The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments

✍ Scribed by Douglas Landoll


Publisher
CRC Press
Year
2021
Tongue
English
Leaves
515
Edition
3
Category
Library


✦ Synopsis


Conducted properly, information security risk assessments provide managers with the feedback needed to understand threats to corporate assets, determine vulnerabilities of current controls, and select appropriate safeguards. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value. Picking up where its bestselling predecessors left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Third Edition gives you detailed instruction on how to conduct a risk assessment effectively and efficiently, supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting.


The third edition has expanded coverage of essential topics such as threat analysis, data gathering, risk analysis, and risk assessment methods, and adds coverage of new topics essential for current assessment projects (e.g., cloud security, supply chain management, security risk assessment methods). This edition includes detailed guidance on gathering data and analyzing over 200 administrative, technical, and physical controls using the RIIOT data gathering method; introduces the RIIOT FRAME risk assessment method; includes hundreds of tables, over 70 new diagrams and figures, and over 80 exercises; and provides a detailed analysis of many of the popular security risk assessment methods in use today. The companion website (infosecurityrisk.com) provides downloads for checklists, spreadsheets, figures, and tools. The Security Risk Assessment Handbook walks you through the process of conducting an effective security assessment, providing the tools, methods, and up-to-date understanding you need to select the security measures best suited to your organization.


Trusted to assess security for small companies, leading organizations and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. He details time-tested methods to help you:

· Better negotiate the scope and rigor of security assessments

· Effectively interface with security assessment teams

· Gain an improved understanding of final report recommendations

· Deliver insightful comments on draft reports

✦ Table of Contents


Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
List of Tables
List of Figures
Author
Chapter 1: Introduction
1.1 The Role of the Chief Information Security Officer
1.1.1 Audit as a Driver for Security Initiatives
1.1.2 Technology as a Driver for Security Initiatives
1.1.3 Compliance as a Driver for Security Initiatives
1.1.4 Security Risk as a Driver for Security Initiatives
1.2 Ensuring a Quality Information Security Risk Assessment
1.3 Security Risk Assessment
1.3.1 The Role of the Security Risk Assessment
1.3.2 Definition of a Security Risk Assessment
1.3.3 The Need for a Security Risk Assessment
1.3.3.1 Checks and Balances
1.3.3.2 Periodic Review
1.3.3.3 Risk-Based Spending
1.3.3.4 Requirement
1.3.4 Security Risk Assessment Secondary Benefits
1.4 Related Activities
1.4.1 Gap Assessment
1.4.2 Compliance Audit
1.4.3 Security Audit
1.4.4 Vulnerability Scanning
1.4.5 Penetration Testing
1.4.6 Ad Hoc Testing
1.4.7 Social Engineering
1.4.8 War Dialing
1.5 The Need for This Book
1.6 Who Is This Book For?
Exercises
Note
Bibliography
Chapter 2: Information Security Risk Assessment Basics
2.1 Phase 1: Project Definition
