Question
Case Study: PCI Risk
A good example of a tough risk decision can be found when looking at the Payment Card
Industry (PCI) requirements for protecting credit card and personal information. Although not technically a regulation, these standards come close to it for credit card processors and companies in the retail industry. Many of the large merchants have implemented full disk encryption or database level encryption to protect that data on back-end servers based on the PCI Data Security Standards (DSS) published by the major credit card companies:
PCI-DSS: Use of strong cryptography like disk encryption to protect sensitive data [2].
We already alluded to the idea that database encryption may be a suspect control in
Chapter 1. Although encryption may be a good solution for mobile devices, it fails to mitigate the real threats of an application-level attack on databases storing card numbers in data centers. Let’s look at why this standard may not make sense when applied to database servers.
Think about an attack on an application that stores credit card numbers in a database.
In order to function, the application needs some way to decrypt the data regardless of whether it is stored on an encrypted drive or whether the database encrypts at a field level.
This means that the best vector for an attacker is to exploit weaknesses in the application and use it to access card numbers in the database. In this case, all you have protected against is abuse of the data by the database administrators if you encrypt at a field level, or physical theft of the server itself if you encrypt at the drive level. If the database server is in a retail store, maybe there is a real threat of physical theft, but think about databases in secure data centers. Is this control really making that sensitive data more secure? The only viable way to defeat these application attacks is to hash the sensitive data instead of encrypting it, but this only works for certain data types. It works well for an identifier or authentication credential because you can compare it in its hashed form, but for other sensitive data, you will need to present it back to the application in its raw format, which eliminates hashing as an option. Unless you are worried about an attacker physically running off with the drives in your servers, then full disk encryption isn’t reducing your risk at all. If an attacker doesn’t target the application as their way in but rather goes after a vulnerability on the database server directly, then the encryption is even more useless. Chances are if they can compromise the server, they will also get access to the unencrypted data fairly easily. Without a formal risk assessment and analysis methodology, many organizations will implement the controls they need to in order to be “compliant,” but really not reduce their risk exposure at all.
Q1: Why is a formal risk assessment so important for the above scenario?
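The case study's core argument, that field-level or disk encryption only covers whoever lacks the key (DBA, stolen drive) while any code path through the application gets plaintext, and that hashing only works for data that is compared rather than presented back, can be made concrete with a small model. This is an added example, not code from the book or the question; the cipher is a stand-in for AES built from an HMAC keystream so it runs with the standard library only, and the vault names and sample card number are constructed.

```python
import hmac, hashlib, os, secrets

# Constructed model of a card vault. The application tier holds APP_KEY because
# it must decrypt to function; nothing that reaches the database directly has it.
APP_KEY = secrets.token_bytes(32)   # field-level encryption key, held by the app
HMAC_KEY = secrets.token_bytes(32)  # separate secret for keyed (non-reversible) tokens

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in for AES-CTR (example only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(16)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def hash_identifier(value: str) -> str:
    # Keyed one-way token: comparable but not recoverable. A secret key matters here
    # because a bare hash of a low-entropy value like a card number is easy to brute-force.
    return hmac.new(HMAC_KEY, value.encode(), hashlib.sha256).hexdigest()

DB: dict = {}  # constructed in-memory "database table"

def app_store_card(customer: str, pan: str) -> None:
    DB[customer] = {"pan_enc": encrypt_field(APP_KEY, pan),
                    "pan_token": hash_identifier(pan)}

def dba_view(customer: str) -> bytes:
    """Direct database or disk access (DBA, stolen drive): ciphertext only, no key."""
    return DB[customer]["pan_enc"]

def app_view(customer: str) -> str:
    """Any code path through the application sees plaintext, since the app decrypts to work."""
    return decrypt_field(APP_KEY, DB[customer]["pan_enc"])

def app_matches_card(customer: str, candidate: str) -> bool:
    """Identifier check done entirely in hashed form: no plaintext comes back."""
    return hmac.compare_digest(DB[customer]["pan_token"], hash_identifier(candidate))
```

The three access functions mirror the three cases in the text: encryption at rest protects the `dba_view` path only, the `app_view` path is unaffected, and `app_matches_card` shows the hashed form that works for an identifier or credential but not for data the application has to hand back.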
Explanation / Answer
A risk assessment is an examination of different areas of the workplace that could cause illness or injury to your employees. By conducting a risk assessment you can see whether or not you have taken sufficient measures to protect your workers against work place hazards.
A risk assessment must be “suitable and sufficient” and conducted by a “competent person”; it could be conducted by you if you work in a smaller organisation and are confident you meet the above criteria. You are legally required to assess risks in your workplace and implement plans to control the risks. You are not expected to eliminate all risks, but you are expected to protect anybody in your workplace as far as is ‘reasonably practicable’.
Formal risk assessment is the process of systematically reviewing evidence that defines or estimates a risk in the population. The purpose is to guide risk management (e.g. preventive and control measures).
Problem formulation
The scope of the assessment is the starting point. This could be the risk of introduction of a disease agent, or the risk of spread of a disease. It could cover threats to one sector (health) or many (e.g. agriculture, food, security). Once the scope is defined, the problem is formulated, with related objectives of the assessment (SMART). This will also clarify what sectors of society are affected by the problem.
Constituting a Formal Risk assessment group
Many hazards that are assessed cut across different sectors and disciplines in health. Therefore, the team needs to reflect this multidisciplinary and multisectoral aspect. The group should be large enough to cover all areas and include representatives from health and other relevant sectors. Additional experts will be contacted to provide expert input.
Defining the impact
The scope of the risk assessment also defines the scope of the impact to describe: only health, or also other areas such as economics, travel, agriculture, security, etc. The impact depends on various hazard factors.
Modeling the risks
Scenario tree modeling describes the chain of events that will lead to possible risks. This requires describing a tree of events (each event step will be a relevant condition for the final risk). Then, for each of these steps, the probability is assigned. Finally, a sensitivity analysis is performed.
Mapping the risks
It is usually relevant for risk managers to have a visual representation of risks according to geographical region of a country (map). This will help to set priorities for risk reduction strategies. Risk maps can also aggregate information from different factors that are considered predictors of probability of an event.
Sources of data
Probability and impact need to be fact- and evidence-based as much as possible. Surveillance data (human, animal, environmental) are useful, as are specific surveys and published research. If information is missing from those sources, then expert opinion can be recruited to complement the required information.