Managing Risk in Information Systems, 3rd Edition

Table of contents

1. Cover
2. Title Page
3. Copyright Page
4. Brief Contents
5. Contents
6. Dedication
7. Preface
8. Acknowledgments
9. About the Authors
10. CHAPTER 1 Risk Management Fundamentals
    1. What Is Risk?
       1. Compromise of Business Functions
       2. Threats, Vulnerabilities, Assets, and Impact
    2. Classify Business Risks
       1. Risks Posed by People
       2. Risks Posed by a Lack of Process
       3. Risks Posed by Technology
    3. Risk Identification Techniques
       1. Identifying Threats
       2. Identifying Vulnerabilities
       3. Assessing Impact and Likelihood
    4. Risk Management Process
       1. Cost-Benefit Analysis
       2. Profitability Versus Survivability
    5. Risk-Handling Strategies
       1. Avoiding
       2. Sharing or Transferring
       3. Mitigating
       4. Accepting
       5. Residual Risk
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 1 ASSESSMENT
11. CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits
    1. Understanding and Protecting Assets
    2. Understanding and Managing Threats
       1. Uncontrollable Nature of Threats
       2. Unintentional Threats
       3. Intentional Threats
       4. Best Practices for Managing Risk Within an IT Infrastructure
       5. EY Global Information Security Survey 2018–2019
    3. Understanding and Managing Vulnerabilities
       1. Threat/Vulnerability Pairs
       2. Vulnerabilities Can Be Mitigated
       3. Mitigation Techniques
       4. Best Practices for Managing Vulnerabilities Within an IT Infrastructure
    4. Understanding and Managing Exploits
       1. What Is an Exploit?
       2. How Do Perpetrators Initiate an Exploit?
       3. Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
       4. Mitigation Techniques
       5. Best Practices for Managing Exploits Within an IT Infrastructure
    5. U.S. Federal Government Risk Management Initiatives
       1. National Institute of Standards and Technology
       2. Department of Homeland Security
       3. National Cybersecurity and Communications Integration Center
       4. U.S. Computer Emergency Readiness Team
       5. The MITRE Corporation and the CVE List
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 2 ASSESSMENT
12. CHAPTER 3 Understanding and Maintaining Compliance
    1. U.S. Compliance Laws
       1. Federal Information Security Modernization Act
       2. Health Insurance Portability and Accountability Act
       3. Gramm-Leach-Bliley Act
       4. Sarbanes-Oxley Act
       5. Family Educational Rights and Privacy Act
       6. Children’s Internet Protection Act
       7. Children’s Online Privacy Protection Act
    2. Regulations Related to Compliance
       1. Securities and Exchange Commission
       2. Federal Deposit Insurance Corporation
       3. Department of Homeland Security
       4. Federal Trade Commission
       5. State Attorney General
       6. U.S. Attorney General
    3. Organizational Policies for Compliance
    4. Standards and Guidelines for Compliance
       1. Payment Card Industry Data Security Standard
       2. National Institute of Standards and Technology
       3. Generally Accepted Information Security Principles
       4. Control Objectives for Information and Related Technology
       5. International Organization for Standardization
       6. International Electrotechnical Commission
       7. Information Technology Infrastructure Library
       8. Capability Maturity Model Integration
       9. General Data Protection Regulation
       10. Department of Defense Information Assurance Certification and Accreditation Process
    5. CHAPTER SUMMARY
    6. KEY CONCEPTS AND TERMS
    7. CHAPTER 3 ASSESSMENT
13. CHAPTER 4 Developing a Risk Management Plan
    1. Objectives of a Risk Management Plan
       1. Objectives Example: Website
       2. Objectives Example: HIPAA Compliance
    2. Scope of a Risk Management Plan
       1. Scope Example: Website
       2. Scope Example: HIPAA Compliance
