Security Risk Management: Building an Information Security Risk Management Program from the Ground Up

Table of Contents (page numbers refer to the printed book)

Front Cover  1
Security Risk Management: Building an Information Security Risk Management Program from the Ground Up  4
Copyright  5
Table of Contents  6
Preface  14
    Intended Audience  15
    Organization of This Book  16
Acknowledgments  20
About the Author  21
About the Technical Editor  21

Part I: Introduction to Risk Management  22

Chapter 1. The Security Evolution  24
    Introduction  24
    How We Got Here  24
    A Risk-Focused Future  27
    Information Security Fundamentals  29
    The Death of Information Security  37
    Summary  40
    References  40

Chapter 2. Risky Business  42
    Introduction  42
    Applying Risk Management to Information Security  42
    Business-Driven Security Program  49
    Security as an Investment  55
    Qualitative versus Quantitative  58
    Summary  61
    References  62

Chapter 3. The Risk Management Lifecycle  64
    Introduction  64
    Stages of the Risk Management Lifecycle  64
    Business Impact Assessment  69
    A Vulnerability Assessment Is Not a Risk Assessment  71
    Making Risk Decisions  74
    Mitigation Planning and Long-Term Strategy  77
    Process Ownership  80
    Summary  81

Part II: Risk Assessment and Analysis Techniques  82

Chapter 4. Risk Profiling  84
    Introduction  84
    How Risk Sensitivity Is Measured  84
    Asking the Right Questions  92
    Assessing Risk Appetite  102
    Summary  105
    Reference  106

Chapter 5. Formulating a Risk  108
    Introduction  108
    Breaking Down a Risk  108
    Who or What Is the Threat?  116
    Summary  123
    References  124

Chapter 6. Risk Exposure Factors  126
    Introduction  126
    Qualitative Risk Measures  126
    Risk Assessment  138
    Summary  145
    Reference  146

Chapter 7. Security Controls and Services  148
    Introduction  148
    Fundamental Security Services  148
    Recommended Controls  165
    Summary  166
    Reference  167

Chapter 8. Risk Evaluation and Mitigation Strategies  168
    Introduction  168
    Risk Evaluation  168
    Risk Mitigation Planning  175
    Policy Exceptions and Risk Acceptance  177
    Summary  182

Chapter 9. Reports and Consulting  184
    Introduction  184
    Risk Management Artifacts  184
    A Consultant's Perspective  186
    Writing Audit Responses  204
    Summary  208
    References  209

Chapter 10. Risk Assessment Techniques  210
    Introduction  210
    Operational Assessments  210
    Project-Based Assessments  219
    Third-Party Assessments  226
    Summary  232
    References  233

Part III: Building and Running a Risk Management Program  234

Chapter 11. Threat and Vulnerability Management  236
    Introduction  236
    Building Blocks  236
    Threat Identification  241
    Advisories and Testing  243
    An Efficient Workflow  249
    The FAIR Approach  251
    Summary  257
    References  258

Chapter 12. Security Risk Reviews  260
    Introduction  260
    Assessing the State of Compliance  260
    Implementing a Process  263
    Process Optimization: A Review of Key Points  272
    The NIST Approach  274
    Summary  278
    References  278

Chapter 13. A Blueprint for Security  280
    Introduction  280
    Risk in the Development Lifecycle  280
    Security Architecture  284
    Patterns and Baselines  294
    Architectural Risk Analysis  299
    Summary  304
    Reference  305

Chapter 14. Building a Program from Scratch  306
    Introduction  306
    Designing a Risk Program  306
    Prerequisites for a Risk Management Program  312
    Risk at the Enterprise Level  316
    Linking the Program Components  319
    Program Roadmap  321
    Summary  323
    Reference  323

Appendix A: Sample Security Risk Profile  324
    A. General Information  324
    B. Information Sensitivity  324
    C. Regulatory Requirements  327
    D. Business Requirements  328
    E. Definitions  329

Appendix B: Qualitative Risk Scale Reference Tables  330

Appendix C: Architectural Risk Analysis Reference Tables  334
    Baseline Security Levels and Sample Controls  334
    Security Enhancement Levels and Sample Controls  340
    Mapping Security Levels  348

Index  352