The Security Risk Assessment Handbook, 3rd Edition

Book description

The third edition has expanded coverage of essential topics such as threat analysis, data gathering, risk analysis, and risk assessment methods, and adds coverage of new topics essential for current assessment projects (e.g., cloud security, supply chain management, security risk assessment methods).

Table of contents

  1. Cover
  2. Half Title
  3. Title Page
  4. Copyright Page
  5. Dedication
  6. Contents
  7. List of Tables
  8. List of Figures
  9. Author
  10. 1 Introduction
    1. 1.1 The Role of the Chief Information Security Officer
      1. 1.1.1 Audit as a Driver for Security Initiatives
      2. 1.1.2 Technology as a Driver for Security Initiatives
      3. 1.1.3 Compliance as a Driver for Security Initiatives
      4. 1.1.4 Security Risk as a Driver for Security Initiatives
    2. 1.2 Ensuring a Quality Information Security Risk Assessment
    3. 1.3 Security Risk Assessment
      1. 1.3.1 The Role of the Security Risk Assessment
      2. 1.3.2 Definition of a Security Risk Assessment
      3. 1.3.3 The Need for a Security Risk Assessment
        1. 1.3.3.1 Checks and Balances
        2. 1.3.3.2 Periodic Review
        3. 1.3.3.3 Risk-Based Spending
        4. 1.3.3.4 Requirement
      4. 1.3.4 Security Risk Assessment Secondary Benefits
    4. 1.4 Related Activities
      1. 1.4.1 Gap Assessment
      2. 1.4.2 Compliance Audit
      3. 1.4.3 Security Audit
      4. 1.4.4 Vulnerability Scanning
      5. 1.4.5 Penetration Testing
      6. 1.4.6 Ad Hoc Testing
      7. 1.4.7 Social Engineering
      8. 1.4.8 War Dialing
    5. 1.5 The Need for This Book
    6. 1.6 Who Is This Book For?
    7. Exercises
    8. Note
    9. Bibliography
  11. 2 Information Security Risk Assessment Basics
    1. 2.1 Phase 1: Project Definition
    2. 2.2 Phase 2: Project Preparation
    3. 2.3 Phase 3: Data Gathering
    4. 2.4 Phase 4: Risk Analysis
      1. 2.4.1 Assets
      2. 2.4.2 Threat Agents and Threat Actions
        1. 2.4.2.1 Threat Agents
        2. 2.4.2.2 Threat Actions
      3. 2.4.3 Vulnerabilities
      4. 2.4.4 Security Risk
    5. 2.5 Phase 5: Risk Mitigation
      1. 2.5.1 Safeguards
      2. 2.5.2 Residual Security Risk
    6. 2.6 Phase 6: Risk Reporting and Resolution
      1. 2.6.1 Risk Resolution
    7. Exercises
    8. Notes
    9. Bibliography
  12. 3 Project Definition
    1. 3.1 Ensuring Project Success
      1. 3.1.1 Success Definition
        1. 3.1.1.1 Customer Satisfaction
        2. 3.1.1.2 Identifying the Customer
        3. 3.1.1.3 Quality of Work
          1. 3.1.1.3.1 Quality Aspects
        4. 3.1.1.4 Completion within Budget
      2. 3.1.2 Setting the Budget
      3. 3.1.3 Determining the Objective
      4. 3.1.4 Limiting the Scope
        1. 3.1.4.1 Under-scoping
        2. 3.1.4.2 Over-scoping
        3. 3.1.4.3 Security Controls
          1. 3.1.4.3.1 Administrative Security Controls
          2. 3.1.4.3.2 Physical Security Controls
          3. 3.1.4.3.3 Technical Security Controls
        4. 3.1.4.4 Assets
          1. 3.1.4.4.1 Tangible Assets
          2. 3.1.4.4.2 Intangible Assets
        5. 3.1.4.5 Reasonableness in Limiting the Scope
      5. 3.1.5 Identifying System Boundaries
        1. 3.1.5.1 Physical Boundary
        2. 3.1.5.2 Logical Boundaries
      6. 3.1.6 Specifying the Rigor
      7. 3.1.7 Sample Scope Statements
    2. 3.2 Project Description
      1. 3.2.1 Project Variables
      2. 3.2.2 Statement of Work (SOW)
        1. 3.2.2.1 Specifying the Service Description
        2. 3.2.2.2 Scope of Security Controls
        3. 3.2.2.3 Specifying Deliverables
        4. 3.2.2.4 Contract Type
          1. 3.2.2.4.1 Time and Materials Contract
          2. 3.2.2.4.2 Firm-Fixed-Price Contract
        5. 3.2.2.5 Contract Terms
          1. 3.2.2.5.1 Determining Needs
          2. 3.2.2.5.2 Determining Next-Best Alternative
          3. 3.2.2.5.3 Negotiating Project Membership
    3. Exercises
    4. Bibliography
  13. 4 Security Risk Assessment Preparation
    1. 4.1 Introduce the Team
      1. 4.1.1 Introductory Letter
      2. 4.1.2 Project Kickoff Call
      3. 4.1.3 Pre-Assessment Briefing
      4. 4.1.4 Obtain Proper Permission
        1. 4.1.4.1 Policies Required
        2. 4.1.4.2 Permission Required
        3. 4.1.4.3 Scope of Permission
        4. 4.1.4.4 Accounts Required
    2. 4.2 Review Business Mission
      1. 4.2.1 What Is a Business Mission?
