EQAA 11 th Session Jamil Kalat-Malho Jong Ho Lee

Posted on 27-Dec-2015

Page 1: EQAA 11th Session, Jamil Kalat-Malho and Jong Ho Lee

EQAA 11th Session
Jamil Kalat-Malho
Jong Ho Lee

Page 2

• Risk Management (NIST SP 800-30)
• Risk Assessment

• Risk Mitigation

• Review and Evaluation

Page 3

• Risk management is a preventive measure.

• It is a continuous process to manage an exposure before a threat can take advantage of a vulnerability.

• The goal is to reduce the residual risk to a level acceptable to management.

Page 4

• Risk is the likelihood that some unwanted event could occur.

• The probability that a particular threat could cause damage to corporate assets by exploiting any known vulnerabilities.

Page 5

• What is risk assessment?
  • Risk assessment is a process to determine the potential threats and vulnerabilities.

• Step 1 System Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation

Page 6

• Step 1 System Characterization
  • Information gathering techniques
    • Questionnaire
    • On-site interviews
    • Document review

• Step 2 Threat Identification
  • Source analysis
  • Problem analysis

• Step 3 Vulnerability Identification
  • Threat/vulnerability pairing

Page 7

• Step 4 Control Analysis
  • Technical and non-technical controls
  • Preventive controls
  • Detective controls

• Step 5 Likelihood Determination

• Step 6 Impact Analysis
  • Qualitative vs. quantitative

Page 8

• Step 7 Risk Determination
  • Risk scale = (Likelihood) x (Impact)

• Step 8 Control Recommendations

• Step 9 Results Documentation

Page 9

• What is risk mitigation?
  • Risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process (a least-cost approach using the most appropriate controls).

• Risk Avoidance (eliminate, withdraw from or not become involved)
• Risk Reduction (optimize, mitigate)
• Risk Sharing (transfer: outsource or insure)
• Risk Retention (accept and budget)

Page 10

• Risk assessment results and mitigation plans should be reviewed and updated periodically.

• Evaluation of the selected controls.

• Evaluation of possible risk level changes.

• Evaluation of the incident response plan.

• Evaluation of the business continuity plan.

• Evaluation of the disaster recovery plan.

• Due care and due diligence.

Page 11

• Too many methodologies.

• Very time consuming and complex.

• An ongoing process rather than a one-time process.

Page 12

• Hot fixes/Patches

• Minor releases

• Major releases

Page 13

• A game console manufacturing company is planning to change its firmware from Firmware A to Firmware B.
• System Characterization:
  • Physical:
    • Internal: company servers and other infrastructure, technicians, etc.
    • External: customers' game consoles, etc.
  • Logical:
    • Internal: Platform A data, functional requirements, etc.
    • External: customers' saved games, pictures, other data, etc.

Page 14

Risk assessment worksheet (column headings):

Threat/Vulnerability | Likelihood (L) | Impact (Qualitative) | Impact (Quantitative) (I) | Risk Scale = (L) x (I) | Controls/Solutions
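The worksheet above, filled in for the Firmware A to Firmware B case study and carried through steps 5 to 7, as an added Python example that is not part of the slides. It uses the numeric likelihood (1.0/0.5/0.1) and impact (100/50/10) ratings and the Low/Medium/High risk bands from NIST SP 800-30; the threat/vulnerability rows and controls are constructed for illustration.

```python
"""Risk scale worksheet for steps 5-7 of NIST SP 800-30 (example, not the slides' code).
Qualitative ratings map to the numeric values SP 800-30 uses: likelihood
High/Medium/Low = 1.0/0.5/0.1 and impact High/Medium/Low = 100/50/10."""
from dataclasses import dataclass

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

@dataclass
class WorksheetRow:
    pair: str        # threat/vulnerability pair (step 3)
    likelihood: str  # qualitative likelihood rating (step 5)
    impact: str      # qualitative impact rating (step 6)
    control: str     # candidate control or solution (step 8)

    def risk_scale(self) -> float:
        # Step 7: Risk Scale = (L) x (I); rounded so 0.1 x 100 is exactly 10.0
        return round(LIKELIHOOD[self.likelihood] * IMPACT[self.impact], 2)

def risk_level(scale: float) -> str:
    """SP 800-30 risk bands: Low 1-10, Medium >10-50, High >50-100."""
    if scale > 50:
        return "High"
    return "Medium" if scale > 10 else "Low"

def build_worksheet(rows):
    """Return the worksheet as dicts, sorted highest risk scale first."""
    done = [{"pair": r.pair, "L": r.likelihood, "I": r.impact, "scale": r.risk_scale(),
             "level": risk_level(r.risk_scale()), "control": r.control} for r in rows]
    return sorted(done, key=lambda d: d["scale"], reverse=True)

# Constructed rows for the Firmware A -> Firmware B case study (not from the slides).
SAMPLE_ROWS = [
    WorksheetRow("Interrupted update / customer saved games and pictures lost",
                 "Medium", "High", "Back up customer data before flashing; resumable update"),
    WorksheetRow("Corrupted Firmware B image / console accepts it", "Low", "High",
                 "Sign the image and verify the signature on the console"),
    WorksheetRow("Update server outage / customers cannot update", "Medium", "Medium",
                 "Redundant servers and staged rollout"),
    WorksheetRow("Technician error / wrong image shipped", "Low", "Low",
                 "Release checklist and document review"),
]

if __name__ == "__main__":
    for row in build_worksheet(SAMPLE_ROWS):
        print(f"{row['level']:6} {row['scale']:5.1f}  {row['pair']} -> {row['control']}")
```

The sorted output is the prioritized list that step 8 (control recommendations) and the mitigation step work from.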

Page 15

• "Risk Management Guide for Information Technology Systems." National Institute of Standards and Technology, Special Publication 800-30.

• http://en.wikipedia.org/wiki/Risk_management

• MISSM 533 lecture notes on risk management.