    3. Assigning Responsibilities
       1. Responsibilities Example: Website
       2. Responsibilities Example: HIPAA Compliance
    4. Describing Procedures and Schedules for Accomplishment
       1. Procedures Example: Website
       2. Procedures Example: HIPAA Compliance
    5. Reporting Requirements
       1. Presenting Recommendations
       2. Documenting Management Response to Recommendations
       3. Documenting and Tracking Implementation of Accepted Recommendations
    6. Plan of Action and Milestones
    7. Charting the Progress of a Risk Management Plan
       1. Milestone Plan Chart
       2. Gantt Chart
       3. Critical Path Chart
    8. Steps of the NIST Risk Management Framework
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 4 ASSESSMENT
14. CHAPTER 5 Defining Risk Assessment Approaches
    1. Understanding Risk Assessments
       1. Importance of Risk Assessments
       2. Purpose of a Risk Assessment
    2. Critical Components of a Risk Assessment
       1. Identifying Scope
       2. Identifying Critical Areas
       3. Identifying Team Members
    3. Types of Risk Assessments
       1. Quantitative Risk Assessments
       2. Qualitative Risk Assessments
       3. Comparing Quantitative and Qualitative Risk Assessments
    4. Risk Assessment Challenges
       1. Using a Static Process to Evaluate a Moving Target
       2. Availability of Resources and Data
       3. Data Consistency
       4. Estimating Impact Effects
       5. Providing Results That Support Resource Allocation and Risk Acceptance
    5. Best Practices for Risk Assessment
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 5 ASSESSMENT
15. CHAPTER 6 Performing a Risk Assessment
    1. Selecting a Risk Assessment Methodology
       1. Defining the Assessment
       2. Reviewing Previous Findings
    2. Identifying the Management Structure
    3. Identifying Assets and Activities Within Risk Assessment Boundaries
       1. System Access and Availability
       2. System Functions
       3. Hardware and Software Assets
       4. Personnel Assets
       5. Data and Information Assets
       6. Facilities and Supplies
    4. Identifying and Evaluating Relevant Threats
       1. Reviewing Historical Data
       2. Performing Threat Modeling
    5. Identifying and Evaluating Relevant Vulnerabilities
       1. Vulnerability Assessments
       2. Exploit Assessments
    6. Identifying and Evaluating Controls
       1. In-Place and Planned Controls
       2. Control Categories
    7. Selecting a Methodology Based on Assessment Needs
       1. Quantitative Method
       2. Qualitative Method
    8. Developing Mitigating Recommendations
       1. Threat/Vulnerability Pairs
       2. Estimate of Cost and Time to Implement
       3. Estimate of Operational Impact
       4. Cost-Benefit Analysis
    9. Presenting Risk Assessment Results
    10. Best Practices for Performing Risk Assessments
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 6 ASSESSMENT
16. CHAPTER 7 Identifying Assets and Activities to Be Protected
    1. System Access and Availability
    2. System Functions: Manual and Automated
       1. Manual Methods
       2. Automated Methods
    3. Hardware Assets
    4. Software Assets
    5. Personnel Assets
    6. Data and Information Assets
       1. Organization
       2. Customer
       3. Intellectual Property
       4. Data Warehousing and Data Mining
    7. Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
       1. User Domain
       2. Workstation Domain
       3. LAN Domain
       4. LAN-to-WAN Domain
       5. WAN Domain
       6. Remote Access Domain
       7. System/Application Domain
    8. Identifying Facilities and Supplies Needed to Maintain Business Operations
       1. Mission-Critical Systems and Applications Identification
       2. Business Impact Analysis Planning
       3. Business Continuity Planning
       4. Disaster Recovery Planning
       5. Business Liability Insurance Planning
       6. Asset Replacement Insurance Planning
