Information security risk assessment toolkit [electronic resource] : practical assessments through data collection and data analysis / Mark Ryan M. Talabis, Jason L. Martin
- Machine generated contents note:
ch. 1 Information Security Risk Assessments -- Introduction -- What is Risk? -- Going Deeper with Risk -- Components of Risk -- Putting it All Together -- Information Security Risk -- What is an Information Security Risk Assessment? -- Why Assess Information Security Risk? -- Risk Assessments and the Security Program -- Information Risk Assessment Activities in a Nutshell -- Drivers, Laws, and Regulations -- Federal Information Security Management Act of 2002 (FISMA) -- Gramm-Leach-Bliley Act (GLBA) -- Health Insurance Portability and Accountability Act (HIPAA) -- State Governments -- ISO 27001 -- Summary -- What is Risk? -- What is an Information Security Risk Assessment? -- Drivers, Laws, and Regulations -- References
ch. 2 Information Security Risk Assessment: A Practical Approach -- Introduction -- A Primer on Information Security Risk Assessment Frameworks -- Do I Use an Existing Framework or Should I Use My Own? -- OCTAVE -- FAIR -- NIST SP 800-30 -- ISO 27005 -- A Comparison of the Major Activities for the Four Frameworks -- A Comparison of the Major Activities for the Four Frameworks Based on Activities -- Our Risk Assessment Approach -- Summary
ch. 3 Information Security Risk Assessment: Data Collection -- Introduction -- The Sponsor -- The Project Team -- The Size and Breadth of the Risk Assessment -- Scheduling and Deadlines -- Assessor and Organization Experience -- Workload -- Data Collection Mechanisms -- Collectors -- Containers -- Executive Interviews -- Document Requests -- IT Asset Inventories -- Asset Scoping -- Interviews -- Asset Scoping Workshops -- Business Impact Analysis and Other Assessments -- Critical Success Factor Analysis -- The Asset Profile Survey -- Who Do You Ask for Information? -- How Do You Ask for the Information? -- What Do You Ask for? -- The Control Survey -- Who Do You Ask for Information? -- How Do You Ask for Information? -- What Do You Ask for? -- Organizational vs. System Specific -- Scale vs. Yes or No -- Inquiry vs. Testing -- Survey Support Activities and Wrap-Up -- Before and During the Survey -- Review of Survey Responses -- Post-Survey Verifications -- Consolidation
ch. 4 Information Security Risk Assessment: Data Analysis -- Introduction -- Compiling Observations from Organizational Risk Documents -- Preparation of Threat and Vulnerability Catalogs -- Threat Catalog -- Vulnerability Catalog -- Threat Vulnerability Pairs -- Overview of the System Risk Computation -- Designing the Impact Analysis Scheme -- Confidentiality -- Integrity -- Availability -- Preparing the Impact Score -- Practical Tips -- Designing the Control Analysis Scheme -- Practical Tips -- Designing the Likelihood Analysis Scheme -- Exposure -- Frequency -- Controls -- Likelihood -- Putting it Together and the Final Risk Score
ch. 5 Information Security Risk Assessment: Risk Assessment -- Introduction -- System Risk Analysis -- Risk Classification -- Risk Rankings -- Individual System Risk Reviews -- Threat and Vulnerability Review -- Review Activities for Organizational Risk -- Review of Security Threats and Trends -- Review of Audit Findings -- Review of Security Incidents -- Review of Security Exceptions -- Review of Security Metrics -- Risk Prioritization and Risk Treatment
ch. 6 Information Security Risk Assessment: Risk Prioritization and Treatment -- Introduction -- Organizational Risk Prioritization and Treatment -- Review of Security Threats and Trends -- Review of Audit Findings -- Review of Security Incidents -- Review of Security Exceptions -- Review of Security Metrics -- System Specific Risk Prioritization and Treatment -- Issues Register
ch. 7 Information Security Risk Assessment: Reporting -- Introduction -- Outline -- Risk Analysis Executive Summary -- Methodology -- Organizational -- System Specific -- Results -- Organizational Analysis -- System Specific -- Risk Register -- Conclusion -- Appendices
ch. 8 Information Security Risk Assessment: Maintenance and Wrap Up -- Introduction -- Process Summary -- Data Collection -- Data Analysis -- Risk Analysis -- Reporting -- Key Deliverables -- Post Mortem -- Scoping -- Executive Interviews -- System Owners and Stewards -- Document Requests -- System Profile and Control Survey -- Analysis -- Reporting -- General Process.
- In order to protect a company's information assets, such as sensitive customer records and health care records, the security practitioner first needs to find out what needs to be protected, what risks those assets are exposed to, what controls are in place to offset those risks, and where to focus attention for risk treatment. This is the true value and purpose of information security risk assessments. Effective risk assessments are meant to provide a defensible analysis of the residual risk associated with your key assets so that risk treatment options can be explored. Information Security Risk Assessments gives you the tools and skills to produce a quick, reliable, and thorough risk assessment for key stakeholders. It is based on the authors' experiences of real-world assessments, reports, and presentations; it focuses on implementing a process, rather than theory, that allows you to derive a quick and valuable assessment; and it includes a companion web site with spreadsheets you can use to create and maintain the risk assessment.
- 9781597497350 (electronic bk.) and 1597497355 (electronic bk.)
- Includes index. and AVAILABLE ONLINE TO AUTHORIZED PSU USERS.
catkey: 9181418