2.2 Phase 2: Project Preparation
2.3 Phase 3: Data Gathering
2.4 Phase 4: Risk Analysis
2.4.1 Assets
2.4.2 Threat Agents and Threat Actions
2.4.2.1 Threat Agents
2.4.2.2 Threat Actions
2.4.3 Vulnerabilities
2.4.4 Security Risk
2.5 Phase 5: Risk Mitigation
2.5.1 Safeguards
2.5.2 Residual Security Risk
2.6 Phase 6: Risk Reporting and Resolution
2.6.1 Risk Resolution
Exercises
Notes
Bibliography
Chapter 3: Project Definition
3.1 Ensuring Project Success
3.1.1 Success Definition
3.1.1.1 Customer Satisfaction
3.1.1.2 Identifying the Customer
3.1.1.3 Quality of Work
3.1.1.3.1 Quality Aspects
3.1.1.4 Completion within Budget
3.1.2 Setting the Budget
3.1.3 Determining the Objective
3.1.4 Limiting the Scope
3.1.4.1 Under-scoping
3.1.4.2 Over-scoping
3.1.4.3 Security Controls
3.1.4.3.1 Administrative Security Controls
3.1.4.3.2 Physical Security Controls
3.1.4.3.3 Technical Security Controls
3.1.4.4 Assets
3.1.4.4.1 Tangible Assets
3.1.4.4.2 Intangible Assets
3.1.4.5 Reasonableness in Limiting the Scope
3.1.5 Identifying System Boundaries
3.1.5.1 Physical Boundary
3.1.5.2 Logical Boundaries
3.1.6 Specifying the Rigor
3.1.7 Sample Scope Statements
3.2 Project Description
3.2.1 Project Variables
3.2.2 Statement of Work (SOW)
3.2.2.1 Specifying the Service Description
3.2.2.2 Scope of Security Controls
3.2.2.3 Specifying Deliverables
3.2.2.4 Contract Type
3.2.2.4.1 Time and Materials Contract
3.2.2.4.2 Firm-Fixed-Price Contract
3.2.2.5 Contract Terms
3.2.2.5.1 Determining Needs
3.2.2.5.2 Determining Next-Best Alternative
3.2.2.5.3 Negotiating Project Membership
Exercises
Bibliography
Chapter 4: Security Risk Assessment Preparation
4.1 Introduce the Team
4.1.1 Introductory Letter
4.1.2 Project Kickoff Call
4.1.3 Pre-Assessment Briefing
4.1.4 Obtain Proper Permission
4.1.4.1 Policies Required
4.1.4.2 Permission Required
4.1.4.3 Scope of Permission
4.1.4.4 Accounts Required
4.2 Review Business Mission
4.2.1 What Is a Business Mission?
4.2.2 Obtaining Business Mission Information
4.3 Identify Critical Systems
4.3.1 Determining Criticality
4.3.1.1 Determine Protection Requirements
4.3.1.2 Determine Mission Criticality
4.3.1.3 Define Critical Systems
4.4 Identify Asset Classes
4.4.1 Checklists and Judgment
4.4.2 Asset Sensitivity/Criticality Classification
4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere
4.4.2.2 Approach 2: Create Asset Classification Information
4.4.2.3 Approach 3: Determine Asset Criticality
4.4.3 Asset Valuation
4.4.3.1 Approach 1: Binary Asset Valuation
4.4.3.2 Approach 2: Classification-Based Asset Valuation
4.4.3.3 Approach 3: Rank-Based Asset Valuation
4.4.3.4 Approach 4: Consensus Asset Valuation
4.4.3.5 Approaches 5–7: Accounting Valuation Approaches
4.4.3.5.1 Approach 5: Cost Valuation
4.4.3.5.2 Approach 6: Market Valuation
4.4.3.5.3 Approach 7: Income Valuation
4.5 Identifying Threats
4.5.1 Threat Components
4.5.1.1 Threat Agent
4.5.1.2 Threat Action
4.5.1.3 Threat Agent and Threat Action Pairing
4.5.2 Threat Statements
4.5.3 Validating Threat Statements
4.5.3.1 Factors Affecting Threat Statement Validity
4.6 Determine Expected Controls
Exercises
Note
Bibliography
Chapter 5: Data Gathering
5.1 Security Control Representation
5.1.1 Data Gathering on the Population
5.1.2 Data Gathering on a Sample
5.1.2.1 Determining Sample Size
5.1.2.2 Sampling Objectives
5.1.2.3 Sampling Types