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 7 ASSESSMENT
17. CHAPTER 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
    1. Threat Assessments
       1. Techniques for Identifying Threats
       2. Best Practices for Threat Assessments Within the Seven Domains of a Typical IT Infrastructure
    2. Vulnerability Assessments
       1. Review of Documentation
       2. Review of System Logs, Audit Trails, and Intrusion Detection and Prevention System Outputs
       3. Vulnerability Scans and Other Assessment Tools
       4. Audits and Personnel Interviews
       5. Process Analysis and Output Analysis
       6. System Testing
       7. Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure
    3. Exploit Assessments
       1. Identifying Exploits
       2. Mitigating Exploits with a Gap Analysis and Remediation Plan
       3. Implementing Configuration or Change Management
       4. Verifying and Validating the Exploit Has Been Mitigated
       5. Best Practices for Performing Exploit Assessments Within an IT Infrastructure
    4. CHAPTER SUMMARY
    5. KEY CONCEPTS AND TERMS
    6. CHAPTER 8 ASSESSMENT
18. CHAPTER 9 Identifying and Analyzing Risk Mitigation Security Controls
    1. In-Place Controls
    2. Planned Controls
       1. Control Categories
       2. NIST Control Families
    3. Procedural Control Examples
       1. Policies and Procedures
       2. Security Plans
       3. Insurance and Bonding
       4. Background and Financial Checks
       5. Data Loss Prevention Program
       6. Education, Training, and Awareness
       7. Rules of Behavior
       8. Software Testing
    4. Technical Control Examples
       1. Logon Identifier
       2. Session Time-Out
       3. System Logs and Audit Trails
       4. Data Range and Reasonableness Checks
       5. Firewalls and Routers
       6. Encryption
       7. Public Key Infrastructure
    5. Physical Control Examples
       1. Locked Doors, Guards, Access Logs, and Closed-Circuit Television
       2. Fire Detection and Suppression
       3. Water Detection
       4. Temperature and Humidity Detection
       5. Electrical Grounding and Circuit Breakers
    6. Best Practices for Risk Mitigation Security Controls
    7. CHAPTER SUMMARY
    8. KEY CONCEPTS AND TERMS
    9. CHAPTER 9 ASSESSMENT
19. CHAPTER 10 Planning Risk Mitigation Throughout an Organization
    1. Where Should an Organization Start with Risk Mitigation?
    2. What Is the Scope of Risk Management for an Organization?
       1. Critical Business Operations
       2. Customer Service Delivery
       3. Mission-Critical Business Systems, Applications, and Data Access
       4. Seven Domains of a Typical IT Infrastructure
       5. Information Systems Security Gap
    3. Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
       1. Legal Requirements, Compliance Laws, Regulations, and Mandates
       2. Assessing the Impact of Legal and Compliance Issues on an Organization’s Business Operations
    4. Translating Legal and Compliance Implications for an Organization
    5. Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
    6. Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
    7. Understanding the Operational Implications of Legal and Compliance Requirements
    8. Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
    9. Performing a Cost-Benefit Analysis
    10. Best Practices for Planning Risk Mitigation Throughout an Organization
    11. CHAPTER SUMMARY
    12. KEY CONCEPTS AND TERMS
    13. CHAPTER 10 ASSESSMENT
20. CHAPTER 11 Turning a Risk Assessment into a Risk Mitigation Plan
    1. Reviewing the Risk Assessment for the IT Infrastructure
       1. Overlapping Countermeasures
       2. Risk Assessments: Understanding Threats and Vulnerabilities
       3. Identifying Countermeasures
    2. Translating a Risk Assessment into a Risk Mitigation Plan
       1. Cost to Implement
       2. Time to Implement
       3. Operational Impact
    3. Prioritizing Risk Elements That Require Risk Mitigation
