EQAA 11th Session: Jamil Kalat-Malho, Jong Ho Lee
TRANSCRIPT
![Page 1: EQAA 11 th Session Jamil Kalat-Malho Jong Ho Lee](https://reader036.vdocuments.site/reader036/viewer/2022081420/56649e3b5503460f94b2df50/html5/thumbnails/1.jpg)
EQAA 11th Session
Jamil Kalat-Malho
Jong Ho Lee
Page 2
• Risk Management (NIST SP 800-30)
• Risk Assessment
• Risk Mitigation
• Review and Evaluation
Page 3
• Risk Management is a preventive measure.
• It is a continuous process to manage an exposure before a threat can take advantage of a vulnerability.
• The goal is to reduce the residual risk to a level that management accepts.
Page 4
• Risk is the likelihood that some unwanted event could occur.
• It is the probability that a particular threat could cause damage to corporate assets by exploiting a known vulnerability.
Page 5
• What is Risk Assessment?
• Risk assessment is a process to determine the potential threats and vulnerabilities.
• Step 1 System Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation
Page 6
• Step 1 System Characterization
  • Information gathering techniques
    • Questionnaire
    • On-site interviews
    • Document review
• Step 2 Threat Identification
  • Source analysis
  • Problem analysis
• Step 3 Vulnerability Identification
  • Threat/Vulnerability pairing
Page 7
• Step 4 Control Analysis
  • Technical and non-technical controls
  • Preventive controls
  • Detective controls
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
  • Qualitative vs. Quantitative
Page 8
• Step 7 Risk Determination
  • Risk scale = (Likelihood) x (Impact)
• Step 8 Control Recommendations
• Step 9 Results Documentation
Page 9
• What is Risk Mitigation?
• Risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process, using a least-cost, most-appropriate-controls approach.
• Risk Avoidance (eliminate, withdraw from, or not become involved)
• Risk Reduction (optimize, mitigate)
• Risk Sharing (transfer: outsource or insure)
• Risk Retention (accept and budget)
Page 10
• Risk assessment results and mitigation plans should be reviewed and updated periodically.
• Evaluation of the selected controls.
• Evaluation of possible changes in risk level.
• Evaluation of the incident response plan.
• Evaluation of the business continuity plan.
• Evaluation of the disaster recovery plan.
• Due care and due diligence.
Page 11
• Too many methodologies.
• Very time consuming and complex.
• An ongoing process rather than a one-time process.
Page 12
• Hot fixes/Patches
• Minor releases
• Major releases
Page 13
• A game console manufacturing company is planning to change its firmware from Firmware A to Firmware B.
• System Characterization:
  • Physical:
    • Internal: company servers and other infrastructure, technicians, etc.
    • External: customers' game consoles, etc.
  • Logical:
    • Internal: Platform A data, functional requirements, etc.
    • External: customers' saved games, pictures, other data, etc.
Page 14
Risk register template (column headings only on the slide):

| Threat/Vulnerability | Likelihood (L) | Impact (Qualitative) | Impact (Quantitative) (I) | Risk Scale = (L) x (I) | Controls/Solutions |
|---|---|---|---|---|---|
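The register columns above and the Step 7 formula from Page 8 (Risk scale = Likelihood x Impact) carried through in code, as an added example that is not part of the original slides. It assumes the numeric ratings of NIST SP 800-30 (2002), Tables 3-6 and 3-7, which the slides cite but do not reproduce: likelihood High 1.0, Medium 0.5, Low 0.1; impact High 100, Medium 50, Low 10; risk level Low 1 to 10, Medium above 10 to 50, High above 50 to 100. The register rows are constructed sample input for the slides' Firmware A to Firmware B scenario, not findings about any real product, and the `residual` helper is this example's own way of showing Step 8 feeding back into the scale.

```python
"""Added worked example for Steps 5-8 (likelihood, impact, risk
determination, control recommendation) and the register template.

Numeric values follow NIST SP 800-30 (2002) Tables 3-6 and 3-7:
  likelihood  High = 1.0, Medium = 0.5, Low = 0.1
  impact      High = 100, Medium = 50,  Low = 10
  risk scale  = likelihood x impact, binned as
               Low (1-10), Medium (>10-50), High (>50-100)
The SAMPLE_REGISTER rows are constructed illustrative input for the
firmware-change scenario on the slides, not real findings.
"""
from dataclasses import dataclass, replace

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_level(scale: float) -> str:
    """Step 7: bin a risk scale value into the SP 800-30 risk level.

    Bands are closed at the top, so exactly 50 is Medium and exactly 10 is Low.
    """
    if scale > 50:
        return "High"
    if scale > 10:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class RiskItem:
    """One row of the register: a threat/vulnerability pair with its ratings."""
    threat_vulnerability: str
    likelihood: str          # qualitative rating: High / Medium / Low
    impact: str              # qualitative rating: High / Medium / Low
    controls: tuple = ()     # Step 8 control recommendations

    @property
    def impact_value(self) -> int:
        """Quantitative impact (I) derived from the qualitative rating."""
        return IMPACT[self.impact]

    @property
    def risk_scale(self) -> float:
        """Risk scale = (L) x (I)."""
        return LIKELIHOOD[self.likelihood] * self.impact_value

    @property
    def risk_level(self) -> str:
        return risk_level(self.risk_scale)


def rank(register):
    """Highest risk first, so control recommendations are prioritized by risk."""
    return sorted(register, key=lambda r: r.risk_scale, reverse=True)


def residual(item, likelihood=None, impact=None):
    """Re-rate an item after a control is applied; the result is its residual risk.

    Only the rating(s) passed in change (hypothetical helper, not from the slides).
    """
    return replace(item,
                   likelihood=likelihood or item.likelihood,
                   impact=impact or item.impact)


def to_row(item):
    """Map an item onto the six register columns of the slide's template."""
    return {
        "Threat/Vulnerability": item.threat_vulnerability,
        "Likelihood (L)": item.likelihood,
        "Impact (Qualitative)": item.impact,
        "Impact (Quantitative) (I)": item.impact_value,
        "Risk Scale = (L) x (I)": item.risk_scale,
        "Controls/Solutions": "; ".join(item.controls),
    }


# Constructed sample register for the Firmware A -> Firmware B scenario.
SAMPLE_REGISTER = (
    RiskItem("Update interrupted mid-write leaves the console unbootable",
             "High", "High", ("Dual firmware slots with rollback",)),
    RiskItem("Console flashes a firmware image without checking its signature",
             "Medium", "High", ("Verify the image signature before flashing",)),
    RiskItem("Customer saved games lost during data migration",
             "Medium", "Medium", ("Back up customer data before migrating",)),
    RiskItem("Update server unavailable during the rollout window",
             "Low", "Low", ("Stagger the rollout; monitor server capacity",)),
)

if __name__ == "__main__":
    for item in rank(SAMPLE_REGISTER):
        row = to_row(item)
        print(f"{item.risk_level:6} {row['Risk Scale = (L) x (I)']:6.1f}  "
              f"{row['Threat/Vulnerability']}")
    before = SAMPLE_REGISTER[1]
    after = residual(before, likelihood="Low")   # signature check lowers likelihood
    print(f"residual: {before.risk_scale} -> {after.risk_scale} ({after.risk_level})")
```

Two things worth noticing when running it: a Medium likelihood against a High impact lands exactly on 50, which SP 800-30 bins as Medium, not High, so the band boundaries matter when the register is used to argue for budget; and the residual computation only re-rates the likelihood, since a signature check makes exploitation less likely but does nothing to reduce the impact if it is bypassed.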
Page 15
• "Risk Management Guide for Information Technology Systems." National Institute of Standards and Technology, Special Publication 800-30.
• http://en.wikipedia.org/wiki/Risk_management
• MISSM 533 lecture notes on Risk Management