5.1.3 Use of Sampling in Security Testing
5.1.3.1 Approach 1: Representative Testing
5.1.3.2 Approach 2: Selected Sampling
5.1.3.3 Approach 3: Random Sampling
5.2 Evidence Depth
5.3 The RIIOT Method of Data Gathering
5.3.1 RIIOT Method Benefits
5.3.2 RIIOT Method Approaches
5.3.2.1 Review Documents or Designs
5.3.2.1.1 The Importance of Security Documents
5.3.2.1.2 Documents to Request
5.3.2.1.3 Policy Review within Regulated Industries
5.3.2.1.4 RIIOT Document Review Technique
5.3.2.2 Interview Key Personnel
5.3.2.2.1 Selecting the Interviewer
5.3.2.2.2 Interview Requests
5.3.2.2.3 Preparing for the Interview
5.3.2.2.4 Conducting the Interview
5.3.2.2.5 Documenting the Interview
5.3.2.2.6 Flexibility in the Process
5.3.2.2.7 Questionnaire Preparation
5.3.2.3 Inspect Security Controls
5.3.2.4 Observe Personnel Behavior
5.3.2.4.1 Observation Guidance
5.3.2.5 Test Security Controls
5.3.2.5.1 Security Testing Documentation
5.3.2.5.2 Coverage of Testing
5.3.2.5.3 Types of Security Testing
5.3.2.5.3.1 Information Accuracy Testing
5.3.2.5.3.2 Vulnerability Testing
5.3.2.5.3.3 Penetration Testing
5.3.3 Using the RIIOT Method
5.3.3.1 Determining Appropriate RIIOT Approaches
5.3.3.2 Assigning RIIOT Activities
5.3.3.3 RIIOT Applied to Administrative, Physical, and Technical Controls
Exercises
Bibliography
Chapter 6: Administrative Data Gathering
6.1 Administrative Threats and Safeguards
6.1.1 Human Resources
6.1.1.1 Human Resource Threats
6.1.1.2 Human Resource Safeguards
6.1.1.2.1 Recruitment
6.1.1.2.2 Employment
6.1.1.2.3 Termination
6.1.2 Organizational Structure
6.1.2.1 Organizational Structure Threats
6.1.2.2 Organizational Structure Safeguards
6.1.2.2.1 Senior Management
6.1.2.2.2 Security Program
6.1.2.2.3 Security Operations
6.1.2.2.4 Audit
6.1.3 Information Control
6.1.3.1 Information Control Threats
6.1.3.2 Information Control Safeguards
6.1.3.2.1 Sensitive Information
6.1.3.2.2 User Accounts
6.1.3.2.3 User Error
6.1.3.2.4 Asset Control
6.1.4 Business Continuity
6.1.4.1 Business Continuity Threats
6.1.4.2 Business Continuity Safeguards
6.1.4.2.1 Contingency Planning
6.1.4.2.2 Incident Response Program
6.1.5 System Security
6.1.5.1 System Security Threats
6.1.5.2 Organizational Structure Safeguards
6.1.5.2.1 System Controls
6.1.5.2.2 Application Security
6.1.5.2.3 Configuration Management
6.1.5.2.4 Third-
6.2 The RIIOT Method: Administrative Data Gathering
6.2.1 Determining Appropriate RIIOT Approaches for Administrative Controls
6.2.2 Review Documents Regarding Administrative Controls
6.2.2.1 Documents to Review
6.2.2.2 Review Documents for Clarity, Consistency, and Completeness
6.2.2.3 Review Documents for Expected Elements
6.2.2.3.1 Reviewing Information Security Policies
6.2.2.3.1.1 Senior Management Statement
6.2.2.3.1.2 Acceptable-
6.2.2.3.1.3 Access Control Policy
6.2.2.3.1.4 Authentication and Account Management Policy
6.2.2.3.1.5 Backup and Restoration Policy
6.2.2.3.1.6 Cryptographic Control Policy
6.2.2.3.1.7 Data Classification, Handling and Retention Policy
6.2.2.3.1.8 Media Protection Policy
6.2.2.3.1.9 Mobile Device Policy
6.2.2.3.1.10 Physical Security/Environmental Controls Policy
6.2.2.3.1.11 Privacy Program Policy
6.2.2.3.1.12 Privacy—Web Privacy Notice
6.2.2.3.1.13 Systems and Communications Security Policy
6.2.2.4.1.1 Business Contingency Plan
6.2.2.4.1.2 Change Control Procedures
6.2.2.4.1.3 Disaster Recovery Plan
