The Basics of a Risk Assessment: Why Your Business Needs One

Learn how to make a risk assessment framework for your business.

By: George Mateaki, CISSP, SecurityMetrics
How much do you know about conducting a risk assessment? If your answer is, “not a lot,” you’re not alone.

Risk management for businesses can take on many forms. Depending on the size and complexity of an organization, risk management will receive varying levels of resources, and in most cases, play a critical role. From a business perspective, risk management requires serious consideration from both a compliance and a due diligence perspective.

Many businesses have difficulty making and implementing formal risk assessments. Here are a few basic questions your business may have.

SEE ALSO: 5 Steps to Making a Risk Assessment

Why do a risk assessment? 

The PCI DSS requires you to perform a formal risk assessment at least annually. This formal risk assessment should have a well-documented report that ranks risks and tracks remediation items.
If you aren’t performing and documenting a formal risk assessment, you’re not PCI compliant.
Risk management frameworks also give you a methodical approach to documenting and addressing the most important risks that face your organization. Once these are identified, they’re then ranked and appropriate resources allocated to mitigate those risks.

Remember, don’t do the process just to meet a PCI DSS requirement; perform this task as if your business depends on it, because that’s the type of attention it requires. What would put you out of business? What would cause the most damage to your business’s reputation? These are the questions you need to ask and address.

This is definitely not an exercise to Google, grab a sample of the Internet, modify it to look legitimate, and call the PCI DSS item completed . . .

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

How is risk defined? 

Risk is defined and quantified as impact multiplied by probability. Take the example of a fire destroying your warehouse: the probability comes from the number of warehouses destroyed by fire in your particular industry over a given period (e.g., ten years). That is multiplied by the impact, the value of your warehouse if it were destroyed by fire, which is determined by what insurance would not cover plus the cost of getting things back to normal. Attaching a monetary value to each risk, weighted by its probability, helps in ranking the various risks.
Put simply, risks are what harm your business, financially and security-wise. You’ll need to prioritize and address the risks that will cause the most damage to your business.

What types of risk management standards should I use?

The standard of risk management to be used will depend on your business’s unique environment.

The PCI Security Standards Council (2012) provides a good starting point in terms of typical industry-accepted risk management frameworks. Its guidance lists ISO27005 (ISO is not an acronym; it comes from the Greek word for equal), NIST (National Institute of Standards and Technology) 800-30, and OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) (2012).

ISO27005 (ISO, n.d.) is part of the ISO 27K series and supports the basic requirements of the ISO 27001 information security standard. Most CISSPs (Certified Information Systems Security Professionals; the certification is affectionately called the “crispy” certificate, which is what you feel like after the exam) should be able to tell you that the 27001 information security standard requires data classification. This is a big part of quantifying what you have and determining value as part of the risk ranking process. You need to understand what you have before you can determine risk based on probability and impact.

The NIST 800-30 (NIST, 2012) is another industry standard based on federal requirements. NIST (2012) describes risk management as a way for organizations to “identify, estimate, and prioritize risk,” which leads to supporting either the mission or the business.

OCTAVE, a product of the Software Engineering Institute at CMU (Carnegie Mellon University), also provides a highly regarded approach to risk management. OCTAVE methods are self-described as “self-directed, flexible, and evolved,” and use cross-organizational teams (drawn from the various business units) that work together with IT to address information security risks.

The formal risk assessment brings value in getting the big picture in terms of the business and what resource allocation should occur based on the risk ranking. Viewing the formal annual risk assessment requirement as a checklist item is a bad approach to information security.

Remember, you can’t protect your business from risks you aren’t aware of.

Not sure if you’re PCI compliant? Let’s see where your business is lacking. 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

SecurityMetrics Presents Seminar on Compliance Myths in Birmingham

Learn about the top 10 compliance myths and what you can do to protect data 

If you don’t know much about compliance, you’re not alone. Many businesses have a lot of
misconceptions when it comes to HIPAA and PCI compliance.

This is why SecurityMetrics, Netmail, and Sparkhound are hosting a seminar on the Top 10 Compliance Myths and Misunderstandings on October 13, 2016 from 9:00 AM to 12:00 PM at The Club in Birmingham, Alabama.

John Bartholomew, Vice President of Sales at SecurityMetrics, and Frederic Bourget, Chief Technology Officer at Netmail, will be presenting the top 10 HIPAA and PCI myths and misunderstandings that healthcare organizations and financial institutions face. They will also be talking about the risks of not protecting PHI and card data, and tips on how to secure your data.

Come talk about data security and compliance, network with peers, listen to experts, and enjoy a free gourmet breakfast.

Please join us in October!

Date: Thursday, Oct 13, 2016
Time: 9:00 AM – 12:00 PM
Location: The Club, 1 Robert S. Smith Dr., Birmingham, AL 35209

Register for the Top 10 Compliance Myths and Misunderstandings Seminar. 

PCI Compliant Firewalls: 5 Things You’re Doing Wrong

Here are some mistakes your business might be making with firewalls. 

Read the white paper, How to Implement and Maintain PCI Compliant Firewalls.

When’s the last time you thought about your firewall? If it’s been a while, you may have a problem.

While PCI 3.2 has minimal changes to firewalls themselves, it’s important that businesses are compliant and up to date with the PCI DSS’s requirements for firewalls.

Unfortunately, many businesses’ firewalls aren’t PCI compliant.
Here are 5 things businesses are doing wrong in getting their firewalls PCI compliant.

1. Lack of proper configuration

Many businesses think firewalls are plug-and-play technology and don’t think about them once they’re installed. However, most firewalls need to be configured to your unique business environment.

If you don’t think this is important, think again. Among the breached merchants SecurityMetrics has investigated, over 76% of organizations didn’t have their firewalls correctly configured. It’s through this vulnerability that hackers were able to gain access to and steal sensitive data.

You need to establish and maintain firewall rules governing what can go in and out of your network. If you don’t, the firewall does little or nothing to protect your network.

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

2. Not using network segmentation 

You can use firewalls to keep your card environment separate from the rest of your network. This helps reduce your PCI scope and simplifies your security efforts.

It’s true that segmenting your network is technically not required by PCI, but it really does help your business secure your network better and more easily. If you want to get PCI compliant more efficiently, segmentation is a good method.

Segmenting your network can be extremely technical, so you may want to get a third party to help you set it up properly.

SEE ALSO: How Does Network Segmentation Affect PCI Scope?

3. Lack of log management

Firewall logs will do your business no good unless you have someone (or a monitoring software) that’s actually keeping track of those logs and noting when something seems off.

Think of log management as a guard in a watch tower. The security does you no good unless someone can see a potential problem and tell you, “Hey, something is going on!”

It’s best to get file monitoring software. It will keep track of your firewall logs and notify you if something suspicious happens, like someone trying to log into your network over 300 times at 2 in the morning. You’ll still need someone who keeps track of these notifications so that the software isn’t just pinging in an empty room.

Remember, you can’t stop a breach if you don’t know if it’s happening.
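As an added illustration of the log-management point above (not code from SecurityMetrics or the original post), here is a small Python detector that parses firewall log lines and flags a source with 300 or more failed logins inside a one-hour window, noting whether the burst began during quiet hours such as 2 in the morning. The log line format, the thresholds and the sample lines are assumptions constructed for this example.

```python
"""Flag bursts of failed firewall logins, as a log-monitoring tool would.

Constructed example; the line format, thresholds and sample data are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style line, e.g.:
# "2016-10-13T02:00:00 fw01 login-fail src=203.0.113.7 user=admin"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login-(?:fail|ok)) "
    r"src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for lines we ignore."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_bursts(lines, threshold=300, window=timedelta(hours=1),
                quiet_hours=range(0, 6)):
    """Alert on any source with >= threshold failed logins in a sliding window.

    Each alert records the source, the count in the window, the window bounds
    and whether the window started during quiet hours (constructed as 00:00
    to 05:59), when such a burst deserves a human's attention the most.
    """
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["event"] == "login-fail":
            failures[rec["src"]].append(rec["ts"])

    alerts = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"src": src, "count": count,
                               "first": times[start], "last": t,
                               "off_hours": times[start].hour in quiet_hours})
                break  # one alert per source is enough for the reviewer
    return alerts


def sample_log():
    """Constructed sample: one source hammers the firewall at 2 AM."""
    base = datetime(2016, 10, 13, 2, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} fw01 login-fail "
             f"src=203.0.113.7 user=admin" for i in range(320)]
    lines += ["2016-10-13T09:15:00 fw01 login-fail src=198.51.100.4 user=bob",
              "2016-10-13T09:15:20 fw01 login-ok src=198.51.100.4 user=bob",
              "unrelated line the parser should skip"]
    return lines


if __name__ == "__main__":
    for alert in find_bursts(sample_log()):
        print(alert)
```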

4. No documentation

PCI Requirement 1 says you should document all firewall policies and procedures. This is a requirement many businesses overlook.

Firewall documentation will help your team understand what’s been done, what needs to be done, and where the problems are in your environment. It basically helps keep your security efforts more organized, and makes things easier for future updates and changes.

Some things to consider documenting include:
  • Description of groups, roles, and responsibilities: make sure those involved are aware of their responsibilities. 
  • Business justification for allowed services, protocols and ports: If you need any ports open for your business, you’ll need to document why you need them. 
  • Network and cardholder data flow diagrams: You can’t protect your data if you don’t know where it goes. Having these diagrams helps you see where your data is received, stored, and transmitted and where to implement your firewalls. 

5. No reviewing and testing

In a recent survey we did of over 350 individuals responsible for compliance decisions, 32% of respondents didn’t know how often the firewall rules were reviewed in their businesses. No matter the size of your environment, things change over time. Firewall rules will need to be rewritten or tweaked.

The PCI DSS requires organizations to review firewall and router rule sets at least every six months. This helps you ensure there are no security weaknesses and gives you the chance to update your firewall strategy as needed.

You also need to test the effectiveness of your firewall rules, such as scanning for rogue wireless access points. Two good ways to test your network are through vulnerability scans and penetration tests.
  • Vulnerability scans are a great weekly, monthly, or quarterly insight into your network. They scan for possible vulnerabilities in your network.
  • Penetration tests are a more thorough way to deeply examine network security. In these tests, white hat hackers will try to find possible ways into your network.
SEE ALSO: Pentesting vs Vulnerability Scanning: What’s the Difference?

Ask a QSA!

Firewalls can be rather technical, and if you’re not sure what you need to do, you’ll want to talk to an expert. Qualified Security Assessors (QSAs) can help you figure out what types of firewalls you need, what your scope includes, and how you should handle log management.

Whatever your environment needs, make sure you’re properly setting up and maintaining your firewalls.

Your firewall is only as effective as you make it.

Need help with firewalls? Check out our managed firewall service!

Updating to PCI 3.2 SAQs: The Changes You Should Know

PCI DSS 3.2 has added new requirements to the SAQs and removed some others.

Read our white paper, How to Become Compliant with PCI DSS 3.2

If you’re new to the PCI DSS, you might not know much about Self-Assessment Questionnaires (SAQs). SAQs are used to help businesses validate and prove their compliance with the PCI DSS.

As you may know, PCI DSS 3.2 was released on April 28, 2016. On October 31, 2016, PCI DSS 3.1 will retire and all assessments will need to use the PCI DSS version 3.2 SAQs.

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

New SAQ Requirements 

So what has changed with the SAQs? While there aren’t any new SAQ types or changes to SAQ descriptions, a fair number of requirements have been added or removed.
Here’s an overview list of requirement changes in each PCI DSS SAQ:
  • SAQ A added 8 more requirements (multi-factor authentication, improved user access controls, etc.) 
  • SAQ A-EP added 52 more requirements (firewall configuring and documentation rules, coding procedures, intrusion detection and prevention systems, etc.) 
  • SAQ B remained the same 
  • SAQ B-IP added one more requirement (multi-factor authentication) 
  • SAQ C-VT added 6 more requirements (multi-factor authentication, improved user access controls, etc.) 
  • SAQ C added 21 more requirements (multi-factor authentication, user access controls, etc.)
  • SAQ D added 15 more requirements (cryptographic architecture documentation, semi-annual penetration tests on segmentation, etc.) 
  • SAQ P2PE removed 2 requirements (masking and emailing unencrypted PAN data) 
These new changes reflect the changes made with 3.2, including multi-factor authentication, pen testing requirements, and clarifying masking and encryption.

What does each SAQ cover? 

Each SAQ handles a different aspect of a business’s payment process. Here’s a quick chart on each SAQ and what it covers.

[Chart columns: # of questions, vulnerability scan, penetration testing]

E-commerce website (third party)
  • Fully outsourced card acceptance and processing
  • Merchant website provides an iframe or URL that redirects the consumer to a third-party payment processor
  • Merchant can’t impact the security of the payment transaction

E-commerce website (direct post)
  • Merchant website accepts payment using a direct post or transparent redirect service

Processes cards via:
  • Analog phone, fax, or stand-alone terminal
  • Cellular phone (voice), or stand-alone terminal
  • Knuckle buster/imprint machine

Processes cards via:
  • Internet-based stand-alone terminal isolated from other devices on the network

Payment application systems connected to the Internet:
  • Virtual terminal (not C-VT eligible)
  • IP terminal (not B-IP eligible)
  • Mobile device with a card processing application or swipe device
  • View or handle cardholder data via the Internet
  • POS with tokenization

E-commerce website
  • Merchant website accepts payment and doesn’t use a direct post or transparent redirect service

Electronic storage of card data
  • POS system doesn’t use tokenization or P2PE
  • Merchant stores card data electronically

Point-to-point encryption
  • Validated PCI P2PE hardware payment terminal solution only
  • Merchant specifies they qualify for the P2PE questionnaire

How many SAQs you’ll need to fill out depends on your business environment. For example, companies that don’t have a website accepting payment using a direct post or transparent redirect service don’t have to fill out SAQ A-EP.

SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?

A good way to reduce the number of SAQs you need to fill out is to reduce your PCI scope. For example, if you use tokenization and don’t store any card data, you don’t have to fill out SAQ D, which has over 329 questions.

Ask for help!

Getting your SAQs straight can be tricky. An Approved Scan Vendor (ASV) or Qualified Security Assessor (QSA) helps you determine which ones you need to fill out, what kind of business environment you have, and some best practices to implement requirements. QSAs have a deep knowledge of PCI compliance and are the best solution to help you navigate the standard.

To learn more about 3.2, read our white paper, How to Become Compliant with PCI DSS 3.2

Employee Training in Data Security: What You Should Do

Don’t let employee training fall to the side of data security. 

By: David Page
When it comes to data security, many businesses tend to think of things like locks, firewalls, and the latest technology to protect their sensitive data. But they often overlook their biggest vulnerability: employees.

Now, I’m not saying employees are bad; they’re just human, and humans make mistakes. Unfortunately, many hackers will take advantage of human error to gain access to your data. You need to spend just as much time and money on your employees as you do on secure technology.
Many data breaches happen as a result of a well-meaning employee doing something that makes your business vulnerable, whether it’s clicking on a phishing email that downloads malware, giving out sensitive information to someone they shouldn’t, or not being diligent in protecting their passwords. Most of these cases aren’t even intentional or malicious.

Why is training important?

A question a business may have is: why should employee training matter so much? After all, a business just has to have a firewall and security policies in place and it should be good, right?

Your security policies are useless if your employees aren’t aware of them. For example, you may have a policy on what to do if you suspect a data breach. But if your employees aren’t trained in what they should do in that situation, they will likely make an error or waste time in reporting it to the right people, potentially causing your business more damage.

Another problem is social engineering, which is rapidly becoming a big threat against businesses of all types and sizes. The problem with social engineering is that it targets your employees specifically. If your employees aren’t trained to recognize social engineering tactics, you could be vulnerable to a data breach.

Finally, you and your employees should care about data security and maintaining compliance with PCI, HIPAA, and other industry data security standards. You need to instill a sense of urgency in your employees when it comes to data security. Sometimes they’re all that stands between your business and a damaging data breach.

Who should be trained in data security?

It’s important to train all of your employees on basic data security best-practices.
It’s critical that employees with access to sensitive data know how to protect it.
Things like email phishing scams and social engineering can affect anyone in your business from the top executive to the janitor. Make sure all of your employees are briefed on policies involving basic physical and data security.

What should employees be trained on?

It’s good to make a list of policies employees should be made aware of and be trained on. Some policies may include:
Basically, if you have a policy about security that involves your employees, your employees should know about it.

Tips for training employees

Holding yearly meetings doesn’t really do it anymore—your employees need a constant reminder to prioritize data security in their daily activities. They will also absorb more information if they receive training more often. Here are some tips to get your employees ready.
  • Set monthly training meetings: focus each month on a different aspect of data security, such as passwords, social engineering, email phishing, etc.
  • Give frequent reminders: these could be sent out in an email or newsletter that includes tips for employees
  • Train employees on new policies ASAP: also, newly hired employees should be trained on policies as quickly as possible
  • Make training materials easily available: Intranet sites are a great way to provide access to training and policy information
  • Create incentives: reward your employees for being proactive

Watch out for your employees

It’s important to make sure your employees understand how critical their role is in keeping your business’s data secure. Training employees should be a top priority in your overall data security strategy. After all, your employees are the ones standing between your data and the bad guys. Shouldn’t you make sure they know what to do?

Need help finding resources for employee training? Talk to us!

David Page is a Qualified Security Assessor and has been working at SecurityMetrics for two and a half years. He has over 18 years’ experience in network and system engineering, design, and security.