The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition by Douglas Landoll ISBN 9781032041650 103204165X

The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition by Douglas Landoll  – Ebook PDF Instant Download/Delivery: 9781032041650 ,103204165X
Full download The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition after payment

Product details:

ISBN 10: 103204165X
ISBN 13: 9781032041650
Author: Douglas Landoll

The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition Table of contents:

1 Introduction

1.1 The Role of the Chief Information Security Officer

1.1.1 Audit as a Driver for Security Initiatives

1.1.2 Technology as a Driver for Security Initiatives

1.1.3 Compliance as a Driver for Security Initiatives

1.1.4 Security Risk as a Driver for Security Initiatives

1.2 Ensuring a Quality Information Security Risk Assessment

1.3 Security Risk Assessment

1.3.1 The Role of the Security Risk Assessment

1.3.2 Definition of a Security Risk Assessment

1.3.3 The Need for a Security Risk Assessment

1.3.3.1 Checks and Balances

1.3.3.2 Periodic Review

1.3.3.3 Risk-Based Spending

1.3.3.4 Requirement

1.3.4 Security Risk Assessment Secondary Benefits

1.4 Related Activities

1.4.1 Gap Assessment

1.4.2 Compliance Audit

1.4.3 Security Audit

1.4.4 Vulnerability Scanning

1.4.5 Penetration Testing

1.4.6 Ad Hoc Testing

1.4.7 Social Engineering

1.4.8 War Dialing

1.5 The Need for This Book

1.6 Who Is This Book For?

Exercises

Note

Bibliography

2 Information Security Risk Assessment Basics

2.1 Phase 1: Project Definition

2.2 Phase 2: Project Preparation

2.3 Phase 3: Data Gathering

2.4 Phase 4: Risk Analysis

2.4.1 Assets

2.4.2 Threat Agents and Threat Actions

2.4.2.1 Threat Agents

2.4.2.2 Threat Actions

2.4.3 Vulnerabilities

2.4.4 Security Risk

2.5 Phase 5: Risk Mitigation

2.5.1 Safeguards

2.5.2 Residual Security Risk

2.6 Phase 6: Risk Reporting and Resolution

2.6.1 Risk Resolution

Exercises

Notes

Bibliography

3 Project Definition

3.1 Ensuring Project Success

3.1.1 Success Definition

3.1.1.1 Customer Satisfaction

3.1.1.2 Identifying the Customer

3.1.1.3 Quality of Work

3.1.1.3.1 Quality Aspects

3.1.1.4 Completion within Budget

3.1.2 Setting the Budget

3.1.3 Determining the Objective

3.1.4 Limiting the Scope

3.1.4.1 Under-scoping

3.1.4.2 Over-scoping

3.1.4.3 Security Controls

3.1.4.3.1 Administrative Security Controls

3.1.4.3.2 Physical Security Controls

3.1.4.3.3 Technical Security Controls

3.1.4.4 Assets

3.1.4.4.1 Tangible Assets

3.1.4.4.2 Intangible Assets

3.1.4.5 Reasonableness in Limiting the Scope

3.1.5 Identifying System Boundaries

3.1.5.1 Physical Boundary

3.1.5.2 Logical Boundaries

3.1.6 Specifying the Rigor

3.1.7 Sample Scope Statements

3.2 Project Description

3.2.1 Project Variables

3.2.2 Statement of Work (SOW)

3.2.2.1 Specifying the Service Description

3.2.2.2 Scope of Security Controls

3.2.2.3 Specifying Deliverables

3.2.2.4 Contract Type

3.2.2.4.1 Time and Materials Contract

3.2.2.4.2 Firm-Fixed-Price Contract

3.2.2.5 Contract Terms

3.2.2.5.1 Determining Needs

3.2.2.5.2 Determining Next-Best Alternative

3.2.2.5.3 Negotiating Project Membership

Exercises

Bibliography

4 Security Risk Assessment Preparation

4.1 Introduce the Team

4.1.1 Introductory Letter

4.1.2 Project Kickoff Call

4.1.3 Pre-Assessment Briefing

4.1.4 Obtain Proper Permission

4.1.4.1 Policies Required

4.1.4.2 Permission Required

4.1.4.3 Scope of Permission

4.1.4.4 Accounts Required

4.2 Review Business Mission

4.2.1 What Is a Business Mission?

4.2.2 Obtaining Business Mission Information

4.3 Identify Critical Systems

4.3.1 Determining Criticality

4.3.1.1 Determine Protection Requirements

4.3.1.2 Determine Mission Criticality

4.3.1.3 Define Critical Systems

4.4 Identify Asset Classes

4.4.1 Checklists and Judgment

4.4.2 Asset Sensitivity/Criticality Classification

4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere

4.4.2.2 Approach 2: Create Asset Classification Information

4.4.2.3 Approach 3: Determine Asset Criticality

4.4.3 Asset Valuation

4.4.3.1 Approach 1: Binary Asset Valuation

4.4.3.2 Approach 2: Classification-Based Asset Valuation

4.4.3.3 Approach 3: Rank-Based Asset Valuation

