 9 N R 8 5 10 R 6 5 11 R 6 5 12 R 6 5 13 R 8 5 14 R 6 5 15 R 6 5 16 R91 Y R9 1 1 R912 R 91 3 R92 N R53 Y R9831 N 932 933 94 R 9 5 2 6 2 7 R 2 1 Y R98 72 N lt Assessment id 06 30 08 12
8. Malicious Insider and Malicious Outsider Per the NIST 800 30 requirements risks categories are rated from 1 to 100 3 1 Collecting the Data To complete a risk assessment you will need familiarity with and access to The organization s Information Security Policy and Procedures Information about personnel with access to protected data The organization s most recent SCAP scan file 3 2 Accessing the RR Website Browse to http your_product_site Aks2 net as shown in Figure 3 1 Enter the case sensitive Username and Password Serial Number provided with the RR CD or in the welcome e mail then click the Login button Note For enhanced security risk assessment sessions will timeout after 24 minutes on a single screen Risk Reporter Account Login Username Password Login Forgot Password Forgot Username Figure 3 1 Login screen Upon logging in you will be directed to the Account Settings screen shown Figure 3 2 You must change your Username and Password before completing an assessment Because login information may be e mailed it is not secure and cannot be used for data entry You must also enter the email address at which you wish to receive the risk assessment reports Risk Reporter for PCI Important Information Any Changes will require your current password Changing your Username Password or E Mail address will additionally require you to re login Please Enter Your Password Curren
9. PCI R1 131 Yes PCI R1 132 Yes PCI R1 133 Yes PCI R1 134 Yes PCI R1 135 Yes R1 136 Yes Risk Reporter for PCI Figure 4 5 Report Detail In order to compare differences between assessments more easily you may also wish to view the reports that were generated from an earlier assessment From the Main Menu select Request a Copy of a Previous Assessment As shown in Figure 4 6 this will allow you to select an assessment and receive via locked PDF reports the reports it generated Risk Assessment ID Creation Date Completion Date 11 08 08 1226252817 Mov 09 2008 Nov 11 2008 11 11 08 1226424351 Mov 11 2008 Nov 12 2008 Figure 4 6 Request Report Copy Risk Reporter for PCI 5 Contact Information Thank you for your Interest Risk Reporter For general Information contact Sales E mail Sales acr2solutions com Phone 1 678 261 8181 5 1 Technical Support Technical support for RR is available 8 hours a day 5 days a week Please review the appropriate section of the manual before contacting technical support If the problem persists email support acr2solutions com When contacting support please have the following Information avallable The version of Risk Reporter software you are using The computer s browser and operating system version Risk Reporter for PCI Appendix A Sample Reports Automated Baseline Report Assessment Number 0 8 1215612424 Report Genera
10. ation appears in indented and in italic type Risk Reporter for PCI 2 Risk Management History Overview Risk assessment 15 process that was largely developed the environmental Industry the 1970s and involves review of vulnerabilities probability of damage and the impact of damage As the federal government and other regulators realized its enormous benefit of risk assessments they mandated organizations in more industries to conduct them In 2004 Visa MasterCard American Express and Discover combined resources to create a single PCI Data Security Standard DSS with the goal of helping organizations protect customer information safeguard transactions and conduct risk assessments to identify vulnerabilities The risk assessment process is continual details of the DSS requirements vary according to the size of the organization but In each case three steps are required 1 Risk Assessment 2 Safeguards Implementation based on the risk assessment 3 Vulnerability Assessment to measure the effectiveness of the Safeguard Implementation As of June 2007 the DSS applies to every organization that processes payment card information including merchants and third party service providers that store process or transmit payment card data Failure to comply with the Payment Card Industry security standards may result in heavy fines restrictions or permanent expulsion from card acceptance programs Other industries also d
11. ation of several accounts Administrative Scan Account The first risk assessment of a calendar year This contains a numerical scoring of risks Baseline Report to information security and availability future risk assessments will be compared to the Baseline report Chart Report A graphical color coded representation of the baseline or update risk scores Compensating controls may be considered when an entity cannot meet a requirement Compensating explicitly as stated due to legitimate technical or documented business constraints but Control has sufficiently mitigated the risk associated with the requirement through implementation of other controls Compliance Officer The individual responsible for conducting the risk assessment Deficiency Report A cross listing of missing or underperforming safeguards A business based framework for government wide improvement developed by the OMB It is intended to ease efforts to move the federal government toward becoming citizen centered results oriented and market based Federal Enterprise Architecture FEA A chart indicating gaps in security compliance This report specifies which R questions factors negatively impacted the Risk Assessment score Grou CEOs Managers etc who are responsible for maintaining security compliance p g p 5 y device used to connect multiple networking cables together to make them act as
12. control policy and associated access controls The access control policy and procedures are consistent with applicable federal laws directives policies regulations standards and guidance The access control policy can be included as art of the general information security policy for the organization Access control procedures can be developed for the security program in general and for a particular information system when required NIST Special Publication 800 12 provides guidance on security policies and procedures Figure 3 8 Sample Compensating Control Question After answering the last question in a section click the Save and Continue button to update the next data section This is a secure transmission and may take up to a minute to load do not press the button more than once To update a different data section use the navigation buttons or the pull down menu Note Using any navigation tool will result in the loss of data inputted into the section To save changes click the Save and Continue button Depending upon your familiarity with your organization s Information Security Policy and Procedures completing a risk assessment may take as few as three hours However assessments do not need to be completed in a single sitting To interrupt a data session use the Log Out line in the menu box of each data screen When you log back in an option to Find and Complete Assessments will appear in the Main Menu Selecting an incomplete a
13. dards that include the following Quarterly review of firewall and router rule sets R1 1 37 Build a firewall configuration that restricts connections between publicly accessible servers and amy system component storing cardholder data including any connections from wireless networks This firewall configuration should include the Following Denying all other inbound and outbound traffic not specifically allowed R1 1 33 Build a firewall configuration that restricts connections between publicly accessible servers and amy system component storing cardholder data including any connections from wireless networks This firewall configuration should include the Following Installing personal firewall software on amy mobile and employes cwned computers with direct connectivity to the Internet For example laptops used by employees which are used to access the organizations network RZ Z1 1 Change vendor supplied defaults For wireless environments change wireless vendor defaults including but not limited to wired equivalent privacy WEF keys default service set identifier SSID passwords and SNMP community strings Disable 5510 broadcasts Enable WiFi protected access NPA and WPAZ technology for encryption and authentication when WPA rapable R2 223 Develop configuration standards for all system components Configure system security parameters to prevent misuse PC RZ 224 Develop configuration standards for all system c
14. equires the creation of a NIST compliant Contingency Plan can be a major effort Once the action plan for red risks is in place implement a similar program for yellow risks Under NIST guidelines risks the yellow range need to be scheduled for remediation Again the fastest and least expensive rule of prioritization is a prudent use of limited corporate resources a weekly basis as new safeguards are implemented the risk assessment be updated with new reports At a minimum a monthly reassessment of risk is recommended and should be placed in the appropriate portion of the organization s Information Security Plan notebook Compliance regulators do not expect organizations to be perfectly secure However reasonable and appropriate progress is not only expected but required Periodic quantitative risk assessment reports can provide a low cost means of documenting the organization s compliance level Risk Reporter for PCI 4 2 Creating Update Report Creating an update report is easy Login to an account that has had a baseline report issued within the last 12 months and select Find and Complete Assessments as shown in Figure 4 1 Welcome Start a New Update Assessment Find Complete Assessments Serer Request a copy of previous assessment Tutorial Show Report History Manual 25 PCI Inventory Report Log Out Gap Report Account Settings Logout Figure 4 1 Main Menu As with the Baseli
15. eveloped standardized risk assessment requirements In 2002 the NIST produced a simplified risk assessment for use with sensitive but unclassified information These risk assessments are mandatory for organizations regulated under FISMA and are recommended for those regulated by GLBA and the Health Insurance Portability and Accountability Act HIPAA Risk Reporter assessment scores are calculated using the PCI DSS Requirement questions Compensating Control NIST Safeguard questions and UTM configuration scan data The risk management process continues to advance Policy data and safeguards installations change at a slow rate but network configurations may change daily and UTM data changes from minute to minute Automated risk assessments which automatically upload data from the UTM and network scans on a daily basis are now possible Policy changes may be added as they occur creating the near real time risk assessment that 15 the goal of NIST 800 39 the flagship document of the NIST 800 series 800 39 42 Risk Reporter for PCI 3 The Risk Reporter Assessment Process Risk Reporter risk assessment software utilizes information from an organization s existing Unified Threat Management UTM device Intrusion Prevention System IPS Anti Virus AV program and a detailed NIST policy questionnaire to produce a quantitative NIST compliant risk assessment AKS1 Assessed risk categories include Environmental Human Error
16. ganize safeguards which must be put into place or updated The risk assessment data will generate two reports a Baseline Report and a Chart Report These locked reports are e mailed to the account that was specified during the account creation process and require your account password to open Two additional reports the PCI Inventory Report and the PCI Gap Report accessible from the Main Menu are also generated Note Access to e mailed reports requires the installation of Adobe Acrobat Reader Version 6 0 or newer See Appendix A for report samples Risk Reporter for PCI 1 baseline pdf numerical scoring of risks to Information security and availability Risks are defined as threat source vulnerability combinations and are divided into 30 risk categories based the NIST protocols Risks range from E1 wind roof damage to MOS malicious outsider internal controls The Baseline Report is the first report generated in the year and cannot be altered future assessments will generate an Update Report update pdf When compared to update reports the Baseline enables you to determine the degree of change in the organization s risk scores 2 chart pdf a graphical color coded representation of the baseline or update risk scores Red yellow green coding indicates high medium and low risk status respectively 3 PCI Inventory Report an overview listing the answers to each question in the most recent risk assessment Info
17. i 7 3 4 Mn 3E ur 8 3 5 eerte 9 EA pidum s 9 SN 4 L PTE 5 10 5 APPLYING THE RISK ASSESSMENT ea o e artium n 12 4 1 CREATING AN ACTION PLAN a e a a 12 4 2 CREATING AN UPDATE REPORT 13 E INFORMA III m 16 51 TECHNICAL SUPPORT 2 a a a a a a aaa 16 APPENDIX A SAMPLE REPORTS 17 APPENDIX B DEFICIENCY REPORT KEY 22 wu SCOOT CLE aT 23 Risk Reporter for PCI 1 Introduction Risk Reporter is automated system designed to simplify the process of creating and updating risk assessments Risk assessment is the initial step required by most information security regulations including the Payment Card Industry Data Security Standard PCI DSS the Gramm Leach Bliley Act GLBA the Health Insurance Portability and Acc
18. ices before allowing a connection The computer system uses either something known such as TCP IP some other data transfer item or some standard validation Mo This is used to identify and validate devices on local or wide area networks Official Language SC 2 APPLICATION PARTITIONING The computer system separates user portions of the computer system from the management portions The computer system automatically separates user services such as public web pages from information storage and No 5 2 management services database management Suggestion Separation is accomplished by using different computers different central processing units different network addresses or a Yes combination of these Official Language SC 7 BOUNDARY PROTECTION The computer system watches and controls communications on its outside limits and key internal limits Any connections to the Internet or other external networks or systems are allowed only through controlled interfaces These can take the form of proxies gateways routers etc If outside limit protections fail there will not be illegal release of information outside the computer system e SC 7 Computer system protection at external limits located at any alternate processing site has the same protection as that of the main Figure 4 3 Suggested Changes Risk Reporter for PCI After you have generated a Baseline report the Main Menu option to Sh
19. ne report data entry sections begin after the disclaimer is accepted use the pull down menu to change the assessment as needed Once you have made any known changes check the Review page to determine if additional input is required From time to time the PCI DSS and NIST update the controls When that occurs you will see Questions not reviewed You must answer these questions before an update report can be issued Additionally because the security questions are interrelated RR software analyzes the changes made to data sections and recommends additional changes via a notification message on the review screen To view the suggested changes select Click Here as shown in Figure 4 2 Assessment ID 06 30 08 1214844355 PCI Requirements Status The PCI R1 section is complete The updates suggest you may now be fulfilling the requirements of The PCI R2 section is complete additional controls and or requirements The PCI R3 section is complete Click Here i9 The PCI RA section is complete UMS The PCI R5 section is complete PCI_R6 section is complete The PCI R7 section is complete The PCI cnmnlete Figure 4 2 Suggested Answers Notification Clicking the link will provide additional information about affected questions as shown in Figure 4 3 Question Description Answer IA 3 DEVICE IDENTIFICATION AND AUTHENTICATION The computer system identifies and verifies dev
20. omponents Remove all unnecessary functionality such as Scripts drivers features subsystems file systems and unnecessary web servers R3 31 Keep cardholder data storage to a minimum Keep cardholder data storage to a minimum Develop a data retention and disposal policy Limit storage amount and retention time to that which is required business legal and or regulatory purposes as documented in the data retention policy R3 321 Donat store sensitive authentication data Gap Report Risk Reporter for PCI Appendix B Deficiency Report Key Label Threat Source Vulnerability RelyDmae TemefOpemims O E 07 ms _ Human ror 07 paatai MT Maki Proved Inplemention Mais imema Conos 07 Malicious Outsider Procedure Implementation Malicious Outsider Internal Controls Risk Reporter for PCI Appendix Glossary Meaning Action Plan A plan to prioritize and upgrade system safeguards to maintain or increase compliance Administrative a M An account with administrative permissions to one or more systems on a network Account Administrators may create these accounts specifically for the purpose of conducting ThreatGuard Scans More complex networks may require the cre
21. on or click the Review All Answers line above the Finalize button As shown in Figure 3 12 this will bring up a summary of your answers Quick Review of Answers Last XCCDF Upload 2008 11 13 Back to Review Assessment ID 11 11 08 1226420367 Category PCI R1 Question Summary Answer PCI R1 1 1 1 Establish firewall configuration standards that include the following A formal process for testing all external network connections and changes to the firewall configuration 1_ 1 1 1 2 Establish firewall configuration standards that include the following No A current network diagram with all connections to cardholder data including any wireless networks PCI R1 1 1 3 Establish firewall configuration standards that include the following Yes Requirements for a firewall at each Internet connection and between any demilitarized zone DMZ and the internal network zone PCI R1 1 1 4 Establish firewall configuration standards that include the following Yes Description of groups roles and responsibilities for logical management of network components PCI R1 1 1 5 Establish firewall configuration standards that include the following Documented list of services and ports necessary for business PCI R1 1 1 6 Establish firewall confiquration standards that include the followina Figure 3 12 Quick Review 3 7 The Results RR reports are designed to help organizations efficiently prioritize and or
22. ountability Act HIPAA the Federal Information Security Management Act FISMA and other state federal and international information security standards This RISK ASSESSMENT PCI version is designed around the protocols created by the PCI DSS and the United States National Institute of Standards and Technology NIST The PCI DSS mandates minimum standards of security from any organization that handles payment cards while the NIST procedures are rapidly becoming a de facto international standard This widespread adoption is due to the security automation efforts of the US Department of Homeland Security under the Security Content Automation Program SCAP Automation of information security processes is essential for both adequate security and regulatory compliance There are over 30 000 known vulnerabilities listed in the National Vulnerability Database N VD with more than 10 new vulnerabilities added daily It is no longer practical to rely on general knowledge and manual checklists to secure an information system 11 Typographical Conventions This document uses the following typographical conventions Command and option names appear in bold type in definitions and examples The names of directories files screens and menus appear in quotes e User inputted data appears bolded inside angle brackets Website addresses appear underlined e Hyperlinks appear underlined and in blue font e Notational usage inform
23. ow Report History will become active This feature Is most useful after you have generated multiple reports 1 allows you to determine what Input changed between assessments and thus which policies and procedures scan or upload changes affected the risk score Figure 4 4 shows increased risk to E Description Use the legend at the left to identify the report that you would like to analyze and reference it on the main table The leftm represent the scures of the indiviual reports Click on the GO button near the top of the column to drill down to a specific here Assessment ID ID A B C D E F G H 03 29 08 1206802166 Date 06 26 08 03 30 08 1206905107 E1 25 25 04 01 08 1207066423 4 06 24 08 1214328275 5 a 2 J J m mJ JJ 2 B y gt 5 mim 4 V sp n A 8 5 Un sp n A 2 mo mJ m mo J gt a 2 m N A B C B gt B B Un _ A y gt A Figure 4 4 Multi Report Overview Click GO to view the data submitted for each assessment As shown in Figure 4 5 this screen gives a Summary of the data submitted for each report PC R1 12 Yes R1 13 Yes R1 14 Yes PCI R1 15 Yes PCI R1 111 Yes PCI R1 112 Yes PCI R1 113 Yes PCI R1 114 Yes PCI R1 115 Yes PCI R1 116 PCI R1 117 Yes PCI R1 118 PCI R1 119 Yes
24. ption Answer AC 1 ACCESS CONTROL POLICY AND PROCEDURES The group writes reviews and updates an information security policy Someone is tasked to do this job This person should have security experience The group gives the policy to all staff All staff understands the security policy The purpose of the security policy is to protect customer information The policy includes details about how the group protects customer information Computers that process customer information must be secured The security system defenses are outlined in the policy The security policy outlines the types of information that are controlled The policy tells how information is controlled and who is allowed get information The policy assigns security duties to employees AC 1 The person who writes the security policy will also train employees Training includes the importance of protecting customer Yes information There will be details about who will protect the information Training will include details about how to protect information The security policy and procedures agree with all regulations for group or companies The security policy is part of the group Official Language The organization develops disseminates and periodically reviews updates i a formal documented access control policy that addresses purpose scope roles responsibilities and compliance and ii formal documented procedures to facilitate the implementation of the access
25. questions contained in the NIST risk assessment 800 39 and minimum safeguards 800 53 protocols Answer each question by selecting the most appropriate choice from the pull down menu The options are No the safeguard 15 not in place or functioning Yes the safeguard is in place and functioning or NA the safeguard does not apply at this location The default answer for each question is No the most conservative answer Question Description Answer PCI R1 111 PCI_R1 1 1 1 Establish firewall configuration standards that include the following w T A formal process for approving and testing all external network connections and changes to the firewall configuration PCI R1 112 PCI_R1 1 1 2 Establish firewall configuration standards that include the following No T A current network diagram with all connections to cardholder data including any wireless networks PCI R1 1 1 3 Establish firewall configuration standards that include the following PCI R1 13 Yes Requirements for a firewall at each Internet connection and between any demilitarized zone DMZ and the internal network zone Figure 3 7 Sample PCI Question Risk Reporter for PCI The language of the Compensating Controls is a plain English paraphrase of the original wording To view the original wording for any NIST safeguard click Official Language at the end of the paraphrase The paraphrase and official language for question AC 1 is shown below Question Descri
rmation from all data entry sections is included. 4. PCI Gap Report: a detailed list of missing or underperforming safeguards which have negatively affected the most recent risk assessment. Holding the cursor over each safeguard gives more information about the threat source and affected vulnerability. These reports enable the user to create an Action Plan for the organization.

Low, Medium and High likelihoods of adverse events are scored at 0.1, 0.5 or 1.0 respectively. In the same manner, Low, Medium and High impacts are scored at 10, 50 and 100 respectively. A risk score from 1 (low) to 100 (high) is calculated by multiplying the likelihood score and the impact score. According to NIST standards, risk scores > 50 require immediate action, risk scores from 10 to 50 need to be scheduled for management, and risks < 10 can be monitored without further action.

4 Applying Risk Assessment

Compliance is a continuously moving target; conducting a risk assessment is only part of the risk management process. Regulated firms are required to: 1. Assess risks; 2. Install safeguards; 3. Test safeguard effectiveness; 4. Re-assess risks. Data from a network scan (800-30 section 3.1), IPS data, antivirus data (Section 3.3) and policy data are input into the Risk Engine. This creates the Results Documentation (Section 3.9) and recommendations for change. The changes in controls are implemented and the changes added to
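The scoring rule above (likelihood 0.1/0.5/1.0 times impact 10/50/100, triaged at the > 50, 10 to 50 and < 10 thresholds) worked through as an added Python example. It is not code from the Risk Reporter product; the threat-source/vulnerability ratings are constructed samples, not values taken from the manual's charts, and the Baseline-versus-Update comparison mirrors what the glossary says an Update Report shows.

```python
from dataclasses import dataclass

# Scale stated in the manual: Low/Medium/High likelihood -> 0.1/0.5/1.0,
# Low/Medium/High impact -> 10/50/100; risk = likelihood x impact (1 = low ... 100 = high).
LIKELIHOOD = {"L": 0.1, "M": 0.5, "H": 1.0}
IMPACT = {"L": 10, "M": 50, "H": 100}

@dataclass(frozen=True)
class RiskItem:
    threat_source: str   # e.g. "Human error", "Malicious insider"
    vulnerability: str   # e.g. "Data transmission", "System design"
    likelihood: str      # "L", "M" or "H"
    impact: str          # "L", "M" or "H"

def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood score times impact score, rounded so 0.1 * 50 reads as 5.0."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 1)

def action_for(score: float) -> str:
    """Triage by the NIST thresholds quoted in the manual (> 50, 10 to 50, < 10)."""
    if score > 50:
        return "immediate action"
    if score >= 10:
        return "schedule for management"
    return "monitor"

def score_report(items):
    """One report: map each (threat source, vulnerability) pair to its risk score."""
    return {(i.threat_source, i.vulnerability): risk_score(i.likelihood, i.impact)
            for i in items}

def gap_list(report, threshold=10):
    """Pairs needing action (score >= threshold), highest risk first."""
    return sorted(((k, s, action_for(s)) for k, s in report.items() if s >= threshold),
                  key=lambda row: -row[1])

def compare_reports(baseline, update):
    """Per-pair change of an Update report versus the Baseline (negative = risk reduced)."""
    return {k: update.get(k, 0) - baseline.get(k, 0) for k in baseline.keys() | update.keys()}

# Constructed sample ratings (not values from the manual's charts), chosen to hit every threshold.
BASELINE = score_report([
    RiskItem("Malicious insider", "Data transmission", "H", "H"),  # 100 -> immediate action
    RiskItem("Human error", "System design", "M", "H"),            # 50 -> schedule (boundary)
    RiskItem("Human error", "Data modification", "M", "M"),        # 25 -> schedule
    RiskItem("Malicious outsider", "Data storage", "L", "M"),      # 5 -> monitor
])
# Update report after a safeguard lowered one likelihood rating from H to M (100 -> 50).
UPDATE = {**BASELINE, ("Malicious insider", "Data transmission"): risk_score("M", "H")}
```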
ssessment brings up the Review screen shown in Figure 3.11; click any section to load that data entry page. This selection is also a secure transmission and may take up to a minute to load.

3.4 UTM Data

This data section is different from the others. As shown in Figure 3.9, it requires numerical UTM (IPS and AV) data.

System and Information Integrity: Organizations are required to use intrusion detection and anti-virus protection to ensure protection of the system; training and experience are important in avoiding risks of data loss due to human error.

Compensating Controls Defined
Please list the type of Firewall/IPS/UTM used: FortiGate 50A
Please list number of days monitored by device in this dataset: 30
Is automatic protection enabled for IPS? Yes
Please list total number of emergencies during this period: 5
Please list total number of alerts during this period: 20
Please list total number of warnings during this period: 29
Is automatic protection enabled for viruses? Yes
Please list total number of virus infections detected during this period: 3
Please list the number of people with access to protected data: 15
Please list the number of people with access and less than one (1) year at this location: 2
Please list the number of login failures during this period: 14
Save and Review

Figure 3.9 UTM Data Section

3.5 Upload

This data section requires you to upload the organization's most recent SCAP scan (XCCDF).

XCCDF Upload (First / Previous / Next / Last)
Upload XCCDF Scan(s): Browse, Add Another File
Save and Continue

Figure 3.10 Upload Section

3.6 Data Review

The final section is the Review Screen. Once all of the sections have been updated, the Finalize button becomes active, as shown in Figure 3.11, and a Baseline Report can be generated.

Assessment ID 11-11-08-1226420367. Last XCCDF Upload 2008-11-13.
PCI Requirements Status (The updates suggest you may now be ...): The PCI_R1 section is complete. The PCI_R2 section is complete. The PCI_R3 section is complete. The PCI_R4 section is complete. The PCI_R5 section is complete. The PCI_R6 section is complete. The PCI_R7 section is complete. The PCI_R8 section is complete. The PCI_R9 section is complete. The PCI_R10 section is complete. The PCI_R11 section is complete. The PCI_R12 section is not complete; click here to view these items.
Buttons: Review All Answers, Finalize.
Compensating Controls Status: The AC section is complete. The AT section is complete. The AU section is complete. The CA section is complete. The CM section is complete. The CP section is complete.

Figure 3.11 Review Section

There are several ways to review your answers before submitting an assessment. Click a blue section link or use the pull-down menu to navigate back to the desired control secti
t Password / New Password (Passwords require a minimum of 8 characters) / Retype New Password / E-Mail Address / New E-Mail / Retype New E-mail / Username / New Username / Retype New Username / Submit

Figure 3.2 Account Settings

After changing the account verification information you will need to log in again using the new information. The next step in the account creation process is industry selection, shown in Figure 3.3. This information will indicate the typical regulatory scheme to be considered in the assessment. While the overall risk assessment process is similar for a variety of regulations, there are differences in the details.

Select Industry: Commercial (Hospitality, Retail, Travel, Other Commercial); Financial (Bank, S&L, Credit Union, Mortgage Company, Vehicle Dealer, Other Financial); Other (Government, Insurance, Medical, Other)

Figure 3.3 Industry Selection

After selecting your industry you must select any additional regulations governing your organization's risk assessment; verify that PCI DSS is selected.

The typical regulation set governing your indus ... : FISMA, GLBA, HIPAA, NAIC, PCI DSS, Other

Figure 3.4 Regulation Selection

After selecting the regulatory environment you will see the Menu (Figure 3.5): Wel ... / Start New Baseline Assessment / Main Menu / Find and Complete Assessments / Account Settings
ted July 09, 2008   www.acr2solutions.com

[Risk Assessment Chart (scanned image; individual cell values are not legible). Columns: Threat Source, Vulnerability, Likelihood, Impact, Risk. Threat sources: environmental events (wind, vehicle collision and others), Human error, Malicious insider, Malicious outsider. Vulnerabilities: Roof damage, Smoke damage, Damage to building, Facility damage, Data acquisition, Data storage, Data retrieval, Data modification, Data transmission, System design, Procedure implementation, Internal controls. Likelihood and impact are rated L, M or H.]

Baseline Report   Automated Update Report   Risk Assessment Number 05-14
unit.
Hyperlink (link): Clickable text or graphics that direct the user to another document, typically a website, or to another place within the same document.
Internal Network: The client's network.
Intrusion Detection System (IDS): Software or hardware that detects attacks on a computer or network but is incapable of stopping data damage or retrieval.
Intrusion Prevention System (IPS): Software or hardware that is capable of real-time prevention of an attack on a computer or network.
Isolated Network: Internal ACR 2 network.
Magnus Navigator: The client application that is used to configure and manage the Secutor Magnus server.
Network Administrator: The individual responsible for installing the system. This individual manages the local area communications network within an organization and traditionally is responsible for the configuration, maintenance, day-to-day operations and installation of infrastructure components.
Network Address Translation: The process of passing network traffic through a router that re-writes the source and/or destination IP addresses.
Risk Score: The likelihood that a vulnerability will be exploited, modified by the impact of the exploitation.
Risk Score Change: Risk Scores may change due to changes in the safeguards an organization uses or because of safeguard performance.
Router: A computer that is configured to route and forward information.
Software as a Service (SaaS): A sales model whereby access to the software application is hosted by the seller and the user is provided access via the Internet.
Status Report: A compilation of the current status of the safeguards for the information system.
Substantial Compliance: Several aspects of security compliance are covered in each question. If a majority of aspects are in place, the group is considered to be in substantial compliance and may answer Yes to the question.
System Logging (Syslog): The transmittal of event messages and alerts across an IP network. Messages are sent by the operating system or application to report the current status of a process.
Unified Threat Management (UTM): UTM is used to describe network firewalls that have many features in one box, including e-mail spam filtering, anti-virus capability, an intrusion detection or prevention system (IDS or IPS) and World Wide Web content filtering, along with the traditional activities of a firewall.
Update Report: Any report made after the Baseline report. Determines the degree of increase or decrease in compliance compared to the baseline. Update risk assessments are required after system changes.
Vulnerability: Areas where security is weak and is at risk of being exploited.

20081106