6.2.2.4.1.4 Incident Response Plan
6.2.2.4.1.5 Information Security Program Procedures
6.2.2.4.1.6 Other Operational Procedures
6.2.2.4.1.7 Security Awareness and Training Program
6.2.2.4.1.8 Software Development Life Cycle Process
6.2.2.4.1.9 Termination Procedures
6.2.2.4.1.10 Vendor Security Risk Management Program
6.2.2.4 Reviewing Information Security Plans, Processes, and Procedures
6.2.2.5 Security Work Product Review
6.2.3 Interview Personnel Regarding Administrative Controls
6.2.3.1 Administrative Interview Planning
6.2.3.2 Administrative Interview Topics
6.2.3.3 Administrative Interview Subjects
6.2.3.4 Administrative Interview Questions
6.2.3.4.1 Incident Response Interview Questions
6.2.3.4.2 Security Operations Interview Questions
6.2.3.4.3 Security Program Interview Questions
6.2.4 Inspect Administrative Security Controls
6.2.4.1 Inspection—Listing Administrative Security Controls
6.2.4.2 Inspection—Verify Information Gathered
6.2.4.3 Inspection—Determine Vulnerabilities
6.2.4.4 Inspection—Document and Review Findings
6.2.4.5 Inspection—The Security Organization
6.2.4.5.1 Organizational Structure
6.2.4.5.2 Budget and Resources
6.2.4.5.3 Roles and Responsibilities
6.2.5 Observe Administrative Behavior
6.2.6 Test Administrative Security Controls
6.2.6.1 Information Labeling Testing
6.2.6.2 Media Destruction Testing
6.2.6.2.1 Approach 1: TRASHINT
6.2.6.2.2 Approach 2: Sanitization Test
6.2.6.3 Account and Access Control Procedures Testing
6.2.6.3.1 Approach 1: Process Test
6.2.6.3.2 Approach 2: Process Audit—Sample
6.2.6.3.3 Approach 3: Process Audit—Complete
6.2.6.4 Outsourcing and Information Exchange
6.2.6.4.1 Outsourcing Review
6.2.6.4.1.1 Approach 1: Review Contracts
6.2.6.4.1.2 Approach 2: Review Available Assessments
6.2.6.4.1.3 Approach 3: Review Questionnaire Responses
Exercises
Bibliography
Chapter 7: Technical Data Gathering
7.1 Technical Threats and Safeguards
7.1.1 Information Control
7.1.1.1 Information Control Threats
7.1.1.2 Information Control Safeguards
7.1.1.2.1 User Error
7.1.1.2.2 Sensitive and Critical Information
7.1.1.2.3 User Accounts
7.1.2 Business Continuity
7.1.2.1 Business Continuity Threats
7.1.2.2 Business Continuity Safeguards
7.1.2.2.1 Contingency Planning
7.1.2.2.2 Incident Response Program
7.1.3 System Security
7.1.3.1 System Security Threats
7.1.3.2 System Security Safeguards
7.1.3.2.1 System Controls
7.1.3.2.2 Application Security
7.1.3.2.3 Change Management
7.1.4 Secure Architecture
7.1.4.1 Secure Architecture Threats
7.1.4.2 Secure Architecture Safeguards
7.1.4.2.1 Topology
7.1.4.2.2 Transmission
7.1.4.2.3 Perimeter Network
7.1.5 Security Components
7.1.5.1 Security Component Threats
7.1.5.2 Security Component Safeguards
7.1.5.2.1 Access Control
7.1.5.2.2 Continuous Monitoring
7.1.6 Secure Configuration
7.1.6.1 Secure Configuration Threats
7.1.6.2 Secure Configuration Safeguards
7.1.6.2.1 System Settings
7.1.7 Data Security
7.1.7.1 Data Security Threats
7.1.7.2 Data Security Safeguards
7.1.7.2.1 Storage
7.1.7.2.2 Transit
7.2 The RIIOT Method: Technical Data Gathering
7.2.1 Determining Appropriate RIIOT Approaches for Technical Controls
7.2.2 Review Documents Regarding Technical Controls
7.2.2.1 Technical Documents to Request
7.2.2.2 Review Technical Documents for Information
7.2.2.3 Review Documents for Clarity, Consistency, and Completeness
7.2.2.4 Review Documents for Expected Elements
