Security Risk Management

Security Risk Management

by Evan Wheeler
Released April 2011
Publisher(s): Syngress
ISBN: 9781597496162

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks.

This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program.

This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs.

  • Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
  • Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
  • Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
  • Presents a roadmap for designing and implementing a security risk management program

Table of contents

  1. Cover Image
  2. Content
  3. Title
  4. Front Matter
  5. Copyright
  6. Preface
  7. Acknowledgments
  8. About the Author
  9. About the Technical Editor
  10. PART I. Introduction to Risk Management
    1. Chapter 1. The Security Evolution
      1. Information in this Chapter
      2. Introduction
      3. How We Got Here
      4. A Risk-Focused Future
      5. Information Security Fundamentals
      6. The Death of Information Security
      7. Summary
    2. Chapter 2. Risky Business
      1. Information in this Chapter
      2. Introduction
      3. Applying Risk Management to Information Security
      4. Business-Driven Security Program
      5. Security as an Investment
      6. Qualitative versus Quantitative
      7. Summary
    3. Chapter 3. The Risk Management Lifecycle
      1. Information in this Chapter
      2. Introduction
      3. Stages of the Risk Management Lifecycle
      4. Business Impact Assessment
      5. A Vulnerability Assessment Is Not a Risk Assessment
      6. Making Risk Decisions
      7. Mitigation Planning and Long-Term Strategy
      8. Process Ownership
      9. Summary
  11. PART II. Risk Assessment and Analysis Techniques
    1. Chapter 4. Risk Profiling
      1. Information in this Chapter
      2. Introduction
      3. How Risk Sensitivity Is Measured
      4. Asking the Right Questions
      5. Assessing Risk Appetite
      6. Summary
    2. Chapter 5. Formulating a Risk
      1. Information in this Chapter
      2. Introduction
      3. Breaking Down a Risk
      4. Who or What Is the Threat?
      5. Summary
    3. Chapter 6. Risk Exposure Factors
      1. Information in this Chapter
      2. Introduction
      3. Qualitative Risk Measures
      4. Risk Assessment
      5. Summary
    4. Chapter 7. Security Controls and Services
      1. Information in this Chapter
      2. Introduction
      3. Fundamental Security Services
      4. Recommended Controls
      5. Summary
    5. Chapter 8. Risk Evaluation and Mitigation Strategies
      1. Information in this Chapter
      2. Introduction
      3. Risk Evaluation
      4. Risk Mitigation Planning
      5. Policy Exceptions and Risk Acceptance
      6. Summary
    6. Chapter 9. Reports and Consulting
      1. Information in this Chapter
      2. Introduction
      3. Risk Management Artifacts
      4. A Consultant’s Perspective
      5. Writing Audit Responses
      6. Summary
    7. Chapter 10. Risk Assessment Techniques
      1. Information in this Chapter
      2. Introduction
      3. Operational Assessments
      4. Project-Based Assessments
      5. Third-Party Assessments
      6. Summary
  12. PART III. Building and Running a Risk Management Program
    1. Chapter 11. Threat and Vulnerability Management
      1. Information in this Chapter
      2. Introduction
      3. Building Blocks
      4. Threat Identification
      5. Advisories and Testing
      6. An Efficient Workflow
      7. The FAIR Approach
      8. Summary
    2. Chapter 12. Security Risk Reviews
      1. Information in this Chapter
      2. Introduction
      3. Assessing the State of Compliance
      4. Implementing a Process
      5. Process Optimization: A Review of Key Points
      6. The NIST Approach
      7. Summary
    3. Chapter 13. A Blueprint for Security
      1. Information in this Chapter
      2. Introduction
      3. Risk in the Development Lifecycle
      4. Security Architecture
      5. Patterns and Baselines
      6. Architectural Risk Analysis
      7. Summary
    4. Chapter 14. Building a Program from Scratch
      1. Information in this Chapter
      2. Introduction
      3. Designing a Risk Program
      4. Prerequisites for a Risk Management Program
      5. Risk at the Enterprise Level
      6. Linking the Program Components
      7. Program Roadmap
      8. Summary
  13. APPENDIX A. Sample Security Risk Profile
    1. A. General Information
    2. B. Information Sensitivity
    3. C. Regulatory Requirements
    4. D. Business Requirements
    5. E. Definitions
  14. APPENDIX B. Qualitative Risk Scale Reference Tables
  15. APPENDIX C. Architectural Risk Analysis Reference Tables
    1. Baseline Security Levels and Sample Controls
    2. Security Enhancement Levels and Sample Controls
    3. Mapping Security Levels
  16. Index

Product information

  • Title: Security Risk Management
  • Author(s): Evan Wheeler
  • Release date: April 2011
  • Publisher(s): Syngress
  • ISBN: 9781597496162