      2. 4.2.2 Obtaining Business Mission Information
    3. 4.3 Identify Critical Systems
      1. 4.3.1 Determining Criticality
        1. 4.3.1.1 Determine Protection Requirements
        2. 4.3.1.2 Determine Mission Criticality
        3. 4.3.1.3 Define Critical Systems
    4. 4.4 Identify Asset Classes
      1. 4.4.1 Checklists and Judgment
      2. 4.4.2 Asset Sensitivity/Criticality Classification
        1. 4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere
        2. 4.4.2.2 Approach 2: Create Asset Classification Information
        3. 4.4.2.3 Approach 3: Determine Asset Criticality
      3. 4.4.3 Asset Valuation
        1. 4.4.3.1 Approach 1: Binary Asset Valuation
        2. 4.4.3.2 Approach 2: Classification-Based Asset Valuation
        3. 4.4.3.3 Approach 3: Rank-Based Asset Valuation
        4. 4.4.3.4 Approach 4: Consensus Asset Valuation
        5. 4.4.3.5 Approaches 5–7: Accounting Valuation Approaches
          1. 4.4.3.5.1 Approach 5: Cost Valuation
          2. 4.4.3.5.2 Approach 6: Market Valuation
          3. 4.4.3.5.3 Approach 7: Income Valuation
    5. 4.5 Identifying Threats
      1. 4.5.1 Threat Components
        1. 4.5.1.1 Threat Agent
        2. 4.5.1.2 Threat Action
        3. 4.5.1.3 Threat Agent and Threat Action Pairing
      2. 4.5.2 Threat Statements
      3. 4.5.3 Validating Threat Statements
        1. 4.5.3.1 Factors Affecting Threat Statement Validity
    6. 4.6 Determine Expected Controls
    7. Exercises
    8. Note
    9. Bibliography
  14. 5 Data Gathering
    1. 5.1 Security Control Representation
      1. 5.1.1 Data Gathering on the Population
      2. 5.1.2 Data Gathering on a Sample
        1. 5.1.2.1 Determining Sample Size
        2. 5.1.2.2 Sampling Objectives
        3. 5.1.2.3 Sampling Types
      3. 5.1.3 Use of Sampling in Security Testing
        1. 5.1.3.1 Approach 1: Representative Testing
        2. 5.1.3.2 Approach 2: Selected Sampling
        3. 5.1.3.3 Approach 3: Random Sampling
    2. 5.2 Evidence Depth
    3. 5.3 The RIIOT Method of Data Gathering
      1. 5.3.1 RIIOT Method Benefits
      2. 5.3.2 RIIOT Method Approaches
        1. 5.3.2.1 Review Documents or Designs
          1. 5.3.2.1.1 The Importance of Security Documents
          2. 5.3.2.1.2 Documents to Request
          3. 5.3.2.1.3 Policy Review within Regulated Industries
          4. 5.3.2.1.4 RIIOT Document Review Technique
        2. 5.3.2.2 Interview Key Personnel
          1. 5.3.2.2.1 Selecting the Interviewer
          2. 5.3.2.2.2 Interview Requests
          3. 5.3.2.2.3 Preparing for the Interview
          4. 5.3.2.2.4 Conducting the Interview
          5. 5.3.2.2.5 Documenting the Interview
          6. 5.3.2.2.6 Flexibility in the Process
          7. 5.3.2.2.7 Questionnaire Preparation
        3. 5.3.2.3 Inspect Security Controls
        4. 5.3.2.4 Observe Personnel Behavior
          1. 5.3.2.4.1 Observation Guidance
        5. 5.3.2.5 Test Security Controls
          1. 5.3.2.5.1 Security Testing Documentation
          2. 5.3.2.5.2 Coverage of Testing
          3. 5.3.2.5.3 Types of Security Testing
            1. 5.3.2.5.3.1 Information Accuracy Testing
            2. 5.3.2.5.3.2 Vulnerability Testing
            3. 5.3.2.5.3.3 Penetration Testing
      3. 5.3.3 Using the RIIOT Method
        1. 5.3.3.1 Determining Appropriate RIIOT Approaches
        2. 5.3.3.2 Assigning RIIOT Activities
