Acknowledgments
About the Technical Editor
About the Authors
Introduction

Information Security Risk Assessments
  Introduction
  What is Risk?
  Going Deeper with Risk
  Components of Risk
  Putting it All Together
  Information Security Risk
  What is an Information Security Risk Assessment?
  Why Assess Information Security Risk?
  Risk Assessments and the Security Program
  Information Security Risk Assessment Activities in a Nutshell
  Drivers, Laws, and Regulations
  Federal Information Security Management Act of 2002 (FISMA)
  Gramm-Leach-Bliley Act (GLBA)
  Health Insurance Portability and Accountability Act (HIPAA)
  State Governments
  ISO 27001
  Summary
  What is Risk?
  What is an Information Security Risk Assessment?
  Drivers, Laws, and Regulations
  References

Information Security Risk Assessment: A Practical Approach
  Introduction
  A Primer on Information Security Risk Assessment Frameworks
  Do I Use an Existing Framework or Should I Use My Own?
  OCTAVE
  FAIR
  NIST SP 800-30
  ISO 27005
  A Comparison of the Major Activities for the Four Frameworks
  A Comparison of the Major Activities for the Four Frameworks Based on Activities
  Our Risk Assessment Approach
  Summary

Information Security Risk Assessment: Data Collection
  Introduction
  The Sponsor
  The Project Team
  The Size and Breadth of the Risk Assessment
  Scheduling and Deadlines
  Assessor and Organization Experience
  Workload
  Data Collection Mechanisms
  Collectors
  Containers
  Executive Interviews
  Document Requests
  IT Asset Inventories
  Asset Scoping
  Interviews
  Asset Scoping Workshops
  Business Impact Analysis and Other Assessments
  Critical Success Factor Analysis
  The Asset Profile Survey
  Who Do You Ask for Information?
  How Do You Ask for the Information?
  What Do You Ask for?
  The Control Survey
  Who Do You Ask for Information?
  How Do You Ask for Information?
  What Do You Ask for?
  Organizational vs. System Specific
  Scale vs. Yes or No
  Inquiry vs. Testing
  Survey Support Activities and Wrap-Up
  Before and During the Survey
  Review of Survey Responses
  Post-Survey Verifications
  Consolidation

Information Security Risk Assessment: Data Analysis
  Introduction
  Compiling Observations from Organizational Risk Documents
  Preparation of Threat and Vulnerability Catalogs
  Threat Catalog
  Vulnerability Catalog
  Threat-Vulnerability Pairs
  Overview of the System Risk Computation
  Designing the Impact Analysis Scheme
  Confidentiality
  Integrity
  Availability
  Preparing the Impact Score
  Practical Tips
  Designing the Control Analysis Scheme
  Practical Tips
  Designing the Likelihood Analysis Scheme
  Exposure
  Frequency
  Controls
  Likelihood
  Putting it Together and the Final Risk Score

Information Security Risk Assessment: Risk Assessment
  Introduction
  System Risk Analysis
  Risk Classification
  Risk Rankings
  Individual System Risk Reviews
  Threat and Vulnerability Review
  Review Activities for Organizational Risk
  Review of Security Threats and Trends
  Review of Audit Findings
  Review of Security Incidents
  Review of Security Exceptions
  Review of Security Metrics
  Risk Prioritization and Risk Treatment

Information Security Risk Assessment: Risk Prioritization and Treatment
  Introduction
  Organizational Risk Prioritization and Treatment
  Review of Security Threats and Trends
  Review of Audit Findings
  Review of Security Incidents
  Review of Security Exceptions
  Review of Security Metrics
  System Specific Risk Prioritization and Treatment
  Issues Register

Information Security Risk Assessment: Reporting
  Introduction
  Outline
  Risk Analysis Executive Summary
  Methodology
  Organizational
  System Specific
  Results
  Organizational Analysis
  System Specific
  Risk Register
  Conclusion
  Appendices

Information Security Risk Assessment: Maintenance and Wrap Up
  Introduction
  Process Summary
  Data Collection
  Data Analysis
  Risk Analysis
  Reporting
  Key Deliverables
  Post Mortem
  Scoping
  Executive Interviews
  System Owners and Stewards
  Document Requests
  System Profile and Control Survey
  Analysis
  Reporting
  General Process

Index