- Discusses all types of corporate risks and practical means of defending against them.
- Security is currently identified as a critical area of Information Technology management by a majority of government, commercial, and industrial organizations.
- Offers an effective risk management program, which is the most critical function of an information security program.
Table of Contents:
Preface xiii
About the Authors xv
Part I Industry Practices in Risk Management 1
1. Information Security Risk Management Imperatives and Opportunities 3
1.1 Risk Management Purpose and Scope 3
1.1.1 Purpose of Risk Management 3
1.1.2 Text Scope 17
References 24
Appendix 1A: Bibliography of Related Literature 25
2. Information Security Risk Management Defined 33
2.1 Key Risk Management Definitions 33
2.1.1 Survey of Industry Definitions 33
2.1.2 Adopted Definitions 37
2.2 A Mathematical Formulation of Risk 40
2.2.1 What is Risk? A Formal Definition 44
2.2.2 Risk in IT Environments 44
2.2.3 Risk Management Procedures 49
2.3 Typical Threats/Risk Events 56
2.4 What is an Enterprise Architecture? 61
References 65
Appendix 2A: The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008 66
Appendix 2B: What is Enterprise Risk Management (ERM)? 71
3. Information Security Risk Management Standards 73
3.1 ISO/IEC 13335 77
3.2 ISO/IEC 17799 (ISO/IEC 27002:2005) 78
3.3 ISO/IEC 27000 SERIES 78
3.3.1 ISO/IEC 27000, Information Technology—Security Techniques—Information Security Management Systems—Fundamentals and Vocabulary 79
3.3.2 ISO/IEC 27001:2005, Information Technology—Security Techniques—Specification for an Information Security Management System 79
3.3.3 ISO/IEC 27002:2005, Information Technology—Security Techniques—Code of Practice for Information Security Management 84
3.3.4 ISO/IEC 27003 Information Technology—Security Techniques—Information Security Management System Implementation Guidance 90
3.3.5 ISO/IEC 27004 Information Technology—Security Techniques—Information Security Management—Measurement 91
3.3.6 ISO/IEC 27005:2008 Information Technology—Security Techniques—Information Security Risk Management 92
3.4 ISO/IEC 31000 92
3.5 NIST STANDARDS 94
3.5.1 NIST SP 800-16 96
3.5.2 NIST SP 800-30 99
3.5.3 NIST SP 800-39 101
3.6 AS/NZS 4360 105
References 106
Appendix 3A: Organization for Economic CoOperation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security 107
4. A Survey of Available Information Security Risk Management Methods and Tools 111
4.1 Overview 111
4.2 Risk Management/Risk Analysis Methods 114
4.2.1 Austrian IT Security Handbook 114
4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM) 115
4.2.3 Dutch A&K Analysis 117
4.2.4 EBIOS 117
4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method 119
4.2.6 FAIR (Factor Analysis of Information Risk) 122
4.2.7 FIRM (Fundamental Information Risk Management) 124
4.2.8 FMEA (Failure Modes and Effects Analysis) 125
4.2.9 FRAP (Facilitated Risk Assessment Process) 128
4.2.10 ISAMM (Information Security Assessment and Monitoring Method) 129
4.2.11 ISO/IEC Baselines 130
4.2.12 ISO 31000 Methodology 130
4.2.13 IT-Grundschutz (IT Baseline Protection Manual) 136
4.2.14 MAGERIT (Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion) (Methodology for Information Systems Risk Analysis and Management) 137
4.2.15 MEHARI (Méthode Harmonisée d’Analyse de Risques—Harmonised Risk Analysis Method) 142
4.2.16 Microsoft’s Security Risk Management Guide 146
4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale) 152
4.2.18 NIST 153
4.2.19 National Security Agency (NSA) IAM / IEM / IA-CMM 153
4.2.20 Open Source Approach 155
4.2.21 PTA (Practical Threat Analysis) 158
4.2.22 SOMAP (Security Officers Management and Analysis Project) 160
4.2.23 Summary 161
References 162
5. Methodologies Examples: Cobit and Octave 164
5.1 Overview 164
5.2 COBIT 166
5.2.1 COBIT Framework 172
5.2.2 The Need for a Control Framework for IT Governance 173
5.2.3 How COBIT Meets the Need 175
5.2.4 COBIT’s Information Criteria 175
5.2.5 Business Goals and IT Goals 176
5.2.6 COBIT Framework 177
5.2.7 IT Resources 178
5.2.8 Plan and Organize (PO) 180
5.2.9 Acquire and Implement (AI) 180
5.2.10 Deliver and Support (DS) 180
5.2.11 Monitor and Evaluate (ME) 181
5.2.12 Processes Need Controls 181
5.2.13 COBIT Framework 181