        3. 5.3.3.3 RIIOT Applied to Administrative, Physical, and Technical Controls
    4. Exercises
    5. Bibliography
  15. 6 Administrative Data Gathering
    1. 6.1 Administrative Threats and Safeguards
      1. 6.1.1 Human Resources
        1. 6.1.1.1 Human Resource Threats
        2. 6.1.1.2 Human Resource Safeguards
          1. 6.1.1.2.1 Recruitment
          2. 6.1.1.2.2 Employment
          3. 6.1.1.2.3 Termination
      2. 6.1.2 Organizational Structure
        1. 6.1.2.1 Organizational Structure Threats
        2. 6.1.2.2 Organizational Structure Safeguards
          1. 6.1.2.2.1 Senior Management
          2. 6.1.2.2.2 Security Program
          3. 6.1.2.2.3 Security Operations
          4. 6.1.2.2.4 Audit
      3. 6.1.3 Information Control
        1. 6.1.3.1 Information Control Threats
        2. 6.1.3.2 Information Control Safeguards
          1. 6.1.3.2.1 Sensitive Information
          2. 6.1.3.2.2 User Accounts
          3. 6.1.3.2.3 User Error
          4. 6.1.3.2.4 Asset Control
      4. 6.1.4 Business Continuity
        1. 6.1.4.1 Business Continuity Threats
        2. 6.1.4.2 Business Continuity Safeguards
          1. 6.1.4.2.1 Contingency Planning
          2. 6.1.4.2.2 Incident Response Program
      5. 6.1.5 System Security
        1. 6.1.5.1 System Security Threats
        2. 6.1.5.2 Organizational Structure Safeguards
          1. 6.1.5.2.1 System Controls
          2. 6.1.5.2.2 Application Security
          3. 6.1.5.2.3 Configuration Management
          4. 6.1.5.2.4 Third-Party Access
    2. 6.2 The RIIOT Method: Administrative Data Gathering
      1. 6.2.1 Determining Appropriate RIIOT Approaches for Administrative Controls
      2. 6.2.2 Review Documents Regarding Administrative Controls
        1. 6.2.2.1 Documents to Review
        2. 6.2.2.2 Review Documents for Clarity, Consistency, and Completeness
        3. 6.2.2.3 Review Documents for Expected Elements
          1. 6.2.2.3.1 Reviewing Information Security Policies
            1. 6.2.2.3.1.1 Senior Management Statement
            2. 6.2.2.3.1.2 Acceptable-Use Policy
            3. 6.2.2.3.1.3 Access Control Policy
            4. 6.2.2.3.1.4 Authentication and Account Management Policy
            5. 6.2.2.3.1.5 Backup and Restoration Policy
            6. 6.2.2.3.1.6 Cryptographic Control Policy
            7. 6.2.2.3.1.7 Data Classification, Handling and Retention Policy
            8. 6.2.2.3.1.8 Media Protection Policy
            9. 6.2.2.3.1.9 Mobile Device Policy
            10. 6.2.2.3.1.10 Physical Security/Environmental Controls Policy
            11. 6.2.2.3.1.11 Privacy Program Policy
            12. 6.2.2.3.1.12 Privacy—Web Privacy Notice
            13. 6.2.2.3.1.13 Systems and Communications Security Policy
        4. 6.2.2.4 Reviewing Information Security Plans, Processes, and Procedures
          1. 6.2.2.4.1.1 Business Contingency Plan
          2. 6.2.2.4.1.2 Change Control Procedures
          3. 6.2.2.4.1.3 Disaster Recovery Plan
          4. 6.2.2.4.1.4 Incident Response Plan
          5. 6.2.2.4.1.5 Information Security Program Procedures
          6. 6.2.2.4.1.6 Other Operational Procedures
          7. 6.2.2.4.1.7 Security Awareness and Training Program
          8. 6.2.2.4.1.8 Software Development Life Cycle Process
          9. 6.2.2.4.1.9 Termination Procedures
          10. 6.2.2.4.1.10 Vendor Security Risk Management Program
        5. 6.2.2.5 Security Work Product Review
