PERFORMING A RISK ASSESSMENT

Flourensia Sapty Rahayu S.T., M.Kom.

Information Systems Study Program
FTI – UAJY – 2018
Risk Assessment Steps
1. Identify assets and activities to address.
2. Identify and evaluate relevant threats.
3. Identify and evaluate relevant vulnerabilities.
4. Identify and evaluate relevant countermeasures.
5. Assess threats, vulnerabilities, and exploits.
6. Evaluate risks.
7. Develop recommendations to mitigate risks.
8. Present recommendations to management.
Risk Assessment Steps
• Before progressing with the RA, you need to
complete two preliminary actions.
• These are:
1. Define the assessment.
2. Review previous findings.
Risk Assessment Steps
1. Defining the assessment
• You need to clearly define what you’ll assess. If
it’s a system, you need to describe the system.
If it’s a process, you need to describe the
process.
• When describing the system or process, you will
often focus on two primary areas:
– Operational characteristics
– Mission of the system
Risk Assessment Steps
• Operational characteristics
– Operational characteristics define how the system
operates in your environment.
– It’s not enough to just name the system, such as
“E-mail server.” Instead, you need to identify how
the system is currently configured and operating.
Risk Assessment Steps
• Mission of the System
– The mission of the system defines what the system does.
– For example, an e-mail system could have the following mission:
The e-mail server provides all e-mail services for the network. This
includes the following functions:
• Routing e-mail between internal clients
• Accepting e-mail from external e-mail servers and routing to internal
clients
• Accepting e-mail from internal clients and routing to external e-mail
servers
• Scanning all e-mail attachments and removing malware
• Scanning all e-mail for spam and stripping out confirmed spam
Risk Assessment Steps
2. Review Previous Findings
• If previous audits or risk assessments are
available, you should review them.
Identifying the Management Structure
• The management structure refers to how
responsibilities are assigned.
• A small organization may have a single IT section.
This single section is responsible for all IT systems
and processes.
• However, a larger organization may have multiple IT
sections or divisions. In this case, various managers
or management teams oversee different IT systems.
Each manager has different responsibilities.
Identifying the Management Structure
• A small organization may perform a risk
assessment for many systems at the same
time. However, a larger organization will likely
separate the risk assessments.
Identifying Assets and Activities Within Risk
Assessment Boundaries
• Asset valuation is the process of determining
the fair market value of an asset.
• This is one of the first priorities of risk
management.
• Once you know the value of your assets, you
can then prioritize their importance.
Identifying Assets and Activities Within Risk
Assessment Boundaries
• When considering the value of an asset, you can look at it from
different perspectives:
– Replacement value—This is the cost to purchase a new asset in its
place. For example, if a laptop fails or is stolen, the price to purchase a
new laptop with similar hardware and software may be $1,500.
– Recovery value—This is the cost to get the asset operational after a
failure.
For example, if the hard drive on a server fails, you wouldn’t replace the
entire server. Instead, you’d replace the hard drive and take steps to
recover the system. This may require you to reinstall the operating
system and restore data from a backup. You would also consider the
time needed to perform the repair. For example, if a repair requires two
hours, the system is not available for two hours. If it’s a Web server
generating $10,000 an hour in revenue, you would include $20,000 as
part of the recovery value.
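An added example (not from the slides) that models the two valuation perspectives above and the prioritization step: replacement value, and recovery value as repair cost plus lost revenue during the outage. The laptop and web server figures are the slides' own; the server's replacement and repair costs are hypothetical, and the `Asset` class and `prioritize` function are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    replacement_value: float        # cost to buy a new asset in its place
    repair_cost: float = 0.0        # parts and labour to get the asset working again
    repair_hours: float = 0.0       # time the asset is unavailable during the repair
    revenue_per_hour: float = 0.0   # revenue lost for every hour the asset is down

    def downtime_cost(self) -> float:
        """Lost revenue while the asset is being repaired."""
        return self.repair_hours * self.revenue_per_hour

    def recovery_value(self) -> float:
        """Cost to get the asset operational again, downtime included."""
        return self.repair_cost + self.downtime_cost()

    def valuation(self) -> float:
        """Use the larger of the two perspectives when ranking assets."""
        return max(self.replacement_value, self.recovery_value())


def prioritize(assets):
    """Rank assets by valuation, highest first, so the most valuable get attention first."""
    return sorted(assets, key=lambda a: a.valuation(), reverse=True)


# Constructed sample assets. The $1,500 laptop and the $10,000/hour web server with a
# two-hour repair come from the slides; the server's other costs are hypothetical.
LAPTOP = Asset("Sales laptop", replacement_value=1500.0,
               repair_cost=1500.0)   # a lost laptop is replaced outright
WEB_SERVER = Asset("Web server", replacement_value=12000.0, repair_cost=350.0,
                   repair_hours=2.0, revenue_per_hour=10000.0)

if __name__ == "__main__":
    for a in prioritize([LAPTOP, WEB_SERVER]):
        print(f"{a.name:12s} replacement={a.replacement_value:>9,.0f} "
              f"recovery={a.recovery_value():>9,.0f} valuation={a.valuation():>9,.0f}")
```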
Identifying and Evaluating Relevant Threats
• A threat is any potential danger. The danger
can be to the data, the hardware, or the
systems.
• A threat assessment is the process of
identifying threats.
• It’s important to understand how threats
interact with risks as a whole.
Identifying and Evaluating Relevant Threats
• You can use one of two primary methods to
identify threats. They are:
– Review historical data
– Modeling
Identifying and Evaluating Relevant Threats
• Review historical data
– History often repeats itself. This is true in so many
areas of life. It’s also true with IT systems.
– You can save yourself a lot of time by reviewing
historical data to identify realistic threats.
Identifying and Evaluating Relevant Threats
• Threat modeling is a process used to identify
possible threats on a system.
• It attempts to look at a system from the
attacker’s perspective.
• The result of threat modeling is a document
called a threat model.
Identifying and Evaluating Relevant Threats
• The threat model provides information on:
– The system—This includes background information on the
system.
– Threat profile—This is a list of threats. It identifies what
the attacker may try to do to the system, including possible
goals of the attack. For example, one attack may attempt
to take the system down. Another attack may attempt to
access data in the system.
– Threat analysis—Each threat in the threat profile is
analyzed to determine if an asset is vulnerable. Threat
analysis includes reviewing existing controls to determine
their effectiveness against the threat.
Identifying and Evaluating Relevant
Vulnerabilities
Two things are certain about vulnerabilities:
• All systems have vulnerabilities—You can’t eliminate
all vulnerabilities any more than you can eliminate all
risks. Your goal is to identify the relevant vulnerabilities.
You can then choose to implement controls to reduce the
weakness.
• Not all vulnerabilities result in a loss—It’s only when the
threat and vulnerability come together as a
threat/vulnerability pair that a loss occurs. You only need
to identify and evaluate the relevant vulnerabilities.
Identifying and Evaluating Relevant
Vulnerabilities
• One of the ways to identify and evaluate
vulnerabilities is by using assessments.
• The two primary assessments are:
– Vulnerability assessments
A vulnerability assessment is a process used to discover
weaknesses in a system
– Exploit assessments
An exploit assessment attempts to discover what
vulnerabilities an attacker can exploit. Exploit assessments
are also referred to as “penetration tests.”
Identifying and Evaluating Countermeasures
• A countermeasure is a security control or a safeguard.
• You implement a countermeasure to reduce a risk.
• You can reduce a risk by reducing vulnerabilities or by
reducing the impact of the threat.
• When identifying and evaluating the countermeasures, you
should consider:
– In-place controls—These are controls that are currently installed in
the operational system.
– Planned controls—These are controls that have a specified
implementation date.
– Control categories—Controls fall into three primary categories:
administrative controls, technical controls, and physical controls.
When reviewing all of the controls, you should consider the purpose.
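An added example (not from the slides) that ties together the threat model, the threat/vulnerability pair rule, and the in-place versus planned control review described above: a vulnerability is kept only when a threat in the profile can use it, and each pair is then checked against the controls. The data classes, the `needs`/`weakness`/`mitigates` matching keys, and the sample e-mail server threats, vulnerabilities and controls are all constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    goal: str        # what the attacker tries to do, e.g. "take the system down"
    needs: str       # the kind of weakness the threat needs to succeed

@dataclass(frozen=True)
class Vulnerability:
    name: str
    weakness: str    # the kind of weakness this vulnerability exposes

@dataclass(frozen=True)
class Control:
    name: str
    category: str    # "administrative", "technical" or "physical"
    status: str      # "in-place" or "planned"
    mitigates: str   # the kind of weakness the control reduces

def threat_vulnerability_pairs(threats, vulns):
    """A loss needs a threat and a vulnerability it can use; the pairs are the
    relevant vulnerabilities, and anything unpaired is not assessed further."""
    return [(t, v) for t in threats for v in vulns if t.needs == v.weakness]

def analyze(threats, vulns, controls):
    """Threat analysis: for each pair, list the controls that address it and flag
    pairs with nothing in place yet (planned controls do not count until implemented)."""
    report = {}
    for t, v in threat_vulnerability_pairs(threats, vulns):
        covering = [c for c in controls if c.mitigates == v.weakness]
        in_place = [c.name for c in covering if c.status == "in-place"]
        planned = [c.name for c in covering if c.status == "planned"]
        report[(t.name, v.name)] = {"in_place": in_place, "planned": planned,
                                    "uncontrolled": not in_place}
    return report

# Constructed sample threat model for the e-mail server mission on the slides.
THREATS = [Threat("Mail flood", "take the system down", "no connection limits"),
           Threat("Malicious attachment", "run malware on a client", "unscanned attachments"),
           Threat("Power outage", "take the system down", "single power feed")]
VULNS = [Vulnerability("SMTP accepts unlimited connections", "no connection limits"),
         Vulnerability("Attachment scanner disabled", "unscanned attachments"),
         Vulnerability("Unpatched OS", "missing patches")]  # no threat in the profile needs it
CONTROLS = [Control("Connection throttling", "technical", "in-place", "no connection limits"),
            Control("Attachment malware scanning", "technical", "planned", "unscanned attachments")]
```

Running `analyze(THREATS, VULNS, CONTROLS)` leaves "Unpatched OS" and "Power outage" out of the report because neither forms a pair, and flags the attachment pair as uncontrolled until the planned scanner is actually in place.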
Discussion
• Take one of the risks you identified in your
case study, then identify:
– Administrative control
– Technical control
– Physical control
for that risk.
Selecting a Methodology Based on
Assessment Needs
• Once you have identified and evaluated the
elements individually, you need to calculate
the associated risk.
• The two primary methodologies you can
use are:
– Quantitative
– Qualitative
Develop Mitigating Recommendations
• After performing the analysis, you can provide specific
recommendations.
• These recommendations should mitigate the risks.
• You can include the data you’ve collected to support
the recommendations.
• Supporting data may include:
– Threat/vulnerability pairs
– Estimate of cost and time to implement
– Estimate of operational impact
– Cost-benefit analysis
Present Risk Assessment Results
• After you complete the RA, you create a
report documenting the results.
• This report should include two phases:
– In the first phase, you present the
recommendations to management.
– In the second phase, you document the decisions
made by management. You then create a plan of
actions and milestones (POAM).