5.2.14 Business and IT Controls 184
5.2.15 IT General Controls and Application Controls 185
5.2.16 Maturity Models 187
5.2.17 Performance Measurement 194
5.3 OCTAVE 205
5.3.1 The OCTAVE Approach 205
5.3.2 The OCTAVE Method 208
References 210
Part II Developing Risk Management Teams 211
6. Risk Management Issues and Organization Specifics 213
6.1 Purpose and Scope 213
6.2 Risk Management Policies 216
6.3 A Snapshot of Risk Management in the Corporate World 219
6.3.1 Motivations for Risk Management 224
6.3.2 Justifying Risk Management Financially 225
6.3.3 The Human Factors 230
6.3.4 Priority-Oriented Rational Approach 232
6.4 Overview of Pragmatic Risk Management Process 234
6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies 234
6.4.2 Iterative Procedure for Ongoing Risk Management 236
6.5 Roadmap to Pragmatic Risk Management 236
References 239
Appendix 6A: Example of a Security Policy 239
7. Assessing Organization and Establishing Risk Management Scope 243
7.1 Assessing the Current Enterprise Environment 244
7.2 Soliciting Support From Senior Management 248
7.3 Establishing Risk Management Scope and Boundaries 259
7.4 Defining Acceptable Risk for Enterprise 260
7.5 Risk Management Committee 263
7.6 Organization-Specific Risk Methodology 264
7.6.1 Quantitative Methods 265
7.6.2 Qualitative Methods 267
7.6.3 Other Approaches 269
7.7 Risk Waivers Programs 272
References 274
Appendix 7A: Summary of Applicable Legislation 275
8. Identifying Resources and Implementing the Risk Management Team 280
8.1 Operating Costs to Support Risk Management and Staffing Requirements 281
8.2 Organizational Models 286
8.3 Staffing Requirements 287
8.3.1 Specialized Skills Required 290
8.3.2 Sourcing Options 291
8.4 Risk Management Tools 295
8.5 Risk Management Services 296
8.5.1 Alerting and Analysis Services 296
8.5.2 Assessments, Audits, and Project Consulting 296
8.6 Developing and Implementing the Risk Management/Assessment Team 298
8.6.1 Creating Security Standards 298
8.6.2 Defining Subject Matter Experts 300
8.6.3 Determining Information Sources 300
References 301
Appendix 8A: Sizing Example for Risk Management Team 302
Appendix 8B: Example of Vulnerability Alerts by Vendors and CERT 331
Appendix 8C: Examples of Data Losses—A One-Month Snapshot 336
9. Identifying Assets and Organization Risk Exposures 338
9.1 Importance of Asset Identification and Management 338
9.2 Enterprise Architecture 340
9.3 Identifying IT Assets 346
9.4 Assigning Value to IT Assets 353
9.5 Vulnerability Identification/Classification 354
9.5.1 Base Parameters 360
9.5.2 Temporal Parameters 362
9.5.3 Environmental Parameters 363
9.6 Threat Analysis: Type of Risk Exposures 367
9.6.1 Type of Risk Exposures 368
9.6.2 Internal Team Programs (to Uncover Risk Exposures) 371
9.7 Summary 371
References 371
Appendix 9A: Common Information Systems Assets 372
10. Remediation Planning and Compliance Reporting 377
10.1 Determining Risk Value 377
10.2 Remediation Approaches 380
10.3 Prioritizing Remediations 384
10.4 Determining Mitigating Timeframes 385
10.5 Compliance Monitoring and Security Metrics 387
10.6 Compliance Reporting 390
References 391
Basic Glossary of Terms Used in This Text 392
Index 415
About the Author :
JAKE KOUNS is cofounder, CEO, and CFO of the Open Security Foundation. He holds an MBA in information security from James Madison University and a number of certifications, including ISC2's CISSP, ISACA's CISM, CISA, and CGEIT.
DANIEL MINOLI is an expert in the fields of IT, telecommunications, and networking, with work experience at Capital One Financial, Prudential Securities, and AT&T, among others. He is the founder and President Emeritus of the IPv6 Institute. He is the author or coauthor of several books on IT, security, and networking, including Minoli-Cordovana's Authoritative Computer and Network Security Dictionary and Network Infrastructure and Architecture: Designing High Availability Networks, both published by Wiley.
Review :
"Throughout, practical examples are included from various healthcare, manufacturing, and retail industries that demonstrate key concepts, implementation guidance to get started, as well as tables of risk indicators and metrics, physical structure diagrams, and graphs". (PR-Inside.com, 29 March 2011)