      3. 6.2.3 Interview Personnel Regarding Administrative Controls
        1. 6.2.3.1 Administrative Interview Planning
        2. 6.2.3.2 Administrative Interview Topics
        3. 6.2.3.3 Administrative Interview Subjects
        4. 6.2.3.4 Administrative Interview Questions
          1. 6.2.3.4.1 Incident Response Interview Questions
          2. 6.2.3.4.2 Security Operations Interview Questions
          3. 6.2.3.4.3 Security Program Interview Questions
      4. 6.2.4 Inspect Administrative Security Controls
        1. 6.2.4.1 Inspection—Listing Administrative Security Controls
        2. 6.2.4.2 Inspection—Verify Information Gathered
        3. 6.2.4.3 Inspection—Determine Vulnerabilities
        4. 6.2.4.4 Inspection—Document and Review Findings
        5. 6.2.4.5 Inspection—The Security Organization
          1. 6.2.4.5.1 Organizational Structure
          2. 6.2.4.5.2 Budget and Resources
          3. 6.2.4.5.3 Roles and Responsibilities
      5. 6.2.5 Observe Administrative Behavior
      6. 6.2.6 Test Administrative Security Controls
        1. 6.2.6.1 Information Labeling Testing
        2. 6.2.6.2 Media Destruction Testing
          1. 6.2.6.2.1 Approach 1: TRASHINT
          2. 6.2.6.2.2 Approach 2: Sanitization Test
        3. 6.2.6.3 Account and Access Control Procedures Testing
          1. 6.2.6.3.1 Approach 1: Process Test
          2. 6.2.6.3.2 Approach 2: Process Audit—Sample
          3. 6.2.6.3.3 Approach 3: Process Audit—Complete
        4. 6.2.6.4 Outsourcing and Information Exchange
          1. 6.2.6.4.1 Outsourcing Review
            1. 6.2.6.4.1.1 Approach 1: Review Contracts
            2. 6.2.6.4.1.2 Approach 2: Review Available Assessments
            3. 6.2.6.4.1.3 Approach 3: Review Questionnaire Responses
    3. Exercises
    4. Bibliography
  16. 7 Technical Data Gathering
    1. 7.1 Technical Threats and Safeguards
      1. 7.1.1 Information Control
        1. 7.1.1.1 Information Control Threats
        2. 7.1.1.2 Information Control Safeguards
          1. 7.1.1.2.1 User Error
          2. 7.1.1.2.2 Sensitive and Critical Information
          3. 7.1.1.2.3 User Accounts
      2. 7.1.2 Business Continuity
        1. 7.1.2.1 Business Continuity Threats
        2. 7.1.2.2 Business Continuity Safeguards
          1. 7.1.2.2.1 Contingency Planning
          2. 7.1.2.2.2 Incident Response Program
      3. 7.1.3 System Security
        1. 7.1.3.1 System Security Threats
        2. 7.1.3.2 System Security Safeguards
          1. 7.1.3.2.1 System Controls
          2. 7.1.3.2.2 Application Security
          3. 7.1.3.2.3 Change Management
      4. 7.1.4 Secure Architecture
        1. 7.1.4.1 Secure Architecture Threats
        2. 7.1.4.2 Secure Architecture Safeguards
          1. 7.1.4.2.1 Topology
          2. 7.1.4.2.2 Transmission
          3. 7.1.4.2.3 Perimeter Network
      5. 7.1.5 Security Components
        1. 7.1.5.1 Security Component Threats
        2. 7.1.5.2 Security Component Safeguards
          1. 7.1.5.2.1 Access Control
          2. 7.1.5.2.2 Continuous Monitoring
      6. 7.1.6 Secure Configuration
        1. 7.1.6.1 Secure Configuration Threats
        2. 7.1.6.2 Secure Configuration Safeguards
          1. 7.1.6.2.1 System Settings
      7. 7.1.7 Data Security
        1. 7.1.7.1 Data Security Threats
        2. 7.1.7.2 Data Security Safeguards
          1. 7.1.7.2.1 Storage
          2. 7.1.7.2.2 Transit
