PCI DSS V4 empowers merchants using customised Approach for control assessment instead of demonstrating compliance under the Defined Approach. This presentation explains how to apply the NIST endorsed Open Group FAIR cyber risk quantification framework to demonstrate compliance of a Customized Approach meeting the objective of the corresponding controls supported by Controls Matrix documentation.
Under the draft version of PCI DSS V4, the new Customised Approach will help merchants and other organisations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. This presentation walks through a high-level step-by-step guideline in applying the NIST endorsed Open Group FAIR cyber risk quantification framework, expressing cyber risk in dollar values, to communicate these customised control designs to the business stakeholders in order to secure their support and funding approval.
The three key takeaways are:
- Communicates cyber risk in dollar value to explain the prioritisation decisions
- Contextualise prioritisation decisions against organization mission and risk appetite
- Supports the prioritisation decision process using vigorous quantification calculations
Denny Wan is a thought leader in applying the NIST endorsed Open Group FAIR cyber risk quantification methodology to prioritise cyber risk management based on the organisation's mission and risk appetite. He is a certified ISO 27001 Lead Auditor and PCI QSA. with deep expertise in expressing cyber risk using business language by quantifying the potential financial loss. He is a community builder who founded the Sydney Chapter of the FAIR Institute. He is a frequent public speaker recently presented in FAIRCON 2020.