Book description
The third edition has expanded coverage of essential topics such as threat analysis, data gathering, risk analysis, and risk assessment methods, and adds coverage of new topics essential for current assessment projects (e.g., cloud security, supply chain management, and security risk assessment methods).
Table of contents
- Cover
- Half Title
- Title Page
- Copyright Page
- Dedication
- Contents
- List of Tables
- List of Figures
- Author
- 1 Introduction
- 2 Information Security Risk Assessment Basics
- 3 Project Definition
- 3.1 Ensuring Project Success
- 3.1.1 Success Definition
- 3.1.2 Setting the Budget
- 3.1.3 Determining the Objective
- 3.1.4 Limiting the Scope
- 3.1.5 Identifying System Boundaries
- 3.1.6 Specifying the Rigor
- 3.1.7 Sample Scope Statements
- 3.2 Project Description
- Exercises
- Bibliography
- 4 Security Risk Assessment Preparation
- 4.1 Introduce the Team
- 4.2 Review Business Mission
- 4.3 Identify Critical Systems
- 4.4 Identify Asset Classes
- 4.4.1 Checklists and Judgment
- 4.4.2 Asset Sensitivity/Criticality Classification
- 4.4.3 Asset Valuation
- 4.5 Identifying Threats
- 4.6 Determine Expected Controls
- Exercises
- Note
- Bibliography
- 5 Data Gathering
- 5.1 Security Control Representation
- 5.2 Evidence Depth
- 5.3 The RIIOT Method of Data Gathering
- Exercises
- Bibliography
- 6 Administrative Data Gathering
- 6.1 Administrative Threats and Safeguards
- 6.2 The RIIOT Method: Administrative Data Gathering
- 6.2.1 Determining Appropriate RIIOT Approaches for Administrative Controls
- 6.2.2 Review Documents Regarding Administrative Controls
- 6.2.2.1 Documents to Review
- 6.2.2.2 Review Documents for Clarity, Consistency, and Completeness
- 6.2.2.3 Review Documents for Expected Elements
- 6.2.2.3.1 Reviewing Information Security Policies
- 6.2.2.3.1.1 Senior Management Statement
- 6.2.2.3.1.2 Acceptable-Use Policy
- 6.2.2.3.1.3 Access Control Policy
- 6.2.2.3.1.4 Authentication and Account Management Policy
- 6.2.2.3.1.5 Backup and Restoration Policy
- 6.2.2.3.1.6 Cryptographic Control Policy
- 6.2.2.3.1.7 Data Classification, Handling and Retention Policy
- 6.2.2.3.1.8 Media Protection Policy
- 6.2.2.3.1.9 Mobile Device Policy
- 6.2.2.3.1.10 Physical Security/Environmental Controls Policy
- 6.2.2.3.1.11 Privacy Program Policy
- 6.2.2.3.1.12 Privacy—Web Privacy Notice
- 6.2.2.3.1.13 Systems and Communications Security Policy
- 6.2.2.4 Reviewing Information Security Plans, Processes, and Procedures
- 6.2.2.4.1.1 Business Contingency Plan
- 6.2.2.4.1.2 Change Control Procedures
- 6.2.2.4.1.3 Disaster Recovery Plan
- 6.2.2.4.1.4 Incident Response Plan
- 6.2.2.4.1.5 Information Security Program Procedures
- 6.2.2.4.1.6 Other Operational Procedures
- 6.2.2.4.1.7 Security Awareness and Training Program
- 6.2.2.4.1.8 Software Development Life Cycle Process
- 6.2.2.4.1.9 Termination Procedures
- 6.2.2.4.1.10 Vendor Security Risk Management Program
- 6.2.2.5 Security Work Product Review
- 6.2.3 Interview Personnel Regarding Administrative Controls
- 6.2.4 Inspect Administrative Security Controls
- 6.2.5 Observe Administrative Behavior
- 6.2.6 Test Administrative Security Controls
- Exercises
- Bibliography
- 7 Technical Data Gathering
- 7.1 Technical Threats and Safeguards
- 7.2 The RIIOT Method: Technical Data Gathering
- 7.2.1 Determining Appropriate RIIOT Approaches for Technical Controls
- 7.2.2 Review Documents Regarding Technical Controls
- 7.2.2.1 Technical Documents to Request
- 7.2.2.2 Review Technical Documents for Information
- 7.2.2.3 Review Documents for Clarity, Consistency, and Completeness