    2. 7.2 The RIIOT Method: Technical Data Gathering
      1. 7.2.1 Determining Appropriate RIIOT Approaches for Technical Controls
      2. 7.2.2 Review Documents Regarding Technical Controls
        1. 7.2.2.1 Technical Documents to Request
        2. 7.2.2.2 Review Technical Documents for Information
        3. 7.2.2.3 Review Documents for Clarity, Consistency, and Completeness
        4. 7.2.2.4 Review Documents for Expected Elements
        5. 7.2.2.5 Reviewing System Information Documents
          1. 7.2.2.5.1 Network Diagram
        6. 7.2.2.6 Reviewing Previous Security Assessment Documents
          1. 7.2.2.6.1 Vulnerability Scan Report
          2. 7.2.2.6.2 Penetration Test Report
          3. 7.2.2.6.3 Security Risk Assessment Report
          4. 7.2.2.6.4 Information Technology/Security Audit Report
        7. 7.2.2.7 Reviewing Technical Manuals
        8. 7.2.2.8 Review Technical Security Designs
          1. 7.2.2.8.1 Determine Security Requirements
        9. 7.2.2.9 Basic Security Design Principles
          1. 7.2.2.9.1 Common Areas for Investigation
      3. 7.2.3 Interview Personnel Regarding Technical Controls
        1. 7.2.3.1 Technical Interview Topics
        2. 7.2.3.2 Technical Interview Subjects
        3. 7.2.3.3 Technical Interview Questions
          1. 7.2.3.3.1 Security Testing and Review Interview Questions
          2. 7.2.3.3.2 Security Components Interview Questions
          3. 7.2.3.3.3 Security Operations and Procedures Interview Questions
      4. 7.2.4 Inspect Technical Security Controls
        1. 7.2.4.1 List Technical Security Controls
        2. 7.2.4.2 Verify Information Gathered
          1. 7.2.4.2.1 Audit Logs
          2. 7.2.4.2.2 Identity Management System
          3. 7.2.4.2.3 Data Backup Technologies
          4. 7.2.4.2.4 Vulnerability Scanning Tools
          5. 7.2.4.2.5 Penetration Testing Tools
          6. 7.2.4.2.6 Patch Management System
          7. 7.2.4.2.7 Web and E-mail Filtering Tools
          8. 7.2.4.2.8 Configuration Management
          9. 7.2.4.2.9 Firewalls
          10. 7.2.4.2.10 Intrusion Detection Systems
          11. 7.2.4.2.11 System Hardening Guidance
          12. 7.2.4.2.12 Operating Systems and Applications
            1. 7.2.4.2.12.1 Sources of Checklists
            2. 7.2.4.2.12.2 Use of Checklists
        3. 7.2.4.3 Determine Vulnerabilities
        4. 7.2.4.4 Document and Review Findings
      5. 7.2.5 Observe Technical Personnel Behavior
      6. 7.2.6 Test Technical Security Controls
        1. 7.2.6.1 Monitoring Technology
        2. 7.2.6.2 Audit Logs
        3. 7.2.6.3 Anti-Virus Systems
        4. 7.2.6.4 Automated Password Policies
        5. 7.2.6.5 Virtual Private Network
        6. 7.2.6.6 Firewalls, IDS, and System Hardening
        7. 7.2.6.7 Vulnerability Scanning
          1. 7.2.6.7.1 Stages of Vulnerability Scanning
          2. 7.2.6.7.2 Vulnerability Scanning Tools
            1. 7.2.6.7.2.1 Network Mapping
            2. 7.2.6.7.2.2 Vulnerability Scanners
            3. 7.2.6.7.2.3 Virus and Pest Scanning
            4. 7.2.6.7.2.4 Application Scanners
        8. 7.2.6.8 Penetration Testing
        9. 7.2.6.9 Testing Specific Technology
          1. 7.2.6.9.1 Modem Access Testing
          2. 7.2.6.9.2 Wireless Network Testing
          3. 7.2.6.9.3 PBX Testing
          4. 7.2.6.9.4 VOIP Testing
    3. Exercises
    4. Notes
    5. Bibliography