7.2.2.5 Reviewing System Information Documents
7.2.2.5.1 Network Diagram
7.2.2.6 Reviewing Previous Security Assessment Documents
7.2.2.6.1 Vulnerability Scan Report
7.2.2.6.2 Penetration Test Report
7.2.2.6.3 Security Risk Assessment Report
7.2.2.6.4 Information Technology/Security Audit Report
7.2.2.7 Reviewing Technical Manuals
7.2.2.8 Review Technical Security Designs
7.2.2.8.1 Determine Security Requirements
7.2.2.9 Basic Security Design Principles
7.2.2.9.1 Common Areas for Investigation
7.2.3 Interview Personnel Regarding Technical Controls
7.2.3.1 Technical Interview Topics
7.2.3.2 Technical Interview Subjects
7.2.3.3 Technical Interview Questions
7.2.3.3.1 Security Testing and Review Interview Questions
7.2.3.3.2 Security Components Interview Questions
7.2.3.3.3 Security Operations and Procedures Interview Questions
7.2.4 Inspect Technical Security Controls
7.2.4.1 List Technical Security Controls
7.2.4.2 Verify Information Gathered
7.2.4.2.1 Audit Logs
7.2.4.2.2 Identity Management System
7.2.4.2.3 Data Backup Technologies
7.2.4.2.4 Vulnerability Scanning Tools
7.2.4.2.5 Penetration Testing Tools
7.2.4.2.6 Patch Management System
7.2.4.2.7 Web and E-mail Filtering Tools
7.2.4.2.8 Configuration Management
7.2.4.2.9 Firewalls
7.2.4.2.10 Intrusion Detection Systems
7.2.4.2.11 System Hardening Guidance
7.2.4.2.12 Operating Systems and Applications
7.2.4.2.12.1 Sources of Checklists
7.2.4.2.12.2 Use of Checklists
7.2.4.3 Determine Vulnerabilities
7.2.4.4 Document and Review Findings
7.2.5 Observe Technical Personnel Behavior
7.2.6 Test Technical Security Controls
7.2.6.1 Monitoring Technology
7.2.6.2 Audit Logs
7.2.6.3 Anti-Virus Systems
7.2.6.4 Automated Password Policies
7.2.6.5 Virtual Private Network
7.2.6.6 Firewalls, IDS, and System Hardening
7.2.6.7 Vulnerability Scanning
7.2.6.7.1 Stages of Vulnerability Scanning
7.2.6.7.2 Vulnerability Scanning Tools
7.2.6.7.2.1 Network Mapping
7.2.6.7.2.2 Vulnerability Scanners
7.2.6.7.2.3 Virus and Pest Scanning
7.2.6.7.2.4 Application Scanners
7.2.6.8 Penetration Testing
7.2.6.9 Testing Specific Technology
7.2.6.9.1 Modem Access Testing
7.2.6.9.2 Wireless Network Testing
7.2.6.9.3 PBX Testing
7.2.6.9.4 VOIP Testing
Exercises
Notes
Bibliography
Chapter 8: Physical Data Gathering
8.1 Physical Threats and Safeguards
8.1.1 Utilities and Interior Climate
8.1.1.1 Utility and Interior Climate Threats
8.1.1.2 Utility and Interior Climate Safeguards
8.1.1.2.1 Power Utility
8.1.1.2.1.1 Power Safeguards
8.1.1.2.2 Cooling Interior Climate
8.1.1.2.2.1 Cooling Safeguards
8.1.1.2.3 Humidity
8.1.1.2.3.1 Humidity Safeguards
8.1.2 Fire
8.1.2.1 Fire Threats
8.1.2.2 Fire Safeguards
8.1.2.2.1 Fire Prevention
8.1.2.2.1.1 Fire Prevention Safeguards
8.1.2.2.2 Fire Detection
8.1.2.2.2.1 Fire Detection Safeguards
8.1.2.2.3 Fire Alarm
8.1.2.2.3.1 Fire Alarm Safeguards
8.1.2.2.3.1.1 Fire Alarm Installation Types
8.1.2.2.4 Fire Suppression
8.1.2.3 Fire Suppression Safeguards
8.1.2.3.1 Stationary Suppression Systems
8.1.3 Flood and Water Damage
8.1.3.1 Flood and Water Threats
8.1.3.2 Flood and Water Safeguards
8.1.3.2.1 Flood and Water Exposure
8.1.3.2.1.1 Flood and Water Exposure Safeguards
8.1.3.2.2 Flood and Water Monitoring
8.1.3.2.2.1 Flood and Water Exposure Safeguards
8.1.3.2.3 Flood and Water Response
8.1.3.2.3.1 Flood and Water Response Safeguards
8.1.4 Other Natural Disasters
