Details

<p>Preface xiii</p> <p>About the Authors xv</p> <p><b>Part I Industry Practices in Risk Management 1</b></p> <p><b>1. Information Security Risk Management Imperatives and Opportunities 3</b></p> <p>1.1 Risk Management Purpose and Scope 3</p> <p>1.1.1 Purpose of Risk Management 3</p> <p>1.1.2 Text Scope 17</p> <p>References 24</p> <p>Appendix 1A: Bibliography of Related Literature 25</p> <p><b>2. Information Security Risk Management Defined 33</b></p> <p>2.1 Key Risk Management Definitions 33</p> <p>2.1.1 Survey of Industry Definitions 33</p> <p>2.1.2 Adopted Definitions 37</p> <p>2.2 A Mathematical Formulation of Risk 40</p> <p>2.2.1 What is Risk? A Formal Definition 44</p> <p>2.2.2 Risk in IT Environments 44</p> <p>2.2.3 Risk Management Procedures 49</p> <p>2.3 Typical Threats/Risk Events 56</p> <p>2.4 What is an Enterprise Architecture? 61</p> <p>References 65</p> <p>Appendix 2A: The CISSPforum/ISO27k Implementers Forum Information Security Risk List for 2008 66</p> <p>Appendix 2B: What is Enterprise Risk Management (ERM)? 71</p> <p><b>3. Information Security Risk Management Standards 73</b></p> <p>3.1 ISO/IEC 13335 77</p> <p>3.2 ISO/IEC 17799 (ISO/IEC 27002:2005) 78</p> <p>3.3 ISO/IEC 27000 SERIES 78</p> <p>3.3.1 ISO/IEC 27000, Information Technology—Security Techniques—Information Security Management Systems—Fundamentals and Vocabulary 79</p> <p>3.3.2 ISO/IEC 27001:2005, Information Technology—Security Techniques—Specification for an Information Security Management System 79</p> <p>3.3.3 ISO/IEC 27002:2005, Information Technology—Security Techniques—Code of Practice for Information Security Management 84</p> <p>3.3.4 ISO/IEC 27003 Information Technology—Security Techniques—Information Security Management System Implementation Guidance 90</p> <p>3.3.5 ISO/IEC 27004 Information Technology—Security Techniques—Information Security Management—Measurement 91</p> <p>3.3.6 ISO/IEC 27005:2008 Information Technology—Security Techniques—Information Security Risk Management 92</p> <p>3.4 ISO/IEC 31000 92</p> <p>3.5 NIST STANDARDS 94</p> <p>3.5.1 NIST SP 800-16 96</p> <p>3.5.2 NIST SP 800-30 99</p> <p>3.5.3 NIST SP 800-39 101</p> <p>3.6 AS/NZS 4360 105</p> <p>References 106</p> <p>Appendix 3A: Organization for Economic CoOperation and Development (OECD) Guidelines for the Security of Information Systems and Networks: Toward a Culture of Security 107</p> <p><b>4. A Survey of Available Information Security Risk Management Methods and Tools 111</b></p> <p>4.1 Overview 111</p> <p>4.2 Risk Management/Risk Analysis Methods 114</p> <p>4.2.1 Austrian IT Security Handbook 114</p> <p>4.2.2 CCTA Risk Assessment and Management Methodology (CRAMM) 115</p> <p>4.2.3 Dutch A&K Analysis 117</p> <p>4.2.4 EBIOS 117</p> <p>4.2.5 ETSI Threat Vulnerability and Risk Analysis (TVRA) Method 119</p> <p>4.2.6 FAIR (Factor Analysis of Information Risk) 122</p> <p>4.2.7 FIRM (Fundamental Information Risk Management) 124</p> <p>4.2.8 FMEA (Failure Modes and Effects Analysis) 125</p> <p>4.2.9 FRAP (Facilitated Risk Assessment Process) 128</p> <p>4.2.10 ISAMM (Information Security Assessment and Monitoring Method) 129</p> <p>4.2.11 ISO/IEC Baselines 130</p> <p>4.2.12 ISO 31000 Methodology 130</p> <p>4.2.13 IT-Grundschutz (IT Baseline Protection Manual) 136</p> <p>4.2.14 MAGERIT (Metodologia de Analisis y Gestion de Riesgos de los Sistemas de Informacion) (Methodology for Information Systems Risk Analysis and Management) 137</p> <p>4.2.15 MEHARI (Méthode Harmonisée d’Analyse de Risques—Harmonised Risk Analysis Method) 142</p> <p>4.2.16 Microsoft’s Security Risk Management Guide 146</p> <p>4.2.17 MIGRA (Metodologia Integrata per la Gestione del Rischio Aziendale) 152</p> <p>4.2.18 NIST 153</p> <p>4.2.19 National Security Agency (NSA) IAM / IEM / IA-CMM 153</p> <p>4.2.20 Open Source Approach 155</p> <p>4.2.21 PTA (Practical Threat Analysis) 158</p> <p>4.2.22 SOMAP (Security Officers Management and Analysis Project) 160</p> <p>4.2.23 Summary 161</p> <p>References 162</p> <p><b>5. Methodologies Examples: Cobit and Octave 164</b></p> <p>5.1 Overview 164</p> <p>5.2 COBIT 166</p> <p>5.2.1 COBIT Framework 172</p> <p>5.2.2 The Need for a Control Framework for IT Governance 173</p> <p>5.2.3 How COBIT Meets