Presentation is loading. Please wait.

Presentation is loading. Please wait.

EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee

Published byFrank Waters Modified over 9 years ago

Similar presentations

Presentation on theme: "EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee"— Presentation transcript:

1 EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee
Risk Management EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee Name & EQAA 11th

2 Out Line Risk Management (NIST SP 800-30) Risk Assessment
Risk Mitigation Review and Evaluation

3 Risk Management Risk Management is preventive measure.
It is a continues process to manage an exposure before a threat could take advantage of a vulnerability. The goal of this is to reduce the residual risk to an acceptable level by management. Need to Edit this.

4 What is Risk? Risk is likelihood that some unwanted event could occur.
The probability that a particular threat could cause damage to corporate assets by exploitation any know vulnerabilities.

5 Risk Assessment (NIST SP 800-30)
What is Risk assessment? Risk assessment is a process to determine the potential threats and vulnerability. Step 1 System Characterization Step 2 Threat Identification Step 3 Vulnerability Identification Step 4 Control Analysis Step 5 Likelihood Determination Step 6 Impact Analysis Step 7 Risk Determination Step 8 Control Recommendations Step 9 Results Documentation Defined Risk Assessment and who is involve in this process.

6 Risk Assessment (Step 1 ~ 3)
Step 1 System Characterization Information gathering technique Questionnaire On-site Interviews Document Review Step 2 Threat Identification Source analysis Problem analysis Step 3 Vulnerability Identification Threat/Vulnerability pairing. Characterize in terms of Hardware, Software, System interface (internal and external connectivity), Data and information, Functional requirements, User of the system, Security policies, System architecture, Environmental. Note Physical and Logical.

7 Risk Assessment (Step 4 ~ 6)
Step 4 Control Analysis Technical and non-technical Preventive Control Detective Control Step 5 Likelihood Determination Step 6 Impact Analysis Qualitative vs. Quantitative Preventive Controls inhibits attempts to violate i.e. encryption and authentication Detective controls warn of violations or attempted violations i.e. intrusion detection methods, and checksums.

8 Risk Assessment (Step 4 ~ 6)
Step 7 Risk Determination Risk scale = (Likelihood) x (Impact) Step 8 Control Recommendations Step 9 Results Documentation

9 Risk Mitigation What is Risk Mitigation
Risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended from the risk assessment process (From least-cost with most appropriate controls approach). Risk Avoidance (eliminate, withdraw from or not become involved) Risk Reduction (optimize - mitigate) Risk Sharing (transfer – outsource or insure) Risk Retention (accept and budget) Research and Acknowledgement

10 Review and Evaluation Risk assessment result and mitigation plans should be updated or reviewed periodically. Evaluation of selected controls. Evaluation on possible risk level changes. Evaluation on incident response plan. Evaluation on business continuation plan. Evaluation on disaster recovery plan. Due care and due diligence.

11 Problems with Risk management
Too many methodologies. Very time consuming and complex. Ongoing process against one time process.

12 Risk management in terms of QA Team
Hot fixes/Patches Minor releases Major releases

13 Risk Management Activity
A game console manufacturing company is planning to change its firmware from Firmware A to Firmware B. System Characterization: Physical: Internal: Company servers and other infrastructures, technicians, and etc. External: Customer’s game console, and etc. Logical: Internal: Platform A data, Functional requirement, and etc. External: Customer’s saved games, pictures, other data and etc.

14 Risk Management Activity (2)
Threat/Vulnerability Likelihood (L) Impact (Qualitative) Impact (Quantitative) (I) Risk Scale = (L) x (I) Controls/Solutions Threat Actions

15 Reference “Risk Management Guide for Information Technology System.” National Institute of Standards and Technology, Special Publication MISSM 533 lecture note on Risk management

Download ppt "EQAA 11th Session Jamil Kalat-Malho Jong Ho Lee"

Similar presentations

Security+ All-In-One Edition Chapter 17 – Risk Management

Security+ All-In-One Edition Chapter 17 – Risk Management
Jump to first page NIST 800-30 Risk Management Guide for Information Technology Systems Reference:

Jump to first page NIST Risk Management Guide for Information Technology Systems Reference:
Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.

Project Management Gaafar 2007 / 1 This Presentation is uses information from PMBOK Guide 2000 Project Management Risk Management* Dr. Lotfi Gaafar.
Project Management.

Project Management.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 © 2002 Carnegie.

Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.

CST 481/598 Many thanks to Jeni Li.  Potential negative impact to an asset  Probability of a loss  A function of three variables  The probability.
Software project management (intro)

Software project management (intro)
Stephen S. Yau CSE465-591, Fall 2006 1 Risk Management.

Stephen S. Yau CSE , Fall Risk Management.
Project Based Risk Management Defusing a potential ticking time bomb

Project Based Risk Management Defusing a potential ticking time bomb
Lecture 8: Risk Management Controlling Risk

Lecture 8: Risk Management Controlling Risk
Managing Project Risk.

Managing Project Risk.
Risk Analysis COEN 250.

Risk Analysis COEN 250.
Security Risk Management Paula Kiernan Ward Solutions.

Security Risk Management Paula Kiernan Ward Solutions.
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28
PMI Knowledge Areas Risk Management.

PMI Knowledge Areas Risk Management.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.

Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
Chapter 11: Project Risk Management

Chapter 11: Project Risk Management

Similar presentations

Ads by Google