The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

ISBN 9780849329982
Cat# AU2998

Features

  • Provides detailed insight into precisely how to conduct an information security risk assessment from a practical point of view
  • Contains real examples, step-by-step descriptions, checklists, decision techniques and other tricks of the trade
  • Explores administrative, technical, and physical data gathering, including the RIIOT Method
  • Covers security risk analysis and mitigation, as well as security risk assessment reporting
  • Describes the steps of assessment project management, including planning, tracking, correcting, reporting, and wrap-up
  • Examines various risk assessment tools and methods, and compares quantitative vs. qualitative analysis
Summary

The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments provides detailed insight into precisely how to conduct an information security risk assessment. Designed for security professionals and their customers who want a more in-depth understanding of the risk assessment process, this volume contains real-world advice that promotes professional development. It also enables security consumers to better negotiate the scope and rigor of a security assessment, effectively interface with a security assessment team, deliver insightful comments on a draft report, and have a greater understanding of final report recommendations.

This book can save time and money by eliminating guesswork as to what assessment steps to perform and how to perform them. In addition, the book offers charts, checklists, examples, and templates that speed up data gathering, analysis, and document development. By improving the efficiency of the assessment process, security consultants can deliver a higher-quality service with a larger profit margin.

The text allows consumers to intelligently solicit and review proposals, positioning them to request affordable security risk assessments from quality vendors that meet the needs of their organizations.

Table of Contents

Introduction
The Need for an Information Security Program
Elements of an Information Security Program
Common Core Information Security Practices
Security Risk Assessment
Related Activities
The Need for This Book
Who Is This Book For?

Information Security Risk Assessment Basics
Phase 1: Project Definition
Phase 2: Project Preparation
Phase 3: Data Gathering
Phase 4: Risk Analysis
Phase 5: Risk Mitigation
Phase 6: Risk Reporting and Resolution

Project Definition
Ensuring Project Success
Project Description

Security Risk Assessment Preparation
Introduce the Team
Review Business Mission
Identify Critical Systems
Identify Assets
Identify Threats
Determine Expected Controls

Data Gathering
Sampling
The RIIOT Method of Data Gathering

Administrative Data Gathering
Threats and Safeguards
The RIIOT Method: Administrative Data Gathering

Technical Data Gathering
Technical Threats and Safeguards
The RIIOT Method: Technical Data Gathering

Physical Data Gathering
Physical Threats and Safeguards
The RIIOT Method: Physical Data Gathering

Security Risk Analysis
Determining Risk
Creating Risk Statements
Team Review of Security Risk Statements

Security Risk Mitigation
Selecting Safeguards
Safeguard Solution Sets
Establishing Risk Parameters

Security Risk Assessment Reporting
Cautions in Reporting
Pointers in Reporting
Report Structure
Document Review Methodology: Create the Report Using a Top-Down Approach
Assessment Brief
Action Plan

Security Risk Assessment Project Management
Project Planning
Project Tracking
Taking Corrective Measures
Project Status Reporting
Project Conclusion and Wrap-up

Security Risk Assessment Approaches
Quantitative vs. Qualitative Analysis
Tools
Security Risk Assessment Methods

Appendix: Relevant Standards and Regulations
GAISP
COBIT
ISO 17799
NIST Handbook
HIPAA: Security
Gramm-Leach-Bliley Act (GLB Act)