- 7.2.2.4 Review Documents for Expected Elements
- 7.2.2.5 Reviewing System Information Documents
- 7.2.2.6 Reviewing Previous Security Assessment Documents
- 7.2.2.7 Reviewing Technical Manuals
- 7.2.2.8 Review Technical Security Designs
- 7.2.2.9 Basic Security Design Principles
- 7.2.3 Interview Personnel Regarding Technical Controls
- 7.2.4 Inspect Technical Security Controls
- 7.2.4.1 List Technical Security Controls
- 7.2.4.2 Verify Information Gathered
- 7.2.4.2.1 Audit Logs
- 7.2.4.2.2 Identity Management System
- 7.2.4.2.3 Data Backup Technologies
- 7.2.4.2.4 Vulnerability Scanning Tools
- 7.2.4.2.5 Penetration Testing Tools
- 7.2.4.2.6 Patch Management System
- 7.2.4.2.7 Web and E-mail Filtering Tools
- 7.2.4.2.8 Configuration Management
- 7.2.4.2.9 Firewalls
- 7.2.4.2.10 Intrusion Detection Systems
- 7.2.4.2.11 System Hardening Guidance
- 7.2.4.2.12 Operating Systems and Applications
- 7.2.4.3 Determine Vulnerabilities
- 7.2.4.4 Document and Review Findings
- 7.2.5 Observe Technical Personnel Behavior
- 7.2.6 Test Technical Security Controls
- Exercises
- Notes
- Bibliography
- 8 Physical Data Gathering
- 8.1 Physical Threats and Safeguards
- 8.1.1 Utilities and Interior Climate
- 8.1.2 Fire
- 8.1.3 Flood and Water Damage
- 8.1.4 Other Natural Disasters
- 8.1.5 Workforce
- 8.1.6 Perimeter Protections
- 8.2 The RIIOT Method: Physical Data Gathering
- 8.2.1 Determining Appropriate RIIOT Approaches for Physical Controls
- 8.2.2 Review Documents Regarding Physical Controls
- 8.2.2.1 Physical Documents to Request
- 8.2.2.2 Review Physical Documents for Information
- 8.2.2.3 Review Documents for Currency and Capability
- 8.2.2.4 Review Documents for Expected Elements
- 8.2.2.5 Reviewing Physical Safeguard Information Documents
- 8.2.2.6 Reviewing Previous Physical Assessment Documents
- 8.2.2.7 Reviewing Building and Site Architecture Documents
- 8.2.2.8 Reviewing Procedures and Procedure Work Products
- 8.2.3 Interview Physical Personnel
- 8.2.4 Inspect Physical Security Controls
- 8.2.5 Observe Physical Personnel Behavior
- 8.2.6 Test Physical Security Safeguards
- Exercises
- Notes
- Bibliography
- 9 Security Risk Analysis
- 9.1 Obtaining Measurement Data for Security Risk Analysis
- 9.2 Qualitative Security Risk Analysis Techniques
- 9.3 Quantitative Security Risk Analysis Techniques
- 9.4 Summarizing Security Risk Analysis
- Exercises
- Notes
- Bibliography
- 10 Security Risk Analysis Worked Examples
- 10.1 RIIOT FRAME
- 10.1.1 RIIOT FRAME—Qualitative
- 10.1.2 RIIOT FRAME—Quantitative
- 10.1.3 Qualitative and Quantitative Comparison
- Exercises
- Notes
- 11 Security Risk Mitigation
- 12 Security Risk Assessment Reporting
- 13 Security Risk Assessment Project Management
- 13.1 Project Planning
- 13.2 Project Tracking
- 13.3 Taking Corrective Measures
- 13.4 Project Status Reporting
- 13.5 Project Conclusion and Wrap-Up
- Exercises
- Notes
- Bibliography
- 14 Security Risk Assessment Approaches
- 14.1 Security Risk Assessment Methods
- 14.1.1
- 14.1.2 OCTAVE
- 14.1.3 Information Security Assessment Methodology 2 (IRAM2)
- 14.1.4 Factor Analysis of Information Risk (FAIR): Basic Risk Assessment Guide (BRAG)
- 14.1.5 Factor Analysis of Information Risk (FAIR): Quantitative
- 14.1.6 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Qualitative
- 14.1.7 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Quantitative
- 14.2 Security Risk Assessment Frameworks
- Exercises
- Bibliography
- Index
Product information
- Title: The Security Risk Assessment Handbook, 3rd Edition
- Author(s):
- Release date: September 2021
- Publisher(s): CRC Press
- ISBN: 9781000413250