8.1.4.1 Other Natural Disaster Threats
8.1.4.2 Other Natural Disaster Safeguards
8.1.4.2.1 General Natural Disasters
8.1.4.2.1.1 Natural Disasters—General Protection Safeguards
8.1.4.2.2 Lightning
8.1.4.2.2.1 Lightning Safeguards
8.1.4.2.3 Earthquake
8.1.4.2.3.1 Earthquake Safeguards
8.1.4.2.4 Volcano
8.1.4.2.4.1 Volcano Safeguards
8.1.4.2.5 Hurricane
8.1.4.2.5.1 Hurricane Safeguards
8.1.5 Workforce
8.1.5.1 Workforce Threats
8.1.5.2 Workforce Safeguards
8.1.5.2.1 Personnel Screening
8.1.5.2.2 Personnel Termination
8.1.6 Perimeter Protections
8.1.6.1 Perimeter Protection Threats
8.1.6.2 Perimeter Protection Safeguards
8.1.6.2.1 Barriers
8.1.6.2.2 Lighting
8.1.6.2.3 Physical Intrusion Detection
8.1.6.2.3.1 Exterior Sensors
8.1.6.2.3.2 Interior Sensors
8.1.6.2.3.3 Video Surveillance Systems
8.1.6.2.3.3.1 Video Surveillance System Capabilities
8.1.6.2.4 Physical Access Control
8.1.6.2.4.1 Badges
8.1.6.2.4.2 Card Readers
8.1.6.2.4.3 Biometrics
8.1.6.2.4.4 Visitor Control
8.1.6.2.4.5 Property Removal Prevention
8.2 The RIIOT Method: Physical Data Gathering
8.2.1 Determining Appropriate RIIOT Approaches for Physical Controls
8.2.2 Review Documents Regarding Physical Controls
8.2.2.1 Physical Documents to Request
8.2.2.2 Review Physical Documents for Information
8.2.2.3 Review Documents for Currency and Capability
8.2.2.4 Review Documents for Expected Elements
8.2.2.5 Reviewing Physical Safeguard Information Documents
8.2.2.6 Reviewing Previous Physical Assessment Documents
8.2.2.7 Reviewing Building and Site Architecture Documents
8.2.2.8 Reviewing Procedures and Procedure Work Products
8.2.3 Interview Physical Personnel
8.2.3.1 Physical Security Interview Topics
8.2.3.2 Physical Security Interview Subjects
8.2.3.3 Physical Security Interview Questions
8.2.3.3.1 Utilities Interview Questions
8.2.3.3.2 Physical Security Procedures Interview Questions
8.2.4 Inspect Physical Security Controls
8.2.4.1 Listing Physical Security Controls
8.2.4.2 Verify Information Gathered
8.2.4.2.1 Logs, Records, and Audit Files
8.2.4.2.2 Perimeter Security
8.2.4.3 Determine Physical Vulnerabilities
8.2.4.4 Document and Review Physical Findings
8.2.5 Observe Physical Personnel Behavior
8.2.6 Test Physical Security Safeguards
8.2.6.1 Doors and Locks
8.2.6.2 Intrusion Detection
Exercises
Notes
Bibliography
Chapter 9: Security Risk Analysis
9.1 Obtaining Measurement Data for Security Risk Analysis
9.2 Qualitative Security Risk Analysis Techniques
9.2.1 Qualitative Security Risk Analysis Advantages
9.2.2 Qualitative Security Risk Analysis Disadvantages
9.3 Quantitative Security Risk Analysis Techniques
9.3.1 Classic Quantitative Security Risk Assessment Formulas
9.3.2 Estimation
9.3.3 Probability Distributions
9.3.4 Monte Carlo Simulation
9.3.4.1 Ransomware Example—Monte Carlo Simulation
9.3.4.2 Building Monte Carlo Simulation Models
9.3.4.3 Quantitative Analysis Advantages
9.3.4.4 Quantitative Analysis Disadvantages
9.4 Summarizing Security Risk Analysis
9.4.1 Team Review of Security Risk Summary
9.4.2 Deriving Overall Security Risk
9.4.3 Prioritization of Security Risk
Exercises
Notes
Bibliography
Chapter 10: Security Risk Analysis Worked Examples
10.1 RIIOT FRAME
10.1.1 RIIOT FRAME—Qualitative
10.1.1.1 Qualitative Threat Assessment: (Phase 1)
10.1.1.2 Qualitative Vulnerability Assessment: (Phases 2A and 2B)
10.1.1.2.1 The RIIOT FRAME for Qualitative Vulnerability Review Approach
