Title:
Information security risk assessment toolkit : practical assessments through data collection and data analysis
Personal Author:
Publication Information:
Amsterdam : Boston : Elsevier, c2013
Physical Description:
xix, 258 p. : ill. ; 24 cm.
ISBN:
9781597497350
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010301425 | QA76.9.A25 T354 2013 | Open Access Book | Book | Searching... |
Searching... | 30000010243230 | QA76.9.A25 T354 2013 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
In order to protect company's information assets such as sensitive customer records, health care records, etc., the security practitioner first needs to find out: what needs protected, what risks those assets are exposed to, what controls are in place to offset those risks, and where to focus attention for risk treatment. This is the true value and purpose of information security risk assessments. Effective risk assessments are meant to provide a defendable analysis of residual risk associated with your key assets so that risk treatment options can be explored. Information Security Risk Assessment Toolkit gives you the tools and skills to get a quick, reliable, and thorough risk assessment for key stakeholders.
Author Notes
Mark Ryan M. Talabis is a Manager within the Secure DNA Consulting practice
Jason L. Martin is the co-Founder and President of Secure DNA Consulting
Table of Contents
| Acknowledgments | p. xiii |
| About the Technical Editor | p. xv |
| About the Authors | p. xvii |
| Introduction | p. xix |
| Chapter 1 Information Security Risk Assessments | p. 1 |
| Introduction | p. 1 |
| What is Risk? | p. 1 |
| Going Deeper with Risk | p. 3 |
| Components of Risk | p. 4 |
| Putting it All Together | p. 6 |
| Information Security Risk | p. 6 |
| What is an Information Security Risk Assessment? | p. 10 |
| Why Assess Information Security Risk? | p. 11 |
| Risk Assessments and the Security Program | p. 12 |
| Information Risk Assessments Activities in a Nutshell | p. 13 |
| Drivers, Laws, and Regulations | p. 19 |
| Federal Information Security Management Act of 2002 (FISMA) | p. 19 |
| Gramm-Leach-Bliley Act (GLBA) | p. 21 |
| Health Insurance Portability and Accountability Act (HIPAA) | p. 22 |
| State Governments | p. 23 |
| ISO 27001 | p. 23 |
| Summary | p. 25 |
| What is Risk? | p. 25 |
| What is an Information Security Risk Assessment? | p. 25 |
| Drivers, Laws, and Regulations | p. 26 |
| References | p. 26 |
| Chapter 2 Information Security Risk Assessment: A Practical Approach | p. 27 |
| Introduction | p. 27 |
| A Primer on Information Security Risk Assessment Frameworks | p. 27 |
| Do I Use an Existing Framework or Should I Use My Own? | p. 28 |
| Octave | p. 28 |
| Fair | p. 35 |
| NIST SP800-30 | p. 41 |
| ISO 27005 | p. 49 |
| A Comparison of the Major Activities for the Four Frameworks | p. 51 |
| A Comparison of the Major Activities for the Four Frameworks Based on Activities | p. 52 |
| Our Risk Assessment Approach | p. 52 |
| Summary | p. 62 |
| Chapter 3 Information Security Risk Assessment: Data Collection | p. 63 |
| Introduction | p. 63 |
| The Sponsor | p. 64 |
| The Project Team | p. 66 |
| The Size and Breadth of the Risk Assessment | p. 66 |
| Scheduling and Deadlines | p. 67 |
| Assessor and Organization Experience | p. 67 |
| Workload | p. 67 |
| Data Collection Mechanisms | p. 69 |
| Collectors | p. 69 |
| Containers | p. 71 |
| Executive Interviews | p. 73 |
| Document Requests | p. 77 |
| IT Asset Inventories | p. 80 |
| Asset Scoping | p. 82 |
| Interviews | p. 83 |
| Asset Scoping Workshops | p. 83 |
| Business Impact Analysis and Other Assessments | p. 85 |
