Security Risk Management

Building an Information Security Risk Management Program from the Ground Up

1st Edition - April 20, 2011

  • Author: Evan Wheeler
  • Paperback ISBN: 9781597496155
  • eBook ISBN: 9781597496162

Description

Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks. This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program. This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs.

Key Features

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program

Readership

CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs

Table of Contents

  • Preface
  • Acknowledgments
  • About the Author
  • About the Technical Editor
  • PART I. Introduction to Risk Management
    • Chapter 1. The Security Evolution
      • Information in this Chapter
      • Introduction
      • How We Got Here
      • A Risk-Focused Future
      • Information Security Fundamentals
      • The Death of Information Security
      • Summary
    • Chapter 2. Risky Business
      • Information in this Chapter
      • Introduction
      • Applying Risk Management to Information Security
      • Business-Driven Security Program
      • Security as an Investment
      • Qualitative versus Quantitative
      • Summary
    • Chapter 3. The Risk Management Lifecycle
      • Information in this Chapter
      • Introduction
      • Stages of the Risk Management Lifecycle
      • Business Impact Assessment
      • A Vulnerability Assessment Is Not a Risk Assessment
      • Making Risk Decisions
      • Mitigation Planning and Long-Term Strategy
      • Process Ownership
      • Summary
  • PART II. Risk Assessment and Analysis Techniques
    • Chapter 4. Risk Profiling
      • Information in this Chapter
      • Introduction
      • How Risk Sensitivity Is Measured
      • Asking the Right Questions
      • Assessing Risk Appetite
      • Summary
    • Chapter 5. Formulating a Risk
      • Information in this Chapter
      • Introduction
      • Breaking Down a Risk
      • Who or What Is the Threat?
      • Summary
    • Chapter 6. Risk Exposure Factors
      • Information in this Chapter
      • Introduction
      • Qualitative Risk Measures
      • Risk Assessment
      • Summary
    • Chapter 7. Security Controls and Services
      • Information in this Chapter
      • Introduction
      • Fundamental Security Services
      • Recommended Controls
      • Summary
    • Chapter 8. Risk Evaluation and Mitigation Strategies
      • Information in this Chapter
      • Introduction
      • Risk Evaluation
      • Risk Mitigation Planning
      • Policy Exceptions and Risk Acceptance
      • Summary
    • Chapter 9. Reports and Consulting
      • Information in this Chapter
      • Introduction
      • Risk Management Artifacts
      • A Consultant's Perspective
      • Writing Audit Responses
      • Summary
    • Chapter 10. Risk Assessment Techniques
      • Information in this Chapter
      • Introduction
      • Operational Assessments
      • Project-Based Assessments
      • Third-Party Assessments
      • Summary
  • PART III. Building and Running a Risk Management Program
    • Chapter 11. Threat and Vulnerability Management
      • Information in this Chapter
      • Introduction
      • Building Blocks
      • Threat Identification
      • Advisories and Testing
      • An Efficient Workflow
      • The FAIR Approach
      • Summary
    • Chapter 12. Security Risk Reviews
      • Information in this Chapter
      • Introduction
      • Assessing the State of Compliance
      • Implementing a Process
      • Process Optimization: A Review of Key Points
      • The NIST Approach
      • Summary
    • Chapter 13. A Blueprint for Security
      • Information in this Chapter
      • Introduction
      • Risk in the Development Lifecycle
      • Security Architecture
      • Patterns and Baselines
      • Architectural Risk Analysis
      • Summary
    • Chapter 14. Building a Program from Scratch
      • Information in this Chapter
      • Introduction
      • Designing a Risk Program
      • Prerequisites for a Risk Management Program
      • Risk at the Enterprise Level
      • Linking the Program Components
      • Program Roadmap
      • Summary
  • APPENDIX A. Sample Security Risk Profile
    • A. General Information
    • B. Information Sensitivity
    • C. Regulatory Requirements
    • D. Business Requirements
    • E. Definitions
  • APPENDIX B. Qualitative Risk Scale Reference Tables
  • APPENDIX C. Architectural Risk Analysis Reference Tables
    • Baseline Security Levels and Sample Controls
    • Security Enhancement Levels and Sample Controls
    • Mapping Security Levels
  • Index

Product details

  • No. of pages: 360
  • Language: English
  • Copyright: © Syngress 2011
  • Published: April 20, 2011
  • Imprint: Syngress
  • Paperback ISBN: 9781597496155
  • eBook ISBN: 9781597496162

About the Author

Evan Wheeler

Evan Wheeler is currently a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.