  17. 8 Physical Data Gathering
    1. 8.1 Physical Threats and Safeguards
      1. 8.1.1 Utilities and Interior Climate
        1. 8.1.1.1 Utility and Interior Climate Threats
        2. 8.1.1.2 Utility and Interior Climate Safeguards
          1. 8.1.1.2.1 Power Utility
            1. 8.1.1.2.1.1 Power Safeguards
          2. 8.1.1.2.2 Cooling Interior Climate
            1. 8.1.1.2.2.1 Cooling Safeguards
          3. 8.1.1.2.3 Humidity
            1. 8.1.1.2.3.1 Humidity Safeguards
      2. 8.1.2 Fire
        1. 8.1.2.1 Fire Threats
        2. 8.1.2.2 Fire Safeguards
          1. 8.1.2.2.1 Fire Prevention
            1. 8.1.2.2.1.1 Fire Prevention Safeguards
          2. 8.1.2.2.2 Fire Detection
            1. 8.1.2.2.2.1 Fire Detection Safeguards
          3. 8.1.2.2.3 Fire Alarm
            1. 8.1.2.2.3.1 Fire Alarm Safeguards
              1. 8.1.2.2.3.1.1 Fire Alarm Installation Types
          4. 8.1.2.2.4 Fire Suppression
        3. 8.1.2.3 Fire Suppression Safeguards
          1. 8.1.2.3.1 Stationary Suppression Systems
      3. 8.1.3 Flood and Water Damage
        1. 8.1.3.1 Flood and Water Threats
        2. 8.1.3.2 Flood and Water Safeguards
          1. 8.1.3.2.1 Flood and Water Exposure
            1. 8.1.3.2.1.1 Flood and Water Exposure Safeguards
          2. 8.1.3.2.2 Flood and Water Monitoring
            1. 8.1.3.2.2.1 Flood and Water Exposure Safeguards
          3. 8.1.3.2.3 Flood and Water Response
            1. 8.1.3.2.3.1 Flood and Water Response Safeguards
      4. 8.1.4 Other Natural Disasters
        1. 8.1.4.1 Other Natural Disaster Threats
        2. 8.1.4.2 Other Natural Disaster Safeguards
          1. 8.1.4.2.1 General Natural Disasters
            1. 8.1.4.2.1.1 Natural Disasters—General Protection Safeguards
          2. 8.1.4.2.2 Lightning
            1. 8.1.4.2.2.1 Lightning Safeguards
          3. 8.1.4.2.3 Earthquake
            1. 8.1.4.2.3.1 Earthquake Safeguards
          4. 8.1.4.2.4 Volcano
            1. 8.1.4.2.4.1 Volcano Safeguards
          5. 8.1.4.2.5 Hurricane
            1. 8.1.4.2.5.1 Hurricane Safeguards
      5. 8.1.5 Workforce
        1. 8.1.5.1 Workforce Threats
        2. 8.1.5.2 Workforce Safeguards
          1. 8.1.5.2.1 Personnel Screening
          2. 8.1.5.2.2 Personnel Termination
      6. 8.1.6 Perimeter Protections
        1. 8.1.6.1 Perimeter Protection Threats
        2. 8.1.6.2 Perimeter Protection Safeguards
          1. 8.1.6.2.1 Barriers
          2. 8.1.6.2.2 Lighting
          3. 8.1.6.2.3 Physical Intrusion Detection
            1. 8.1.6.2.3.1 Exterior Sensors
            2. 8.1.6.2.3.2 Interior Sensors
            3. 8.1.6.2.3.3 Video Surveillance Systems
              1. 8.1.6.2.3.3.1 Video Surveillance System Capabilities
          4. 8.1.6.2.4 Physical Access Control
            1. 8.1.6.2.4.1 Badges
            2. 8.1.6.2.4.2 Card Readers
            3. 8.1.6.2.4.3 Biometrics
            4. 8.1.6.2.4.4 Visitor Control
            5. 8.1.6.2.4.5 Property Removal Prevention
    2. 8.2 The RIIOT Method: Physical Data Gathering
      1. 8.2.1 Determining Appropriate RIIOT Approaches for Physical Controls
      2. 8.2.2 Review Documents Regarding Physical Controls
        1. 8.2.2.1 Physical Documents to Request
        2. 8.2.2.2 Review Physical Documents for Information
        3. 8.2.2.3 Review Documents for Currency and Capability
        4. 8.2.2.4 Review Documents for Expected Elements
