
1 Risk Management
EQAA 11th Session, Jamil Kalat-Malho and Jong Ho Lee

2 Outline
Risk Management (NIST SP 800-30)
Risk Assessment
Risk Mitigation
Review and Evaluation

3 Risk Management
Risk management is a preventive measure. It is a continuous process of managing exposure before a threat can take advantage of a vulnerability. Its goal is to reduce residual risk to a level that management has accepted.

4 What is Risk?
Risk is the likelihood that some unwanted event could occur: the probability that a particular threat exploits a known vulnerability and causes damage to corporate assets.

5 Risk Assessment (NIST SP 800-30)
What is risk assessment? Risk assessment is the process of determining the potential threats to a system, the vulnerabilities they could exploit, and the resulting risk. NIST SP 800-30 defines nine steps:
Step 1 System Characterization
Step 2 Threat Identification
Step 3 Vulnerability Identification
Step 4 Control Analysis
Step 5 Likelihood Determination
Step 6 Impact Analysis
Step 7 Risk Determination
Step 8 Control Recommendations
Step 9 Results Documentation

6 Risk Assessment (Steps 1 ~ 3)
Step 1 System Characterization
Information gathering techniques: questionnaires, on-site interviews, document review.
Characterize the system in terms of hardware, software, system interfaces (internal and external connectivity), data and information, functional requirements, users of the system, security policies, system architecture, and environment. Note both physical and logical boundaries.
Step 2 Threat Identification
Source analysis and problem analysis.
Step 3 Vulnerability Identification
Threat/vulnerability pairing.

7 Risk Assessment (Steps 4 ~ 6)
Step 4 Control Analysis
Technical and non-technical controls, preventive and detective.
Preventive controls inhibit attempts to violate security policy, e.g. encryption and authentication.
Detective controls warn of violations or attempted violations, e.g. intrusion detection methods and checksums.
Step 5 Likelihood Determination
Step 6 Impact Analysis
Qualitative vs. quantitative.

8 Risk Assessment (Steps 7 ~ 9)
Step 7 Risk Determination
Risk scale = (Likelihood) x (Impact)
Step 8 Control Recommendations
Step 9 Results Documentation

9 Risk Mitigation
What is risk mitigation? Risk mitigation involves prioritizing, evaluating and implementing the appropriate risk-reducing controls recommended by the risk assessment process, choosing the least-cost controls that are still appropriate for the risk. The four options:
Risk Avoidance (eliminate the risk, withdraw from or do not become involved in the activity)
Risk Reduction (optimize, mitigate)
Risk Sharing (transfer: outsource or insure)
Risk Retention (accept the risk and budget for the loss)

10 Review and Evaluation
Risk assessment results and mitigation plans should be reviewed and updated periodically:
Evaluation of the selected controls.
Evaluation of possible changes in risk level.
Evaluation of the incident response plan.
Evaluation of the business continuity plan.
Evaluation of the disaster recovery plan.
Due care and due diligence.

11 Problems with Risk Management
Too many methodologies.
Very time consuming and complex.
It is an ongoing process, not a one-time exercise.

12 Risk Management in Terms of the QA Team
Hot fixes/patches
Minor releases
Major releases

13 Risk Management Activity
A game console manufacturing company is planning to change its firmware from Firmware A to Firmware B.
System Characterization:
Physical, internal: company servers and other infrastructure, technicians, etc.
Physical, external: customers' game consoles, etc.
Logical, internal: Platform A data, functional requirements, etc.
Logical, external: customers' saved games, pictures, other data, etc.

14 Risk Management Activity (2)
Worksheet columns: Threat/Vulnerability | Likelihood (L) | Impact (Qualitative) | Impact (Quantitative) (I) | Risk Scale = (L) x (I) | Controls/Solutions | Threat Actions
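The following is an added example, not code from the slides or from NIST: it fills in the worksheet above for the Firmware A to Firmware B scenario using the risk scale formula from slide 8. The likelihood weights (Low 0.1, Medium 0.5, High 1.0), impact weights (Low 10, Medium 50, High 100) and the risk-level thresholds (High above 50, Medium above 10 up to 50, Low 1 to 10) are the qualitative scale from NIST SP 800-30 (2002), Tables 3-6 and 3-7. The threat/vulnerability pairs, their ratings and the suggested controls are constructed sample input, not findings from the presentation.

```python
# Added example (not part of the original slides): NIST SP 800-30 risk
# determination for the Firmware A -> Firmware B scenario.
from dataclasses import dataclass

# NIST SP 800-30 Table 3-6: likelihood and impact levels and their weights.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

# NIST SP 800-30 Table 3-7, paraphrased: what each risk level requires.
ACTION = {
    "High": "strong need for corrective measures; put a corrective action plan in place as soon as possible",
    "Medium": "corrective actions needed; plan them within a reasonable period of time",
    "Low": "decide whether corrective actions are still required or accept the risk",
}


@dataclass
class RiskItem:
    threat: str          # threat source / threat action
    vulnerability: str   # weakness that threat could exploit
    likelihood: str      # "Low" | "Medium" | "High"
    impact: str          # "Low" | "Medium" | "High" (qualitative impact)
    control: str         # recommended control / solution


def risk_scale(likelihood: str, impact: str) -> float:
    """Risk scale = (Likelihood weight) x (Impact weight), as on slide 8."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(scale: float) -> str:
    """Map the scale to NIST's level: High > 50, Medium > 10 up to 50, Low 1 to 10."""
    if scale > 50:
        return "High"
    if scale > 10:
        return "Medium"
    return "Low"


def build_register(items):
    """Fill one worksheet row per item and rank rows for risk mitigation."""
    rows = []
    for item in items:
        scale = risk_scale(item.likelihood, item.impact)
        level = risk_level(scale)
        rows.append({
            "threat_vulnerability": f"{item.threat} / {item.vulnerability}",
            "likelihood": item.likelihood,
            "impact": item.impact,
            "scale": scale,
            "level": level,
            "action": ACTION[level],
            "control": item.control,
        })
    # Highest risk first: this ordering is the prioritization step of mitigation.
    return sorted(rows, key=lambda r: r["scale"], reverse=True)


# Constructed sample items (assumptions for illustration, not from the slides).
SAMPLE_ITEMS = [
    RiskItem("Power loss or disconnect during the update",
             "No rollback to Firmware A if the flash write is interrupted",
             "High", "High", "Two-slot (A/B) firmware layout with fallback to the last good image"),
    RiskItem("Firmware B changes the save-game format",
             "Migration of Platform A saved data is untested",
             "Medium", "High", "Back up saves before migration; test conversion on sample data"),
    RiskItem("Update servers overloaded on release day",
             "A single internal server handles all downloads",
             "Medium", "Medium", "Staged rollout and load testing"),
    RiskItem("Tampered firmware image delivered to consoles",
             "Console installs an image without verifying it",
             "Low", "High", "Sign images and verify the signature on the console"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        print(f'{row["scale"]:>6.1f} {row["level"]:<6} {row["threat_vulnerability"]}')
```

Note the boundary cases: a Medium likelihood against a High impact scores exactly 50 and is Medium, not High, and a Low likelihood against a High impact scores exactly 10 and is Low. Using the NIST thresholds consistently is what makes rankings comparable across assessors.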

15 Reference
"Risk Management Guide for Information Technology Systems." National Institute of Standards and Technology, Special Publication 800-30.
MISSM 533 lecture notes on risk management.

