The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition

Purchasing Options

ISBN 9781439821480
Cat# K11138

eBook (VitalSource)
ISBN 9781439821497
Cat# KE11010

    • Supplies detailed instruction on how to perform effective risk assessments
    • Presents little-known tips, tricks, and techniques of savvy security professionals
    • Includes charts and checklists to speed up the data gathering, analysis, and document development processes
    • Covers security risk analysis, mitigation, and risk assessment reporting
    • Provides the understanding required to better negotiate the scope and rigor of risk assessment proposals 


    Conducted properly, information security risk assessments provide managers with the feedback needed to understand threats to corporate assets, determine vulnerabilities of current controls, and select appropriate safeguards. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value.

    Picking up where its bestselling predecessor left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition gives you detailed instruction on how to conduct a risk assessment effectively and efficiently. Supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting, this updated edition provides the tools needed to solicit and review the scope and rigor of risk assessment proposals with competence and confidence.

    Trusted to assess security for leading organizations and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. He details time-tested methods to help you:

    • Better negotiate the scope and rigor of security assessments
    • Effectively interface with security assessment teams
    • Gain an improved understanding of final report recommendations
    • Deliver insightful comments on draft reports

    The book includes charts, checklists, and sample reports to help you speed up the data gathering, analysis, and document development process. Walking you through the process of conducting an effective security assessment, it provides the tools and up-to-date understanding you need to select the security measures best suited to your organization.

    Table of Contents

    The Need for an Information Security Program
    Elements of an Information Security Program
    Common Core Information Security Practices
    Security Risk Assessment
    Related Activities
    The Need for This Book
    Who Is This Book For?

    Information Security Risk Assessment Basics
    Phase 1: Project Definition
    Phase 2: Project Preparation
    Phase 3: Data Gathering
    Phase 4: Risk Analysis
    Phase 5: Risk Mitigation
    Phase 6: Risk Reporting and Resolution

    Project Definition
    Ensuring Project Success
    Project Description

    Security Risk Assessment Preparation
    Introduce the Team
    Review Business Mission
    Identify Critical Systems
    Identify Assets
    Identifying Threats
    Determine Expected Controls

    Data Gathering
    The RIIOT Method of Data Gathering

    Administrative Data Gathering
    Threats and Safeguards
    The RIIOT Method: Administrative Data Gathering

    Technical Data Gathering
    Technical Threats and Safeguards
    The RIIOT Method: Technical Data Gathering

    Physical Data Gathering
    Physical Threats and Safeguards
    The RIIOT Method: Physical Data Gathering

    Security Risk Analysis
    Determining Security Risk
    Creating Security Risk Statements
    Team Review of Security Risk Statements

    Security Risk Mitigation
    Selecting Safeguards
    Safeguard Solution Sets
    Establishing Security Risk Parameters
    Document Review Methodology: Create the Report Using a Top-Down Approach
    Assessment Brief
    Action Plan

    Security Risk Assessment Reporting
    Cautions in Reporting
    Pointers in Reporting
    Report Structure

    Security Risk Assessment Project Management
    Project Planning
    Project Tracking
    Taking Corrective Measures
    Project Status Reporting
    Project Conclusion and Wrap-Up

    Security Risk Assessment Approaches
    Quantitative vs. Qualitative Analysis Tools
    Security Risk Assessment Methods


    Author Bio(s)

    Douglas Landoll has nearly two decades of information security experience. He has led security risk assessments and established security programs for top corporations and government agencies. He is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. His background includes evaluating security at the National Security Agency (NSA), North Atlantic Treaty Organization (NATO), Central Intelligence Agency (CIA), and other government agencies; co-founding the Arca Common Criteria Testing Laboratory, co-authoring the systems security engineering capability maturity model (SSE-CMM); teaching at NSA’s National Cryptologic School; and running the southwest security services division for Exodus Communications.

    Mr. Landoll is currently the president of Veridyn, a provider of network security solutions. He is a certified information systems security professional (CISSP) and certified information systems auditor (CISA). He holds a BS degree from James Madison University and an MBA from the University of Texas at Austin. He has published numerous information security articles, speaks regularly at conferences, and serves as an advisor for several high-tech companies.

    Editorial Reviews

    … this book, now in its second edition, covers a lot of ground for its 450 or so pages: information security, physical and environmental exposures, personnel risk and business continuity. Its author, a one-time senior analyst at the NSA, is clearly highly experienced in managing very large-scale risk assessment exercises. … a valuable guide for those commissioning or planning risk assessment exercises.
    — Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, July 2011