10.1.1.3 Qualitative Threat Occurrence Likelihood
10.1.1.4 Qualitative Expected Impact
10.1.1.4.1 Qualitative Impact Assessment (Phase 3)
10.1.1.4.2 Qualitative Vulnerability Assessment: Detective and Corrective Controls (Phase 2B)
10.1.1.5 Qualitative Expected Impact
10.1.1.6 Qualitative Security Risk Calculation
10.1.2 RIIOT FRAME—Quantitative
10.1.2.1 Obtaining Quantitative Data
10.1.2.1.1 Direct Threat Frequency or Impact Data
10.1.2.1.2 Indirect Threat Frequency or Impact Data
10.1.2.2 Quantitative Threat Occurrence Likelihood (Phase 1 and 2A)
10.1.2.3 Quantitative Expected Impact: Phase 3 and 2B
10.1.2.4 Quantitative Security Risk Calculation
10.1.3 Qualitative and Quantitative Comparison
Exercises
Notes
Chapter 11: Security Risk Mitigation
11.1 Defining Security Risk Appetite
11.2 Selecting Safeguards
11.2.1 Method 1: Missing Control Leads to Safeguard Selection
11.2.2 Method 2: People, Process, Technology
11.2.3 Method 3: The “Nine-Cell”
11.2.4 Method 4: Available Technology
11.3 Safeguard Solution Sets
11.3.1 Safeguard Cost Calculations
11.3.2 Safeguard Effectiveness
11.3.2.1 Justification through Judgment
11.3.2.2 Cost–Benefit Analysis
11.4 Establishing Security Risk Parameters
Exercises
Notes
Chapter 12: Security Risk Assessment Reporting
12.1 Cautions in Reporting
12.2 Pointers in Reporting
12.3 Report Structure
12.3.1 Executive-Level Report
12.3.2 Base Report
12.3.3 Appendices and Exhibits
12.4 Document Review Methodology: Create the Report Using a Top-Down Approach
12.4.1 Document Specification
12.4.2 Draft
12.4.3 Final
12.5 Assessment Brief
12.6 Action Plan
Exercises
Bibliography
Chapter 13: Security Risk Assessment Project Management
13.1 Project Planning
13.1.1 Project Definition
13.1.2 Project Planning Details
13.1.2.1 Project Phases and Activities
13.1.2.2 Phases and Activities Scheduling
13.1.2.3 Allocating Hours to Activities
13.1.3 Project Resources
13.1.3.1 Objectivity vs. Independence
13.1.3.2 Internal vs. External Team Members
13.1.3.3 Skills Required
13.1.3.3.1 Specific Security Risk Assessment Skills
13.1.3.3.2 Certifications
13.1.3.3.3 General Consulting Skills
13.1.3.3.3.1 Criticisms of Consultants
13.1.3.3.3.2 Overcoming Critics
13.1.3.3.3.3 Conflict of Interest
13.1.3.3.4 General Writing Skills
13.2 Project Tracking
13.2.1 Hours Tracking
13.2.1.1 Calendar Time Tracking
13.2.2 Project Progress Tracking
13.3 Taking Corrective Measures
13.3.1 Obtaining More Resources
13.3.2 Using Management Reserve
13.4 Project Status Reporting
13.4.1 Report Detail
13.4.2 Report Frequency
13.4.3 Status Report Content
13.5 Project Conclusion and Wrap-Up
13.5.1 Eliminating “Scope Creep”
13.5.2 Eliminating Project Run-On
Exercises
Notes
Bibliography
Chapter 14: Security Risk Assessment Approaches
14.1 Security Risk Assessment Methods
14.1.1 NIST Guide for Conducting Risk Assessments (NIST SP 800-30)
14.1.2 OCTAVE
14.1.2.1 OCTAVE (Original)
14.1.2.2 OCTAVE-S
14.1.2.3 OCTAVE-Allegro
14.1.3 Information Security Assessment Methodology 2 (IRAM2)
14.1.4 Factor Analysis of Information Risk (FAIR): Basic Risk Assessment Guide (BRAG)
14.1.5 Factor Analysis of Information Risk (FAIR): Quantitative
14.1.6 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Qualitative
14.1.7 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Quantitative
14.2 Security Risk Assessment Frameworks
Exercises
Bibliography
Index