        5. 8.2.2.5 Reviewing Physical Safeguard Information Documents
        6. 8.2.2.6 Reviewing Previous Physical Assessment Documents
        7. 8.2.2.7 Reviewing Building and Site Architecture Documents
        8. 8.2.2.8 Reviewing Procedures and Procedure Work Products
      3. 8.2.3 Interview Physical Personnel
        1. 8.2.3.1 Physical Security Interview Topics
        2. 8.2.3.2 Physical Security Interview Subjects
        3. 8.2.3.3 Physical Security Interview Questions
          1. 8.2.3.3.1 Utilities Interview Questions
          2. 8.2.3.3.2 Physical Security Procedures Interview Questions
      4. 8.2.4 Inspect Physical Security Controls
        1. 8.2.4.1 Listing Physical Security Controls
        2. 8.2.4.2 Verify Information Gathered
          1. 8.2.4.2.1 Logs, Records, and Audit Files
          2. 8.2.4.2.2 Perimeter Security
        3. 8.2.4.3 Determine Physical Vulnerabilities
        4. 8.2.4.4 Document and Review Physical Findings
      5. 8.2.5 Observe Physical Personnel Behavior
      6. 8.2.6 Test Physical Security Safeguards
        1. 8.2.6.1 Doors and Locks
        2. 8.2.6.2 Intrusion Detection
    3. Exercises
    4. Notes
    5. Bibliography
  18. 9 Security Risk Analysis
    1. 9.1 Obtaining Measurement Data for Security Risk Analysis
    2. 9.2 Qualitative Security Risk Analysis Techniques
      1. 9.2.1 Qualitative Security Risk Analysis Advantages
      2. 9.2.2 Qualitative Security Risk Analysis Disadvantages
    3. 9.3 Quantitative Security Risk Analysis Techniques
      1. 9.3.1 Classic Quantitative Security Risk Assessment Formulas
      2. 9.3.2 Estimation
      3. 9.3.3 Probability Distributions
      4. 9.3.4 Monte Carlo Simulation
        1. 9.3.4.1 Ransomware Example—Monte Carlo Simulation
        2. 9.3.4.2 Building Monte Carlo Simulation Models
        3. 9.3.4.3 Quantitative Analysis Advantages
        4. 9.3.4.4 Quantitative Analysis Disadvantages
    4. 9.4 Summarizing Security Risk Analysis
      1. 9.4.1 Team Review of Security Risk Summary
      2. 9.4.2 Deriving Overall Security Risk
      3. 9.4.3 Prioritization of Security Risk
    5. Exercises
    6. Notes
    7. Bibliography
  19. 10 Security Risk Analysis Worked Examples
    1. 10.1 RIIOT FRAME
      1. 10.1.1 RIIOT FRAME—Qualitative
        1. 10.1.1.1 Qualitative Threat Assessment: (Phase 1)
        2. 10.1.1.2 Qualitative Vulnerability Assessment: (Phases 2A and 2B)
          1. 10.1.1.2.1 The RIIOT FRAME for Qualitative Vulnerability Review Approach
        3. 10.1.1.3 Qualitative Threat Occurrence Likelihood
        4. 10.1.1.4 Qualitative Expected Impact
          1. 10.1.1.4.1 Qualitative Impact Assessment (Phase 3)
          2. 10.1.1.4.2 Qualitative Vulnerability Assessment: Detective and Corrective Controls (Phase 2B)
        5. 10.1.1.5 Qualitative Expected Impact
        6. 10.1.1.6 Qualitative Security Risk Calculation
      2. 10.1.2 RIIOT FRAME—Quantitative
        1. 10.1.2.1 Obtaining Quantitative Data
          1. 10.1.2.1.1 Direct Threat Frequency or Impact Data
          2. 10.1.2.1.2 Indirect Threat Frequency or Impact Data
        2. 10.1.2.2 Quantitative Threat Occurrence Likelihood (Phase 1 and 2A)
        3. 10.1.2.3 Quantitative Expected Impact: Phase 3 and 2B
        4. 10.1.2.4 Quantitative Security Risk Calculation
      3. 10.1.3 Qualitative and Quantitative Comparison
    2. Exercises
    3. Notes
  20. 11 Security Risk Mitigation
