Security Risk Management

Building an Information Security Risk Management Program from the Ground Up

The goal of Security Risk Management is to teach you practical techniques that you will use on a daily basis, while also explaining the fundamentals so you understand the rationale behind these practices. Security professionals often fall into the trap of telling the business that it needs to fix something without being able to explain why. This book will help you break free from the so-called "best practices" argument by articulating risk exposures in business terms. You will learn how to perform risk assessments for new IT projects, how to manage daily risk activities efficiently, and how to qualify the current risk level for presentation to executive-level management. While other books focus entirely on risk analysis methods, this is the first comprehensive guide to managing security risks.

Audience

CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs

Paperback, 360 Pages

Published: May 2011

Imprint: Syngress

ISBN: 978-1-59749-615-5

Reviews

  • "Evan Wheeler has developed a much needed new approach to the field of security risk management. Readers familiar with this field of study will find that it does what he says he wants it to do: shake the old risk paradigms out of their roots and plant something fresh and useful today."--Dennis Treece, Colonel, US Army (Retired)/Chief Security Officer, Massachusetts Port Authority-Boston

  • "Wheeler's book is predominantly a practitioner's guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Although the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant."--Computers and Security

  • "This book is packed with practical tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-memoir for Security Risk Management. …his book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset."--Best Governance and ISMS Books in InfoSecReviews Book Awards

  • "Evan Wheeler's book, Security Risk Management, provides security and business continuity practitioners with the ability to thoroughly plan and build a solid security risk management program. The buzz words that are used throughout the corporate risk management industry today are often misused or overused. Wheeler breaks down such terms, translating them for the reader and articulating how they apply to a security risk management program. He believes risk managers should consider banning the term "best practices" from their vocabulary; he doesn't think one size fits all when creating a security risk management program… Building an information security risk management program from the ground up is a monumental task that requires various business units to react and adopt change to move a business forward. This book provides valuable information for security, IT, and business continuity professionals on creating such a program."--Security Management

Contents

  • Part I - Introduction to Risk Management
    Chapter 1. The Security Evolution
    Introduction
    How We Got Here
    A Risk Focused Future
    Information Security Fundamentals
    The Death of Information Security
    Summary
    References

    Chapter 2. Risky Business
    Introduction
    Applying Risk Management to Information Security
    Business Driven Security Program
    Security as an Investment
    Qualitative vs. Quantitative
    Summary
    References

    Chapter 3. The Risk Management Lifecycle
    Introduction
    Stages of the Risk Management Lifecycle
    Business Impact Assessment
    A Vulnerability Assessment Is Not A Risk Assessment
    Making Risk Decisions
    Mitigation Planning & Long-term Strategy
    Process Ownership
    Summary

  • Part II - Risk Assessment and Analysis Techniques

    Chapter 4. Risk Profiling
    Introduction
    How Risk Sensitivity is Measured
    Asking the Right Questions
    Assessing Risk Appetite
    Summary
    References

    Chapter 5. Formulating a Risk
    Introduction
    Breaking Down a Risk
    Who or What is the Threat?
    Summary
    References

    Chapter 6. Risk Exposure Factors
    Introduction
    Qualitative Risk Measures
    Summary
    References

    Chapter 7. Security Controls & Services
    Introduction
    Fundamental Security Services
    Recommended Controls
    Summary
    References

    Chapter 8. Risk Evaluation & Mitigation Strategies
    Introduction
    Risk Evaluation
    Risk Mitigation Planning
    Policy Exceptions and Risk Acceptance
    Summary

    Chapter 9. Reports & Consulting
    Introduction
    Risk Management Artifacts
    A Consultant’s Perspective
    Writing Audit Responses
    Summary
    References

    Chapter 10. Risk Assessment Techniques
    Introduction
    Operational Assessments
    Project-based Assessments
    Third-Party Assessments
    Summary
    References

  • Part III - Building and Running a Risk Management Program

    Chapter 11. Threat & Vulnerability Management
    Introduction
    Building Blocks
    Threat Identification
    An Efficient Workflow
    The FAIR Approach
    Summary
    References

    Chapter 12. Security Risk Reviews
    Introduction
    Assessing the State of Compliance
    Implementing a Process
    Process Optimization: A Review of Key Points
    The NIST Approach
    Summary
    References

    Chapter 13. A Blueprint for Security
    Introduction
    Risk in the Development Lifecycle
    Security Architecture
    Patterns & Baselines
    Architectural Risk Analysis
    Summary
    References

    Chapter 14. Building a Program from Scratch
    Introduction
    Designing a Risk Program
    Prerequisites for a Risk Management Program
    Risk at the Enterprise Level
    Linking the Program Components
    Program Roadmap
    Summary
    References

  • Appendices
    Appendix A. Security Risk Profile
    Appendix B. Risk Models and Scales
    Appendix C. Architectural Risk Analysis Reference Tables