& RISK MANAGEMENT
SESSION 7 & 8
OUTLINE
1. RISK ASSESSMENT TECHNIQUE
2. PROJECT-BASED ASSESSMENTS
3. THIRD-PARTY ASSESSMENTS
4. BUILDING BLOCKS AND THREAT IDENTIFICATION
RISK ASSESSMENT TECHNIQUE
- Arrange questions, then disseminate them orally or in writing
- Use tools to test system security
- Third-party assessment of the level of system security and provision of certification
PROJECT-BASED ASSESSMENTS
A. PREP WORK
Pre-session meeting to discuss the objectives of the risk assessment, the agenda, and the format, which will be discussed later
B. THE FRAAP APPROACH
• Implemented within a predetermined period of time
• Encourage teams to raise problems and identify risks
THIRD-PARTY
ASSESSMENTS
MAIN ISSUES
- Lack of an industry standard format for vendor risk assessment questionnaires
- Lack of a universally accepted certification
Risk Scale: establish a risk scale qualitatively
Workflow: determine the workflow for processing new risks
THREAT IDENTIFICATION
Identify sources of threats that have the potential to exploit system weaknesses.
How to identify:
1. Focus on certain aspects, such as the magnitude of the threat, then on internal / external threats
2. Look at threat intelligence reports to observe threat activities
3. Use observed internal security incident statistics
Sources of threat information:
1. Certain organizational periodic reports
2. Vendors
3. Internal testing
ADVISORIES & TESTING
RATING VULNERABILITIES
MODERATE: a vulnerability that can indirectly contribute to illegal or unknown activities
APPROACH
timeframe.
BUILDING BLOCKS
- Threat Event Frequency (TEF)
- Threat Capability
- Control Strength
- Vulnerability
- Loss Event Frequency (LEF)
- Probable Loss Magnitude (PLM)
- Risk Exposure
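The building blocks above are the factors of the FAIR (Factor Analysis of Information Risk) model. The slides list the factors but do not write out how they combine, so the following added example (not from the slides) assumes the standard FAIR relationships: Vulnerability is the probability that a threat agent's capability exceeds the control strength, LEF = TEF × Vulnerability, and Risk Exposure = LEF × PLM. The scenario names, frequencies, control percentiles, loss amounts and qualitative band thresholds are all constructed for illustration; the threat-capability distribution (uniform over a percentile range) is also an assumption.

```python
"""Worked example of the risk building blocks listed in the slides.

Added illustration, not content from the slides. It assumes the FAIR
relationships, which the slides name as building blocks but do not state:

  Vulnerability        = P(threat capability > control strength)
  Loss Event Frequency = Threat Event Frequency * Vulnerability
  Risk Exposure        = Loss Event Frequency * Probable Loss Magnitude

Threat capability and control strength are percentiles of the threat
population (0-100): control strength 70 resists the bottom 70% of threat
agents; a threat agent at capability 90 outranks 90% of its peers.
All scenarios and thresholds below are constructed for the example.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Scenario:
    name: str
    tef_per_year: float       # Threat Event Frequency: contact attempts per year
    control_strength: float   # percentile of threat agents the controls resist
    plm: float                # Probable Loss Magnitude per loss event (currency)


def vulnerability(control_strength: float, tcap_low: float = 0.0,
                  tcap_high: float = 100.0) -> float:
    """Probability that a threat agent's capability exceeds the control.

    Assumes threat capability is uniform over [tcap_low, tcap_high]; a more
    capable threat community (higher tcap_low) raises the vulnerability for
    the same control strength.
    """
    if not 0.0 <= control_strength <= 100.0:
        raise ValueError("control strength must be a percentile in [0, 100]")
    if control_strength >= tcap_high:
        return 0.0
    if control_strength <= tcap_low:
        return 1.0
    return (tcap_high - control_strength) / (tcap_high - tcap_low)


def assess(s: Scenario, tcap_low: float = 0.0, tcap_high: float = 100.0) -> dict:
    """Chain the building blocks: Vulnerability -> LEF -> Risk Exposure."""
    vuln = vulnerability(s.control_strength, tcap_low, tcap_high)
    lef = s.tef_per_year * vuln                  # loss events per year
    exposure = lef * s.plm                       # expected annual loss
    return {"name": s.name, "vulnerability": vuln, "lef": lef,
            "risk_exposure": exposure}


def simulate_vulnerability(control_strength: float, tcap_low: float = 0.0,
                           tcap_high: float = 100.0, trials: int = 20_000,
                           seed: int = 7) -> float:
    """Monte Carlo cross-check of vulnerability(): sample threat agents and
    count the share that outruns the control. Seeded so it is repeatable."""
    rng = random.Random(seed)
    beaten = sum(1 for _ in range(trials)
                 if rng.uniform(tcap_low, tcap_high) > control_strength)
    return beaten / trials


# Constructed qualitative bands for a risk scale (annual exposure, currency).
RISK_BANDS = ((100_000, "LOW"), (500_000, "MODERATE"), (float("inf"), "HIGH"))


def risk_band(exposure: float) -> str:
    """Map annualised exposure onto the qualitative scale above."""
    for upper, label in RISK_BANDS:
        if exposure < upper:
            return label
    return RISK_BANDS[-1][1]


def rank(scenarios) -> list:
    """Order scenarios by risk exposure, highest first, for the workflow queue."""
    results = [assess(s) for s in scenarios]
    results.sort(key=lambda r: r["risk_exposure"], reverse=True)
    return [(r["name"], round(r["risk_exposure"]), risk_band(r["risk_exposure"]))
            for r in results]


# Constructed scenarios: frequent-but-well-controlled versus rare-but-severe.
SCENARIOS = [
    Scenario("phishing credential theft", tef_per_year=10, control_strength=70,
             plm=50_000),
    Scenario("backup system compromise", tef_per_year=0.5, control_strength=40,
             plm=2_000_000),
]

if __name__ == "__main__":
    for row in rank(SCENARIOS):
        print(row)
```

Running the block ranks the rare but weakly controlled scenario above the frequent, well-controlled one, which is the point of separating frequency from magnitude: a high TEF alone does not make a scenario the top risk. The `simulate_vulnerability` function exists only to confirm the analytic `vulnerability` value under the same assumed distribution, and the band thresholds in `RISK_BANDS` are placeholders for whatever qualitative scale the workflow step establishes.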
THANK YOU