    1. 11.1 Defining Security Risk Appetite
    2. 11.2 Selecting Safeguards
      1. 11.2.1 Method 1: Missing Control Leads to Safeguard Selection
      2. 11.2.2 Method 2: People, Process, Technology
      3. 11.2.3 Method 3: The “Nine-Cell”
      4. 11.2.4 Method 4: Available Technology
    3. 11.3 Safeguard Solution Sets
      1. 11.3.1 Safeguard Cost Calculations
      2. 11.3.2 Safeguard Effectiveness
        1. 11.3.2.1 Justification through Judgment
        2. 11.3.2.2 Cost–Benefit Analysis
    4. 11.4 Establishing Security Risk Parameters
    5. Exercises
    6. Notes
  21. 12 Security Risk Assessment Reporting
    1. 12.1 Cautions in Reporting
    2. 12.2 Pointers in Reporting
    3. 12.3 Report Structure
      1. 12.3.1 Executive-Level Report
      2. 12.3.2 Base Report
      3. 12.3.3 Appendices and Exhibits
    4. 12.4 Document Review Methodology: Create the Report Using a Top-Down Approach
      1. 12.4.1 Document Specification
      2. 12.4.2 Draft
      3. 12.4.3 Final
    5. 12.5 Assessment Brief
    6. 12.6 Action Plan
    7. Exercises
    8. Bibliography
  22. 13 Security Risk Assessment Project Management
    1. 13.1 Project Planning
      1. 13.1.1 Project Definition
      2. 13.1.2 Project Planning Details
        1. 13.1.2.1 Project Phases and Activities
        2. 13.1.2.2 Phases and Activities Scheduling
        3. 13.1.2.3 Allocating Hours to Activities
      3. 13.1.3 Project Resources
        1. 13.1.3.1 Objectivity vs. Independence
        2. 13.1.3.2 Internal vs. External Team Members
        3. 13.1.3.3 Skills Required
          1. 13.1.3.3.1 Specific Security Risk Assessment Skills
          2. 13.1.3.3.2 Certifications
          3. 13.1.3.3.3 General Consulting Skills
            1. 13.1.3.3.3.1 Criticisms of Consultants
            2. 13.1.3.3.3.2 Overcoming Critics
            3. 13.1.3.3.3.3 Conflict of Interest
          4. 13.1.3.3.4 General Writing Skills
    2. 13.2 Project Tracking
      1. 13.2.1 Hours Tracking
        1. 13.2.1.1 Calendar Time Tracking
      2. 13.2.2 Project Progress Tracking
    3. 13.3 Taking Corrective Measures
      1. 13.3.1 Obtaining More Resources
      2. 13.3.2 Using Management Reserve
    4. 13.4 Project Status Reporting
      1. 13.4.1 Report Detail
      2. 13.4.2 Report Frequency
      3. 13.4.3 Status Report Content
    5. 13.5 Project Conclusion and Wrap-Up
      1. 13.5.1 Eliminating “Scope Creep”
      2. 13.5.2 Eliminating Project Run-On
    6. Exercises
    7. Notes
    8. Bibliography
  23. 14 Security Risk Assessment Approaches
    1. 14.1 Security Risk Assessment Methods
      1. 14.1.1
      2. 14.1.2 OCTAVE
        1. 14.1.2.1 OCTAVE (Original)
        2. 14.1.2.2 OCTAVE-S
        3. 14.1.2.3 OCTAVE-Allegro
      3. 14.1.3 Information Security Assessment Methodology 2 (IRAM2)
      4. 14.1.4 Factor Analysis of Information Risk (FAIR): Basic Risk Assessment Guide (BRAG)
      5. 14.1.5 Factor Analysis of Information Risk (FAIR): Quantitative
      6. 14.1.6 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Qualitative
      7. 14.1.7 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Quantitative
    2. 14.2 Security Risk Assessment Frameworks
    3. Exercises
    4. Bibliography
  24. Index

Product information

  • Title: The Security Risk Assessment Handbook, 3rd Edition
  • Author(s): Douglas Landoll
  • Release date: September 2021
  • Publisher(s): CRC Press
  • ISBN: 9781000413250