the Need 175</p> <p>5.2.4 COBIT’s Information Criteria 175</p> <p>5.2.5 Business Goals and IT Goals 176</p> <p>5.2.6 COBIT Framework 177</p> <p>5.2.7 IT Resources 178</p> <p>5.2.8 Plan and Organize (PO) 180</p> <p>5.2.9 Acquire and Implement (AI) 180</p> <p>5.2.10 Deliver and Support (DS) 180</p> <p>5.2.11 Monitor and Evaluate (ME) 181</p> <p>5.2.12 Processes Need Controls 181</p> <p>5.2.13 COBIT Framework 181</p> <p>5.2.14 Business and IT Controls 184</p> <p>5.2.15 IT General Controls and Application Controls 185</p> <p>5.2.16 Maturity Models 187</p> <p>5.2.17 Performance Measurement 194</p> <p>5.3 OCTAVE 205</p> <p>5.3.1 The OCTAVE Approach 205</p> <p>5.3.2 The OCTAVE Method 208</p> <p>References 210</p> <p><b>Part II Developing Risk Management Teams 211</b></p> <p><b>6. Risk Management Issues and Organization Specifics 213</b></p> <p>6.1 Purpose and Scope 213</p> <p>6.2 Risk Management Policies 216</p> <p>6.3 A Snapshot of Risk Management in the Corporate World 219</p> <p>6.3.1 Motivations for Risk Management 224</p> <p>6.3.2 Justifying Risk Management Financially 225</p> <p>6.3.3 The Human Factors 230</p> <p>6.3.4 Priority-Oriented Rational Approach 232</p> <p>6.4 Overview of Pragmatic Risk Management Process 234</p> <p>6.4.1 Creation of a Risk Management Team, and Adoption of Methodologies 234</p> <p>6.4.2 Iterative Procedure for Ongoing Risk Management 236</p> <p>6.5 Roadmap to Pragmatic Risk Management 236</p> <p>References 239</p> <p>Appendix 6A: Example of a Security Policy 239</p> <p><b>7. Assessing Organization and Establishing Risk Management Scope 243</b></p> <p>7.1 Assessing the Current Enterprise Environment 244</p> <p>7.2 Soliciting Support From Senior Management 248</p> <p>7.3 Establishing Risk Management Scope and Boundaries 259</p> <p>7.4 Defining Acceptable Risk for Enterprise 260</p> <p>7.5 Risk Management Committee 263</p> <p>7.6 Organization-Specific Risk Methodology 264</p> <p>7.6.1 Quantitative Methods 265</p> <p>7.6.2 Qualitative Methods 267</p> <p>7.6.3 Other Approaches 269</p> <p>7.7 Risk Waivers Programs 272</p> <p>References 274</p> <p>Appendix 7A: Summary of Applicable Legislation 275</p> <p><b>8. Identifying Resources and Implementing the Risk Management Team 280</b></p> <p>8.1 Operating Costs to Support Risk Management and Staffing Requirements 281</p> <p>8.2 Organizational Models 286</p> <p>8.3 Staffing Requirements 287</p> <p>8.3.1 Specialized Skills Required 290</p> <p>8.3.2 Sourcing Options 291</p> <p>8.4 Risk Management Tools 295</p> <p>8.5 Risk Management Services 296</p> <p>8.5.1 Alerting and Analysis Services 296</p> <p>8.5.2 Assessments, Audits, and Project Consulting 296</p> <p>8.6 Developing and Implementing the Risk Management/Assessment Team 298</p> <p>8.6.1 Creating Security Standards 298</p> <p>8.6.2 Defining Subject Matter Experts 300</p> <p>8.6.3 Determining Information Sources 300</p> <p>References 301</p> <p>Appendix 8A: Sizing Example for Risk Management Team 302</p> <p>Appendix 8B: Example of Vulnerability Alerts by Vendors and CERT 331</p> <p>Appendix 8C: Examples of Data Losses—A One-Month Snapshot 336</p> <p><b>9. Identifying Assets and Organization Risk Exposures 338</b></p> <p>9.1 Importance of Asset Identification and Management 338</p> <p>9.2 Enterprise Architecture 340</p> <p>9.3 Identifying IT Assets 346</p> <p>9.4 Assigning Value to IT Assets 353</p> <p>9.5 Vulnerability Identification/Classification 354</p> <p>9.5.1 Base Parameters 360</p> <p>9.5.2 Temporal Parameters 362</p> <p>9.5.3 Environmental Parameters 363</p> <p>9.6 Threat Analysis: Type of Risk Exposures 367</p> <p>9.6.1 Type of Risk Exposures 368</p> <p>9.6.2 Internal Team Programs (to Uncover Risk Exposures) 371</p> <p>9.7 Summary 371</p> <p>References 371</p> <p>Appendix 9A: Common Information Systems Assets 372</p> <p><b>10. Remediation Planning and Compliance Reporting 377</b></p> <p>10.1 Determining Risk Value 377</p> <p>10.2 Remediation Approaches 380</p> <p>10.3 Prioritizing Remediations 384</p> <p>10.4 Determining Mitigating Timeframes 385</p> <p>10.5 Compliance Monitoring and Security Metrics 387</p> <p>10.6 Compliance Reporting 390</p> <p>References 391</p> <p>Basic Glossary of Terms Used in This Text 392</p> <p>Index 415</p>

