LIMITED OFFER
Save 50% on book bundles
Immediately download your ebook while waiting for your print delivery. No promo code needed.
Security Risk Management
Building an Information Security Risk Management Program from the Ground Up
- 1st Edition - April 20, 2011
- Author: Evan Wheeler
- Language: English
- Paperback ISBN:9 7 8 - 1 - 5 9 7 4 9 - 6 1 5 - 5
- eBook ISBN:9 7 8 - 1 - 5 9 7 4 9 - 6 1 6 - 2
Security Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used o… Read more
Purchase options
Institutional subscription on ScienceDirect
Request a sales quoteSecurity Risk Management is the definitive guide for building or running an information security risk management program. This book teaches practical techniques that will be used on a daily basis, while also explaining the fundamentals so students understand the rationale behind these practices. It explains how to perform risk assessments for new IT projects, how to efficiently manage daily risk activities, and how to qualify the current risk level for presentation to executive level management. While other books focus entirely on risk analysis methods, this is the first comprehensive text for managing security risks.
This book will help you to break free from the so-called best practices argument by articulating risk exposures in business terms. It includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment. It explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk. It also presents a roadmap for designing and implementing a security risk management program.
This book will be a valuable resource for CISOs, security managers, IT managers, security consultants, IT auditors, security analysts, and students enrolled in information security/assurance college programs.
- Named a 2011 Best Governance and ISMS Book by InfoSec Reviews
- Includes case studies to provide hands-on experience using risk assessment tools to calculate the costs and benefits of any security investment
- Explores each phase of the risk management lifecycle, focusing on policies and assessment processes that should be used to properly assess and mitigate risk
- Presents a roadmap for designing and implementing a security risk management program
CISOs, Security Managers, IT Managers, Security Consultants, IT Auditors, Security Analysts, and Students in Information Security/Assurance college programs
PREFACE
ACKNOWLEDGMENTS
ABOUT THE AUTHOR
ABOUT THE TECHNICAL EDITOR
PART I. Introduction to Risk Management
Chapter 1. The Security Evolution
Information in this Chapter
Introduction
How We Got Here
A Risk-Focused Future
Information Security Fundamentals
The Death of Information Security
Summary
Chapter 2. Risky Business
Information in this Chapter
Introduction
Applying Risk Management to Information Security
Business-Driven Security Program
Security as an Investment
Qualitative versus Quantitative
Summary
Chapter 3. The Risk Management Lifecycle
Information in this Chapter
Introduction
Stages of the Risk Management Lifecycle
Business Impact Assessment
A Vulnerability Assessment Is Not a Risk Assessment
Making Risk Decisions
Mitigation Planning and Long-Term Strategy
Process Ownership
Summary
PART II. Risk Assessment and Analysis Techniques
Chapter 4. Risk Profiling
Information in this Chapter
Introduction
How Risk Sensitivity Is Measured
Asking the Right Questions
Assessing Risk Appetite
Summary
Chapter 5. Formulating a Risk
Information in this Chapter
Introduction
Breaking Down a Risk
Who or What Is the Threat?
Summary
Chapter 6. Risk Exposure Factors
Information in this Chapter
Introduction
Qualitative Risk Measures
Risk Assessment
Summary
Chapter 7. Security Controls and Services
Information in this Chapter
Introduction
Fundamental Security Services
Recommended Controls
Summary
Chapter 8. Risk Evaluation and Mitigation Strategies
Information in this Chapter
Introduction
Risk Evaluation
Risk Mitigation Planning
Policy Exceptions and Risk Acceptance
Summary
Chapter 9. Reports and Consulting
Information in this Chapter
Introduction
Risk Management Artifacts
A Consultant’s Perspective
Writing Audit Responses
Summary
Chapter 10. Risk Assessment Techniques
Information in this Chapter
Introduction
Operational Assessments
Project-Based Assessments
Third-Party Assessments
Summary
PART III. Building and Running a Risk Management Program
Chapter 11. Threat and Vulnerability Management
Information in this Chapter
Introduction
Building Blocks
Threat Identification
Advisories and Testing
An Efficient Workflow
The FAIR Approach
Summary
Chapter 12. Security Risk Reviews
Information in this Chapter
Introduction
Assessing the State of Compliance
Implementing a Process
Process Optimization: A Review of Key Points
The NIST Approach
Summary
Chapter 13. A Blueprint for Security
Information in this Chapter
Introduction
Risk in the Development Lifecycle
Security Architecture
Patterns and Baselines
Architectural Risk Analysis
Summary
Chapter 14. Building a Program from Scratch
Information in this Chapter
Introduction
Designing a Risk Program
Prerequisites for a Risk Management Program
Risk at the Enterprise Level
Linking the Program Components
Program Roadmap
Summary
APPENDIX A. Sample Security Risk Profile
A. General Information
B. Information Sensitivity
C. Regulatory Requirements
D. Business Requirements
E. Definitions
APPENDIX B. Qualitative Risk Scale Reference Tables
APPENDIX C. Architectural Risk Analysis Reference Tables
Baseline Security Levels and Sample Controls
Security Enhancement Levels and Sample Controls
Mapping Security Levels
Index
- No. of pages: 360
- Language: English
- Edition: 1
- Published: April 20, 2011
- Imprint: Syngress
- Paperback ISBN: 9781597496155
- eBook ISBN: 9781597496162
EW
Evan Wheeler
Evan Wheeler currently is a Director of Information Security for Omgeo (A DTCC | Thomson Reuters Company), an instructor at both Clark and Northeastern Universities, and the author of the Information Security Risk Management course for the SANS Institute. Previously he spent six years as a Security Consultant for the U.S. Department of Defense.
Affiliations and expertise
Omgeo, Boston, MA, USARead Security Risk Management on ScienceDirect