| Critical Success Factor Analysis | p. 85 |
| The Asset Profile Survey | p. 86 |
| Who Do You Ask for information? | p. 87 |
| How Do You Ask for the Information? | p. 87 |
| What Do You Ask for? | p. 88 |
| The Control Survey | p. 91 |
| Who Do You Ask for Information? | p. 91 |
| How Do You Ask for Information? | p. 92 |
| What Do You Ask for? | p. 92 |
| Organizational vs. System Specific | p. 93 |
| Scale vs. Yes or No | p. 95 |
| Inquiry vs. Testing | p. 96 |
| Survey Support Activities and Wrap-Up | p. 97 |
| Before and During the Survey | p. 97 |
| Review of Survey Responses | p. 97 |
| Post-Survey Verifications | p. 98 |
| Consolidation | p. 98 |
| Chapter 4 Information Security Risk Assessment: Data Analysis | p. 105 |
| Introduction | p. 105 |
| Compiling Observations from Organizational Risk Documents | p. 106 |
| Preparation of Threat and Vulnerability Catalogs | p. 109 |
| Threat Catalog | p. 109 |
| Vulnerability Catalog | p. 110 |
| Threat Vulnerability Pairs | p. 112 |
| Overview of the System Risk Computation | p. 113 |
| Designing the Impact Analysis Scheme | p. 114 |
| Confidentiality | p. 114 |
| Integrity | p. 116 |
| Availability | p. 117 |
| Preparing the Impact Score | p. 118 |
| Practical Tips | p. 121 |
| Designing the Control Analysis Scheme | p. 122 |
| Practical Tips | p. 126 |
| Designing the Likelihood Analysis Scheme | p. 126 |
| Exposure | p. 127 |
| Frequency | p. 132 |
| Controls | p. 134 |
| Likelihood | p. 135 |
| Putting it Together and the Final Risk Score | p. 140 |
| Chapter 5 Information Security Risk Assessment: Risk Assessment | p. 147 |
| Introduction | p. 147 |
| System Risk Analysis | p. 148 |
| Risk Classification | p. 148 |
| Risk Rankings | p. 151 |
| Individual System Risk Reviews | p. 157 |
| Threat and Vulnerability Review | p. 162 |
| Review Activities for Organizational Risk | p. 167 |
| Review of Security Threats and Trends | p. 168 |
| Review of Audit Findings | p. 170 |
| Review of Security Incidents | p. 171 |
| Review of Security Exceptions | p. 172 |
| Review of Security Metrics | p. 173 |
| Risk Prioritization and Risk Treatment | p. 175 |
| Chapter 6 Information Security Risk Assessment: Risk Prioritization and Treatment | p. 177 |
| Introduction | p. 177 |
| Organizational Risk Prioritization and Treatment | p. 178 |
| Review of Security Threats and Trends | p. 178 |
| Review of Audit Findings | p. 179 |
| Review of Security Incidents | p. 179 |
| Review of Security Exceptions | p. 180 |
| Review of Security Metrics | p. 180 |
| System Specific Risk Prioritization and Treatment | p. 183 |
| Issues Register | p. 187 |
| Chapter 7 Information Security Risk Assessment: Reporting | p. 195 |
| Introduction | p. 195 |
| Outline | p. 196 |
| Risk Analysis Executive Summary | p. 197 |
| Methodology | p. 199 |
| Organizational | p. 199 |
| System Specific | p. 201 |
| Results | p. 204 |
| Organizational Analysis | p. 204 |
| System Specific | p. 208 |
| Risk Register | p. 224 |
| Conclusion | p. 228 |
| Appendices | p. 229 |
| Chapter 8 Information Security Risk Assessment: Maintenance and Wrap Up | p. 233 |
| Introduction | p. 233 |
| Process Summary | p. 233 |
| Data Collection | p. 234 |
| Data Analysis | p. 234 |
| Risk Analysis | p. 235 |
| Reporting | p. 235 |
| Key Deliverables | p. 235 |
| Post Mortem | p. 236 |
| Scoping | p. 237 |
| Executive Interviews | p. 237 |
| System Owners and Stewards | p. 238 |
| Document Requests | p. 238 |
| System Profile and Control Survey | p. 238 |
| Analysis | p. 239 |
| Reporting | p. 240 |
| General Process | p. 240 |
| Index | p. 251 |