       1. Using a Threat Likelihood/Impact Matrix
       2. Prioritizing Countermeasures
    4. Verifying Risk Elements and How They Can Be Mitigated
    5. Performing a Cost-Benefit Analysis on the Identified Risk Elements
       1. Calculating the CBA
       2. A CBA Report
    6. Implementing a Risk Mitigation Plan
       1. Staying Within Budget
       2. Staying on Schedule
    7. Following Up on the Risk Mitigation Plan
       1. Ensuring Countermeasures Have Been Implemented
       2. Ensuring Security Gaps Have Been Closed
    8. Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment
    9. CHAPTER SUMMARY
    10. KEY CONCEPTS AND TERMS
    11. CHAPTER 11 ASSESSMENT
21. CHAPTER 12 Mitigating Risk with a Business Impact Analysis
    1. What Is a Business Impact Analysis?
       1. Collecting Data
       2. Varying Data Collection Methods
    2. Defining the Scope of the Business Impact Analysis
    3. Objectives of a Business Impact Analysis
       1. Identifying Critical Business Functions
       2. Identifying Critical Resources
       3. Identifying the MAO and Impact
       4. Identifying Recovery Requirements
    4. Steps of a Business Impact Analysis Process
       1. Identifying the Environment
       2. Identifying Stakeholders
       3. Identifying Critical Business Functions
       4. Identifying Critical Resources
       5. Identifying the MAO
       6. Identifying Recovery Priorities
       7. Developing the BIA Report
    5. Identifying Mission-Critical Business Functions and Processes
    6. Mapping Business Functions and Processes to IT Systems
    7. Best Practices for Performing a BIA for an Organization
    8. CHAPTER SUMMARY
    9. KEY CONCEPTS AND TERMS
    10. CHAPTER 12 ASSESSMENT
22. CHAPTER 13 Mitigating Risk with a Business Continuity Plan
    1. What Is a Business Continuity Plan?
    2. Elements of a BCP
       1. Purpose
       2. Scope
       3. Assumptions and Planning Principles
       4. System Description and Architecture
       5. Responsibilities
       6. Notification and Activation Phase
       7. Recovery Phase
       8. Reconstitution Phase (Return to Normal Operations)
       9. Plan Training, Testing, and Exercises
       10. Plan Maintenance
    3. How Does a BCP Mitigate an Organization’s Risk?
    4. Best Practices for Implementing a BCP for an Organization
    5. CHAPTER SUMMARY
    6. KEY CONCEPTS AND TERMS
    7. CHAPTER 13 ASSESSMENT
23. CHAPTER 14 Mitigating Risk with a Disaster Recovery Plan
    1. What Is a Disaster Recovery Plan?
       1. Need for a DRP
       2. Purpose of a DRP
    2. Critical Success Factors
       1. What Management Must Provide
       2. What DRP Developers Need
       3. Primary Concerns
       4. Disaster Recovery Financial Budget
    3. Elements of a DRP
       1. Purpose
       2. Scope
       3. Disaster/Emergency Declaration
       4. Communications
       5. Emergency Response
       6. Activities
       7. Recovery Procedures
       8. Critical Operations, Customer Service, and Operations Recovery
       9. Restoration and Normalization
       10. Testing
       11. Maintenance and DRP Update
    4. How Does a DRP Mitigate an Organization’s Risk?
    5. Best Practices for Implementing a DRP for an Organization
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 14 ASSESSMENT
24. CHAPTER 15 Mitigating Risk with a Computer Incident Response Team Plan
    1. What Is a Computer Incident Response Team Plan?
    2. Purpose of a CIRT Plan
    3. Elements of a CIRT Plan
       1. CIRT Members
       2. CIRT Policies
       3. Incident Handling Process
       4. Communication Escalation Procedures
       5. Incident Handling Procedures
    4. How Does a CIRT Plan Mitigate an Organization’s Risk?
    5. Best Practices for Implementing a CIRT Plan for an Organization
    6. CHAPTER SUMMARY
    7. KEY CONCEPTS AND TERMS
    8. CHAPTER 15 ASSESSMENT
25. APPENDIX A Answer Key
26. APPENDIX B Standard Acronyms
27. Glossary of Key Terms
28. References
29. Index