495 pages | 33 B/W Illus.
Conducted properly, information security risk assessments provide managers with the feedback needed to understand threats to corporate assets, determine vulnerabilities of current controls, and select appropriate safeguards. Performed incorrectly, they can provide the false sense of security that allows potential threats to develop into disastrous losses of proprietary information, capital, and corporate value.
Picking up where its bestselling predecessor left off, The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, Second Edition gives you detailed instruction on how to conduct a risk assessment effectively and efficiently. Supplying wide-ranging coverage that includes security risk analysis, mitigation, and risk assessment reporting, this updated edition provides the tools needed to solicit and review the scope and rigor of risk assessment proposals with competence and confidence.
Trusted to assess security for leading organizations and government agencies, including the CIA, NSA, and NATO, Douglas Landoll unveils the little-known tips, tricks, and techniques used by savvy security professionals in the field. He details time-tested methods to help you:
The book includes charts, checklists, and sample reports to help you speed up the data gathering, analysis, and document development process. Walking you through the process of conducting an effective security assessment, it provides the tools and up-to-date understanding you need to select the security measures best suited to your organization.
… this book, now in its second edition, covers a lot of ground for its 450 or so pages: information security, physical and environmental exposures, personnel risk and business continuity. Its author, a one-time senior analyst at the NSA, is clearly highly experienced in managing very large-scale risk assessment exercises. … a valuable guide for those commissioning or planning risk assessment exercises.
— Michael Barwise, BSc, CEng, CITP, MBCS, in InfoSec Reviews, July 2011
The Need for an Information Security Program
Elements of an Information Security Program
Common Core Information Security Practices
Security Risk Assessment
The Need for This Book
Who Is This Book For?
Information Security Risk Assessment Basics
Phase 1: Project Definition
Phase 2: Project Preparation
Phase 3: Data Gathering
Phase 4: Risk Analysis
Phase 5: Risk Mitigation
Phase 6: Risk Reporting and Resolution
Ensuring Project Success
Security Risk Assessment Preparation
Introduce the Team
Review Business Mission
Identify Critical Systems
Determine Expected Controls
The RIIOT Method of Data Gathering
Administrative Data Gathering
Threats and Safeguards
The RIIOT Method: Administrative Data Gathering
Technical Data Gathering
Technical Threats and Safeguards
The RIIOT Method: Technical Data Gathering
Physical Data Gathering
Physical Threats and Safeguards
The RIIOT Method: Physical Data Gathering
Security Risk Analysis
Determining Security Risk
Creating Security Risk Statements
Team Review of Security Risk Statements
Security Risk Mitigation
Selecting Safeguards
Safeguard Solution Sets
Establishing Security Risk Parameters
Document Review Methodology: Create the Report Using a Top-Down Approach
Security Risk Assessment Reporting
Cautions in Reporting
Pointers in Reporting
Security Risk Assessment Project Management
Project Planning
Taking Corrective Measures
Project Status Reporting
Project Conclusion and Wrap-Up
Security Risk Assessment Approaches
Quantitative vs. Qualitative Analysis Tools
Security Risk Assessment Methods