EQAA 11th Session. Jamil Kalat-Malho, Jong Ho Lee
Dec 27, 2015
• Risk Management (NIST SP 800-30)
• Risk Assessment
• Risk Mitigation
• Review and Evaluation
• Risk Management is a preventive measure.
• It is a continuous process to manage an exposure before a threat can take advantage of a vulnerability.
• The goal is to reduce the residual risk to a level that management finds acceptable.
• Risk is the likelihood that some unwanted event could occur.
• It is the probability that a particular threat could cause damage to corporate assets by exploiting any known vulnerabilities.
• What is Risk Assessment?
• Risk assessment is a process to determine the potential threats and vulnerabilities.
• Step 1 System Characterization
• Step 2 Threat Identification
• Step 3 Vulnerability Identification
• Step 4 Control Analysis
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Step 7 Risk Determination
• Step 8 Control Recommendations
• Step 9 Results Documentation
• Step 1 System Characterization
• Information gathering techniques:
• Questionnaire
• On-site Interviews
• Document Review
• Step 2 Threat Identification
• Source analysis
• Problem analysis
• Step 3 Vulnerability Identification
• Threat/Vulnerability pairing
• Step 4 Control Analysis
• Technical and non-technical controls
• Preventive Control
• Detective Control
• Step 5 Likelihood Determination
• Step 6 Impact Analysis
• Qualitative vs. Quantitative
• Step 7 Risk Determination
• Risk scale = (Likelihood) x (Impact)
• Step 8 Control Recommendations
• Step 9 Results Documentation
• What is Risk Mitigation?
• Risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process (a least-cost, most-appropriate-controls approach).
• Risk Avoidance (eliminate, withdraw from or not become involved)
• Risk Reduction (optimize - mitigate)
• Risk Sharing (transfer - outsource or insure)
• Risk Retention (accept and budget)
• Risk assessment results and mitigation plans should be reviewed and updated periodically.
• Evaluation of selected controls.
• Evaluation on possible risk level changes.
• Evaluation on incident response plan.
• Evaluation on business continuity plan.
• Evaluation on disaster recovery plan.
• Due care and due diligence.
• Too many methodologies.
• Very time consuming and complex.
• Ongoing process versus one-time process.
• Hot fixes/Patches
• Minor releases
• Major releases
• A game console manufacturing company is planning to change its firmware from Firmware A to Firmware B.
• System Characterization:
• Physical:
• Internal: Company servers and other infrastructure, technicians, etc.
• External: Customers' game consoles, etc.
• Logical:
• Internal: Platform A data, functional requirements, etc.
• External: Customers' saved games, pictures, other data, etc.
Risk assessment table (columns): Threat/Vulnerability | Likelihood (L) | Impact (Qualitative) | Impact (Quantitative) (I) | Risk Scale = (L) x (I) | Controls/Solutions
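As an added worked example (not part of the original slides), the Step 7 calculation filled in for the Firmware A to Firmware B case study: each threat/vulnerability pair is scored with the likelihood and impact weights from the 2002 edition of NIST SP 800-30 (Table 3-6), ranked by risk scale, and shown with the residual risk once the recommended control is in place. The threat/vulnerability pairs, controls and residual likelihoods are constructed for illustration.

```python
from dataclasses import dataclass

# Likelihood and impact weights from NIST SP 800-30 (2002), Table 3-6.
# Replace these dictionaries if your organisation uses other scales.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class RiskItem:
    pair: str                 # threat/vulnerability pairing (Step 3)
    likelihood: str           # Step 5
    impact: str               # Step 6, qualitative rating
    control: str              # Step 8 recommendation
    residual_likelihood: str  # assumed likelihood once the control is applied


def risk_scale(likelihood: str, impact: str) -> float:
    """Step 7: Risk scale = (L) x (I), rounded to avoid float noise."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_level(scale: float) -> str:
    """SP 800-30 risk-level bands: Low 1-10, Medium >10-50, High >50-100."""
    if scale > 50:
        return "High"
    if scale > 10:
        return "Medium"
    return "Low"


def rank_risks(items):
    """Rows of the assessment table, highest risk first, with residual risk."""
    rows = []
    for it in items:
        before = risk_scale(it.likelihood, it.impact)
        after = risk_scale(it.residual_likelihood, it.impact)
        rows.append({"pair": it.pair, "scale": before, "level": risk_level(before),
                     "control": it.control, "residual": after,
                     "residual_level": risk_level(after)})
    return sorted(rows, key=lambda r: r["scale"], reverse=True)


# Constructed entries for the firmware-change case study.
CASE_STUDY = [
    RiskItem("Corrupt update bricks consoles / no rollback image", "High", "High",
             "Keep Firmware A in a second slot and roll back on failed boot", "Low"),
    RiskItem("Saved games lost in migration / no backup step", "High", "Medium",
             "Back up customer data before flashing", "Low"),
    RiskItem("Tampered image accepted / no signature check", "Medium", "High",
             "Sign Firmware B and verify before install", "Low"),
    RiskItem("Update server overload on release day / no capacity plan", "Medium", "Low",
             "Staged rollout by region", "Low"),
]

if __name__ == "__main__":
    for r in rank_risks(CASE_STUDY):
        print(f"{r['level']:6} {r['scale']:5.0f} -> {r['residual_level']:6} | {r['pair']}")
```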
• "Risk Management Guide for Information Technology Systems." National Institute of Standards and Technology, Special Publication 800-30.
• http://en.wikipedia.org/wiki/Risk_management
• MISSM 533 lecture note on Risk management