Introduction
  The Need for an Information Security Program
  Elements of an Information Security Program
  Security Control Standards and Regulations
  Common Core Information Security Practices
  Unanimous Core Security Practices
  Majority Core Security Practices
  Core Security Practice Conclusions
  Security Risk Assessment
  The Role of the Security Risk Assessment
  Definition of a Security Risk Assessment
  The Need for a Security Risk Assessment
  Security Risk Assessment Secondary Benefits
  Related Activities
  Gap Assessment
  Compliance Audit
  Security Audit
  Vulnerability Scanning
  Penetration Testing
  Ad Hoc Testing
  Social Engineering
  Wardialing
  The Need for This Book
  Who Is This Book For?
  Notes
  References

Information Security Risk Assessment Basics
  Phase 1: Project Definition
  Phase 2: Project Preparation
  Phase 3: Data Gathering
  Phase 4: Risk Analysis
  Assets
  Threat Agents and Threats
  Vulnerabilities
  Security Risk
  Phase 5: Risk Mitigation
  Safeguards
  Residual Security Risk
  Phase 6: Risk Reporting and Resolution
  Risk Resolution
  Note
  References

Project Definition
  Ensuring Project Success
  Success Definition
  Setting the Budget
  Determining the Objective
  Limiting the Scope
  Identifying System Boundaries
  Specifying the Rigor
  Sample Scope Statements
  Project Description
  Project Variables
  Statement of Work
  Notes
  References

Security Risk Assessment Preparation
  Introduce the Team
  Introductory Letter
  Pre-Assessment Briefing
  Obtain Proper Permission
  Review Business Mission
  What Is a Business Mission
  Obtaining Business Mission Information
  Identify Critical Systems
  Determining Criticality
  Identify Assets
  Checklists and Judgment
  Asset Sensitivity/Criticality Classification
  Asset Valuation
  Identifying Threats
  Threat Components
  Listing Possible Threats
  Threat Statements
  Validating Threat Statements
  Determine Expected Controls
  Notes
  References

Data Gathering
  Sampling
  Sampling Objectives
  Sampling Types
  Use of Sampling in Security Testing
  The RIIOT Method of Data Gathering
  RIIOT Method Benefits
  RIIOT Method Approaches
  Using the RIIOT Method
  Notes
  References

Administrative Data Gathering
  Threats and Safeguards
  Human Resources
  Organizational Structure
  Information Control
  Business Continuity
  System Security
  The RIIOT Method: Administrative Data Gathering
  Review Administrative Documents
  Interview Administrative Personnel
  Inspect Administrative Security Controls
  Observe Administrative Behavior
  Test Administrative Security Controls
  Notes
  References

Technical Data Gathering
  Technical Threats and Safeguards
  Information Control
  Business Continuity
  System Security
  Secure Architecture
  Components
  Configuration
  Data Security
  The RIIOT Method: Technical Data Gathering
  Review Technical Documents
  Interview Technical Personnel
  Inspect Technical Security Controls
  Observe Technical Personnel Behavior
  Test Technical Security Controls
  Notes
  References

Physical Data Gathering
  Physical Threats and Safeguards
  Utilities and Interior Climate
  Fire
  Flood and Water Damage
  Lightning
  Earthquakes
  Volcanoes
  Landslides
  Hurricanes
  Tornadoes
  Natural Hazards Summary
  Human Threats to Physical Security
  The RIIOT Method: Physical Data Gathering
  Review Physical Documents
  Interview Physical Personnel
  Inspect Physical Security Controls
  Observe Physical Personnel Behavior
  Test Physical Security Safeguards
  Notes
  References

Security Risk Analysis
  Determining Risk
  Uncertainty and Reducing Uncertainty
  Creating Risk Statements
  Team Review of Security Risk Statements
  Obtaining Consensus
  Deriving Overall Security Risk
  Notes
  References

Security Risk Mitigation
  Selecting Safeguards
  Safeguard Solution Sets
  Safeguard Cost Calculations
  Justifying Safeguard Selections
  Establishing Risk Parameters
  Notes
  References

Security Risk Assessment Reporting
  Cautions in Reporting
  Pointers in Reporting
  Report Structure
  Executive-Level Report
  Base Report
  Appendices and Exhibits
  Document Review Methodology: Create the Report Using a Top-Down Approach
  Document Specification
  Draft
  Final
  Assessment Brief
  Action Plan
  Notes
  References

Security Risk Assessment Project Management
  Project Planning
  Project Definition
  Project Planning Details
  Project Resources
  Project Tracking
  Hours Tracking
  Calendar Time Tracking
  Project Progress Tracking
  Taking Corrective Measures
  Obtaining More Resources
  Using Management Reserve
  Project Status Reporting
  Report Detail
  Report Frequency
  Status Report Content
  Project Conclusion and Wrap-Up
  Eliminating "Scope Creep"
  Eliminating Project Run-On
  Notes
  Reference

Security Risk Assessment Approaches
  Quantitative vs. Qualitative Analysis
  Quantitative Analysis
  Qualitative Analysis
  Tools
  Lists
  Templates
  Security Risk Assessment Methods
  FAA Security Risk Management Process
  OCTAVE
  FRAP
  CRAMM
  NSA IAM
  Notes
  References

Relevant Standards and Regulations
  GAISP
  CobiT
  ISO 17799
  NIST Handbook
  Management Controls
  Operational Controls
  Technical Controls
  HIPAA: Security
  Administrative Safeguards
  Physical Safeguards
  Technical Safeguards
  Gramm-Leach-Bliley Act (GLB Act)
  Notes

Index