"Throughout, practical examples are included from various healthcare, manufacturing, and retail industries that demonstrate key concepts, implementation guidance to get started, as well as tables of risk indicators and metrics, physical structure diagrams, and graphs". (PR-Inside.com, 29 March 2011)

<p><b>JAKE KOUNS</b> is cofounder, CEO, and CFO of the Open Security Foundation. He holds an MBA in information security from James Madison University and a number of certifications, including ISC2's CISSP, ISACA's CISM, CISA, and CGEIT. <p><b>DANIEL MINOLI</b> is an expert in the fields of IT, telecommunications, and networking, with work experience at Capital One Financial, Prudential Securities, and AT&T, among others. He is the founder and President Emeritus of the IPv6 Institute. He is the author or coauthor of several books on IT, security, and networking, including <i>Minoli-Cordovana's Authoritative Computer and Network Security Dictionary</i> and <i>Network Infrastructure and Architecture: Designing High Availability Networks</i>, both published by Wiley.

<p><b>LEARN HOW AN ORGANIZATION NEEDS TO POSITION ITSELF TO PROPERLY HANDLE RISKS TO ITS CRITICAL ASSETS</b> <p><i>Information Technology Risk Management in Enterprise Environments</i> provides a comprehensive review of industry approaches, practices, and standards on how to handle the ever-increasing risks to organizations' business-critical assets. Through a practical approach, this book explores key topics that enable readers to uncover and remediate potential infractions. The authors present an effective risk management program by providing: <ul> <li>An overview of risk assessment, mitigation, and management approaches and methodologies</li> <li>Processes for developing a repeatable program for technological issues and human resources</li> <li>Definitions of key concepts and security standards in the area of risk management</li> <li>Analytical techniques for assessing the amount of risk and the benefit of risk remediation</li> <li>Information on the development and implementation of the risk management team</li> </ul> <p><i>Information Technology Risk Management in Enterprise Environments</i> details fundamental corporate risks and outlines how they can be avoided. It is an essential resource for information security managers and analysts, system developers, auditors, consultants, and students in understanding the IT resources, procedures, and tools to identify and handle technology and security risks.

US