Information Security Risk Analysis, Second Edition

The risk management process supports executive decision-making, allowing managers and owners to perform their fiduciary responsibility of protecting the assets of their enterprises. This crucial process should not be a long, drawn-out affair. To be effective, it must be done quickly and efficiently. Information Security Risk Analysis, Second Edition enables CIOs, CSOs, and MIS managers to understand when, why, and how risk assessments and analyses can be conducted effectively. This book discusses the principle of risk management and its three key elements: risk analysis, risk assessment, and vulnerability assessment. It examines the differences between quantitative and qualitative risk assessment, and details how various types of qualitative risk assessment can be applied to the assessment process. The text offers a thorough discussion of recent changes to FRAAP and the need to develop a pre-screening method for risk assessment and business impact analysis.
Contents
Introduction | 1
1.1 Frequently Asked Questions | 2
1.1.2 When Should a Risk Analysis Be Conducted? | 3
1.1.4 Who within the Organization Should Conduct the Risk Analysis and Risk Assessment? | 4
1.1.7 What Can the Results of a Risk Management Tell an Organization? | 5
1.2 Conclusion | 6
Risk Management | 7
2.1 Overview | 7
2.2 Risk Management as Part of the Business Process | 8
2.3 Employee Roles and Responsibilities | 10
2.4 Information Security Life Cycle | 11
2.5 Risk Analysis Process | 15
2.6 Risk Assessment | 16
Threat Identification | 18
Determine Probability of Occurrence | 19
Determine the Impact of the Threat | 24
Controls Recommended | 25
Documentation | 27
2.8 Risk Mitigation | 38
2.9 Final Thoughts | 39
Risk Assessment Process | 41
3.1 Introduction | 41
3.3 Information Is an Asset | 42
3.4 Risk Assessment Methodology | 44
3.4.1 Threat Identification | 45
3.4.1.1 Elements of Threats | 46
3.4.1.2 Threat Occurrence Rates | 48
3.4.1.3 Risk Level Determination | 50
3.4.1.4 Controls and Safeguards | 52
3.4.1.5 Cost-Benefit Analysis | 74
Quantitative versus Qualitative Risk Assessment | 77
4.1 Introduction | 77
4.2 Quantitative and Qualitative Pros and Cons | 79
Develop a Scope Statement | 81
Identify Threats | 84
Threat Impact | 90
Risk Factor Determination | 92
Identify Safeguards and Controls | 93
Cost-Benefit Analysis | 96
Risk Assessment Report | 97
4.3.11 Summary | 99
Asset Valuation (BIA) | 101
Risk Evaluation | 102
Risk Management | 107
4.4.4 Summary | 108
4.5.3 ISRA Matrix | 109
4.5.5 Threat-Based Controls | 111
4.5.6 Documentation | 112
4.5.7 Out-of-Control Process | 113
4.6 Conclusion | 114
Other Forms of Qualitative Risk Assessment | 115
5.1 Introduction | 115
5.2 Hazard Impact Analysis | 116
5.2.2 Paralysis by Analysis | 119
5.3 Questionnaires | 120
5.3.1 Risk Assessment Questionnaire Process | 121
5.3.2 Summary | 124
5.5 Conclusion | 125
Facilitated Risk Analysis and Assessment Process (FRAAP) | 129
6.1 Introduction | 129
6.3 Why the FRAAP Was Created | 131
6.4 Introducing the FRAAP to Your Organization | 132
6.4.1 Awareness Program Overview | 133
6.4.2 Introducing the FRAAP | 134
6.4.3 Facilitation Skills | 136
6.4.3.2 Lead | 137
6.4.3.6 Support | 138
6.4.3.9 Solve Problems | 139
6.4.3.13 Do Not Lecture: Listen and Get the Team Involved | 140
6.4.3.18 Adhere to Time Frames and Be Punctual | 141
6.4.4 Session Agreements | 143
6.4.5 The FRAAP Team | 144
6.4.6 Prescreening | 147
6.4.6.2 Prescreening Example 2 | 153
6.4.6.3 Prescreening Example 3 | 155
6.4.7.1 Pre-FRAAP Meeting Process | 159
6.4.7.2 Pre-FRAAP Summary | 165
6.4.8.1 The FRAAP Session Stage 1 | 166
6.4.8.1.1 Overview | 166
6.4.8.1.3 The FRAAP Threat Identification | 168
6.4.8.1.4 FRAAP Session Risk Level Established | 171
6.4.8.1.5 FRAAP Control Selection | 173
6.4.8.2 The FRAAP Session Stage 2 | 182
6.4.8.3 FRAAP Session Summary | 183
6.4.9 The Post-FRAAP | 186
6.4.9.2 FRAAP Management Summary Report | 190
6.4.9.3 Cross-Reference Report | 194
6.4.9.4 Summary | 203
6.5 Conclusion | 204
Variations on the FRAAP | 205
7.1 Overview | 205
7.2.1 The Infrastructure FRAAP | 206
7.2.1.1 Infrastructure FRAAP Summary | 207
7.2.2.1 Overview | 212
7.2.3 Other Variations | 213
7.2.3.3 Variation Example 3 | 218
7.3 Conclusion | 221
Mapping Controls | 223
8.1 Controls Overview | 223
8.2 Creating Your Controls List | 224
8.2.2 Control Requirements Considerations | 226
8.3 Controls List Examples | 227
8.3.2 Controls List by Information Security Layer | 228
8.3.3 Controls List by Information Technology Organization | 229
8.3.5 Mapping ISO 17799 and HIPAA | 236
8.3.7 Controls List Mapping ISO 17799, GLBA and Sarbanes-Oxley | 245
8.3.9 Controls List Mapping ISO 17799, HIPAA, GLBA, SOX and FSGCA | 249
8.3.11 Controls List Mapping ISO 17799 and CobiT | 250
8.3.12 Other Sources | 261
Business Impact Analysis (BIA) | 289
9.1 Overview | 289
9.2 Creating a BIA Process | 290
Conclusion | 297
Sample Risk Assessment Management Summary Report | 299
Terms and Definitions | 325
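The contents above name the steps the book walks through (determine probability of occurrence, determine the impact of the threat, establish a risk level, select controls, run a cost-benefit analysis) and contrast quantitative with qualitative risk assessment. The following is an added example, not text or code from the book, that carries one constructed threat list through both styles: the quantitative path computes single loss expectancy (SLE = asset value x exposure factor), annualized loss expectancy (ALE = SLE x annualized rate of occurrence) and a control's net benefit; the qualitative path assigns High/Medium/Low from a probability x impact matrix. The asset values, rates, control costs and the matrix cut-offs are constructed assumptions for illustration, not figures or thresholds from the book.

```python
"""Added example: one constructed threat list assessed two ways.

Quantitative: SLE = asset value x exposure factor; ALE = SLE x ARO;
a control is justified when the ALE it avoids exceeds its annual cost.
Qualitative: a probability x impact matrix yields High/Medium/Low.
All figures and cut-offs below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # value of the asset at risk, in currency units
    exposure_factor: float  # fraction of asset value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)
    probability: Level      # qualitative likelihood rating
    impact: Level           # qualitative impact rating


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    ale_reduction: float    # fraction of the ALE the control avoids, 0..1
                            # (by lowering ARO, exposure factor, or both)


def single_loss_expectancy(t: Threat) -> float:
    """Expected loss from one occurrence of the threat."""
    return t.asset_value * t.exposure_factor


def annualized_loss_expectancy(t: Threat) -> float:
    """Expected loss per year: SLE scaled by how often the threat occurs."""
    return single_loss_expectancy(t) * t.aro


def net_benefit(t: Threat, c: Control) -> float:
    """Loss avoided per year minus the control's annual cost.
    A negative value means the control costs more than it saves."""
    return annualized_loss_expectancy(t) * c.ale_reduction - c.annual_cost


def qualitative_risk_level(t: Threat) -> Level:
    """Probability x impact matrix; the cut-offs are this example's assumption."""
    score = int(t.probability) * int(t.impact)  # 1..9
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def rank_quantitative(threats):
    """Threat names ordered by ALE, largest first."""
    return [t.name for t in sorted(threats, key=annualized_loss_expectancy, reverse=True)]


def rank_qualitative(threats):
    """Threat names ordered by matrix level, highest first; ties keep input order."""
    return [t.name for t in sorted(threats, key=qualitative_risk_level, reverse=True)]


def justified_controls(candidates):
    """Names of the (threat, control) pairs whose net benefit is positive."""
    return [c.name for t, c in candidates if net_benefit(t, c) > 0]


# Constructed sample data (assumed values, not from the book).
RANSOMWARE = Threat("ransomware on file server", 500_000, 0.4, 0.5, Level.HIGH, Level.HIGH)
LAPTOP_THEFT = Threat("unencrypted laptop stolen", 3_000, 1.0, 4.0, Level.HIGH, Level.LOW)
DC_FIRE = Threat("data center fire", 2_000_000, 0.8, 0.02, Level.LOW, Level.HIGH)
THREATS = [RANSOMWARE, LAPTOP_THEFT, DC_FIRE]

BACKUPS = Control("offline backups plus endpoint detection", 30_000, 0.8)
DISK_ENCRYPTION = Control("full-disk encryption on laptops", 5_000, 0.9)
SUPPRESSION = Control("upgraded fire suppression", 40_000, 0.5)
CANDIDATES = [(RANSOMWARE, BACKUPS), (LAPTOP_THEFT, DISK_ENCRYPTION), (DC_FIRE, SUPPRESSION)]


if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.name:28s} SLE={single_loss_expectancy(t):>12,.0f} "
              f"ALE={annualized_loss_expectancy(t):>10,.0f} "
              f"level={qualitative_risk_level(t).name}")
    print("quantitative order:", rank_quantitative(THREATS))
    print("qualitative order: ", rank_qualitative(THREATS))
    for t, c in CANDIDATES:
        print(f"{c.name:40s} net benefit={net_benefit(t, c):>10,.0f}")
```

With these inputs the two paths disagree on priority: the matrix rates the laptop theft and the data center fire both Medium, while ALE puts the fire at roughly three times the laptop loss. That gap is the practical reason the quantitative path matters when money has to be allocated, and the reason a qualitative matrix is faster when it does not; the cost-benefit step then rejects the fire-suppression upgrade because its annual cost exceeds the loss it would avoid.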