Security Risk Management - 1st Edition - ISBN: 9781597496155, 9781597496162

Security Risk Management

1st Edition

Building an Information Security Risk Management Program from the Ground Up

Authors: Evan Wheeler
eBook ISBN: 9781597496162
Paperback ISBN: 9781597496155
Imprint: Syngress
Published Date: 17th May 2011
Page Count: 360
Sales tax will be calculated at check-out Price includes VAT/GST
In Stock
In Stock
In Stock
Sorry, this product is currently out of stock.
Sorry, we aren’t shipping this product to your region at this time.
38.95
49.95
57.23
34.99
Unavailable
Price includes VAT/GST
30.99
38.95
49.95
Unavailable
Price includes VAT/GST
× Read this ebook on your PC, Mac, Apple iOS and Andriod mobile devices and eReader

This ebook is protected by Adobe Content Server digital rights management.

For more information on how to use .acsm files please click the Ebook Format Help link.

Institutional Access

Support Center

Secure Checkout

Personal information is secured with SSL technology.

Free Shipping

Free global shipping
No minimum order.

Description

Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks.

This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program.

This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs.

Key Features

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program

Readership

CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs

Table of Contents

PREFACE

ACKNOWLEDGMENTS

ABOUT THE AUTHOR

ABOUT THE TECHNICAL EDITOR

PART I. Introduction to Risk Management

Chapter 1. The Security Evolution

Information in this Chapter

Introduction

How We Got Here

A Risk-Focused Future

Information Security Fundamentals

The Death of Information Security

Summary

Chapter 2. Risky Business

Information in this Chapter

Introduction

Applying Risk Management to Information Security

Business-Driven Security Program

Security as an Investment

Qualitative versus Quantitative

Summary

Chapter 3. The Risk Management Lifecycle

Information in this Chapter

Introduction

Stages of the Risk Management Lifecycle

Business Impact Assessment

A Vulnerability Assessment Is Not a Risk Assessment

Making Risk Decisions

Mitigation Planning and Long-Term Strategy

Process Ownership

Summary

PART II. Risk Assessment and Analysis Techniques

Chapter 4. Risk Profiling

Information in this Chapter

Introduction

How Risk Sensitivity Is Measured

Asking the Right Questions

Assessing Risk Appetite

Summary

Chapter 5. Formulating a Risk

Information in this Chapter

Introduction

Breaking Down a Risk

Who or What Is the Threat?

Summary

Chapter 6. Risk Exposure Factors

Information in this Chapter

Introduction

Qualitative Risk Measures

Risk Assessment

Summary

Chapter 7. Security Controls and Services

Information in this Chapter

Introduction

Fundamental Security Services

Recommended Controls

Summary

Chapter 8. Risk Evaluation and Mitigation Strategies

Information in this Chapter

Introduction

Risk Evaluation

Risk Mitigation Planning

Policy Exceptions and Risk Acceptance

Summary

Chapter 9. Reports and Consulting

Information in this Chapter

Introduction

Risk Management Artifacts

A Consultant’s Perspective

Writing Audit Responses

Summary

Chapter 10. Risk Assessment Techniques

Information in this Chapter

Introduction

Operational Assessments

Project-Based Assessments

Third-Party Assessments

Summary

PART III. Building and Running a Risk Management Program

Chapter 11. Threat and Vulnerability Management

Information in this Chapter

Introduction

Building Blocks

Threat Identification

Advisories and Testing

An Efficient Workflow

The FAIR Approach

Summary

Chapter 12. Security Risk Reviews

Information in this Chapter

Introduction

Assessing the State of Compliance

Implementing a Process

Process Optimization: A Review of Key Points

The NIST Approach

Summary

Chapter 13. A Blueprint for Security

Information in this Chapter

Introduction

Risk in the Development Lifecycle

Security Architecture

Patterns and Baselines

Architectural Risk Analysis

Summary

Chapter 14. Building a Program from Scratch

Information in this Chapter

Introduction

Designing a Risk Program

Prerequisites for a Risk Management Program

Risk at the Enterprise Level

Linking the Program Components

Program Roadmap

Summary

APPENDIX A. Sample Security Risk Profile

A. General Information

B. Information Sensitivity

C. Regulatory Requirements

D. Business Requirements

E. Definitions

APPENDIX B. Qualitative Risk Scale Reference Tables

APPENDIX C. Architectural Risk Analysis Reference Tables

Baseline Security Levels and Sample Controls

Security Enhancement Levels and Sample Controls

Mapping Security Levels

Index

Details

No. of pages:
360
Language:
English
Copyright:
© Syngress 2011
Published:
Imprint:
Syngress
eBook ISBN:
9781597496162
Paperback ISBN:
9781597496155

About the Author

Evan Wheeler

Evan Wheeler currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.

Affiliations and Expertise

currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.

Awards

Best Governance and ISMS Books 2011, InfoSec Reviews

Reviews

"Evan Wheeler has developed a much needed new approach to the field of security risk management. Readers familiar with this field of study will find that it does what he says he wants it to do: shake the old risk paradigms out of their roots and plant something fresh and useful today."--Dennis Treece, Colonel, US Army (Retired)/Chief Security Officer, Massachusetts Port Authority-Boston

"Wheeler’s book is predominantly a practitioner’s guide to security risk management but can also be used as a teaching text to help engineers, students of security, information assurance, or information systems more broadly. The key message that Wheeler is emphasizing is that risk is at the core of security, and at the heart of every business. Despite that the book lacks key referencing from academic literature, it can still be used as the basis for setting a large-scale team assignment on devising a risk management program from the ground up for a real organisation. Security professionals in banks will particularly find the book relevant."--Computers and Security

"This book is packed with practical
tips and the information contained throughout provides a good overview of the subject matter. The author explains the fundamentals of risk identification, assessment and management, exploring the differences between a vulnerability assessment and a risk assessment, and also providing rationales behind each of the subjects covered. This is not a technical book and the author generally avoids detailed technical analysis; rather it is an aide-memoir for Security Risk Management. …his book is recommended, in particular, for those beginning a career in Risk Management. It also provides a useful reference for current risk professionals who perhaps could benefit from a book that helps refine and further improve their current skillset."--Best Governance and ISMS Books in InfoSecReviews Book Awards

"

Ratings and Reviews

Request Quote

Tax Exemption

We cannot process tax exempt orders online. If you wish to place a tax exempt order please contact us.