4.4.3.4 Approach 4: Consensus Asset Valuation

4.4.3.5 Approaches 5–7: Accounting Valuation Approaches

4.4.3.5.1 Approach 5: Cost Valuation

4.4.3.5.2 Approach 6: Market Valuation

4.4.3.5.3 Approach 7: Income Valuation

4.5 Identifying Threats

4.5.1 Threat Components

4.5.1.1 Threat Agent

4.5.1.2 Threat Action

4.5.1.3 Threat Agent and Threat Action Pairing

4.5.2 Threat Statements

4.5.3 Validating Threat Statements

4.5.3.1 Factors Affecting Threat Statement Validity

4.6 Determine Expected Controls

Exercises

Note

Bibliography

5 Data Gathering

5.1 Security Control Representation

5.1.1 Data Gathering on the Population

5.1.2 Data Gathering on a Sample

5.1.2.1 Determining Sample Size

5.1.2.2 Sampling Objectives

5.1.2.3 Sampling Types

5.1.3 Use of Sampling in Security Testing

5.1.3.1 Approach 1: Representative Testing

5.1.3.2 Approach 2: Selected Sampling

5.1.3.3 Approach 3: Random Sampling

5.2 Evidence Depth

5.3 The RIIOT Method of Data Gathering

5.3.1 RIIOT Method Benefits

5.3.2 RIIOT Method Approaches

5.3.2.1 Review Documents or Designs

5.3.2.1.1 The Importance of Security Documents

5.3.2.1.2 Documents to Request

5.3.2.1.3 Policy Review within Regulated Industries

5.3.2.1.4 RIIOT Document Review Technique

5.3.2.2 Interview Key Personnel

5.3.2.2.1 Selecting the Interviewer

5.3.2.2.2 Interview Requests

5.3.2.2.3 Preparing for the Interview

5.3.2.2.4 Conducting the Interview

5.3.2.2.5 Documenting the Interview

5.3.2.2.6 Flexibility in the Process

5.3.2.2.7 Questionnaire Preparation

5.3.2.3 Inspect Security Controls

5.3.2.4 Observe Personnel Behavior

5.3.2.4.1 Observation Guidance

5.3.2.5 Test Security Controls

5.3.2.5.1 Security Testing Documentation

5.3.2.5.2 Coverage of Testing

5.3.2.5.3 Types of Security Testing

5.3.2.5.3.1 Information Accuracy Testing

5.3.2.5.3.2 Vulnerability Testing

5.3.2.5.3.3 Penetration Testing

5.3.3 Using the RIIOT Method

5.3.3.1 Determining Appropriate RIIOT Approaches

5.3.3.2 Assigning RIIOT Activities

5.3.3.3 RIIOT Applied to Administrative, Physical, and Technical Controls

Exercises

Bibliography

6 Administrative Data Gathering

6.1 Administrative Threats and Safeguards

6.1.1 Human Resources

6.1.1.1 Human Resource Threats

6.1.1.2 Human Resource Safeguards

6.1.1.2.1 Recruitment

6.1.1.2.2 Employment

6.1.1.2.3 Termination

6.1.2 Organizational Structure

6.1.2.1 Organizational Structure Threats

6.1.2.2 Organizational Structure Safeguards

6.1.2.2.1 Senior Management

6.1.2.2.2 Security Program

6.1.2.2.3 Security Operations

6.1.2.2.4 Audit

6.1.3 Information Control

6.1.3.1 Information Control Threats

6.1.3.2 Information Control Safeguards

6.1.3.2.1 Sensitive Information

6.1.3.2.2 User Accounts

6.1.3.2.3 User Error

6.1.3.2.4 Asset Control

6.1.4 Business Continuity

6.1.4.1 Business Continuity Threats

6.1.4.2 Business Continuity Safeguards

6.1.4.2.1 Contingency Planning

6.1.4.2.2 Incident Response Program

6.1.5 System Security

6.1.5.1 System Security Threats

6.1.5.2 Organizational Structure Safeguards

6.1.5.2.1 System Controls

6.1.5.2.2 Application Security

6.1.5.2.3 Configuration Management

6.1.5.2.4 Third-Party Access

6.2 The RIIOT Method: Administrative Data Gathering

6.2.1 Determining Appropriate RIIOT Approaches for Administrative Controls

6.2.2 Review Documents Regarding Administrative Controls

6.2.2.1 Documents to Review

6.2.2.2 Review Documents for Clarity, Consistency, and Completeness

6.2.2.3 Review Documents for Expected Elements

6.2.2.3.1 Reviewing Information Security Policies

6.2.2.3.1.1 Senior Management Statement

6.2.2.3.1.2 Acceptable-Use Policy

6.2.2.3.1.3 Access Control Policy

6.2.2.3.1.4 Authentication and Account Management Policy

6.2.2.3.1.5 Backup and Restoration Policy

6.2.2.3.1.6 Cryptographic Control Policy

6.2.2.3.1.7 Data Classification, Handling and Retention Policy

6.2.2.3.1.8 Media Protection Policy

6.2.2.3.1.9 Mobile Device Policy

6.2.2.3.1.10 Physical Security/Environmental Controls Policy

6.2.2.3.1.11 Privacy Program Policy

6.2.2.3.1.12 Privacy—Web Privacy Notice

6.2.2.3.1.13 Systems and Communications Security Policy

6.2.2.4 Reviewing Information Security Plans, Processes, and Procedures

6.2.2.4.1.1 Business Contingency Plan

6.2.2.4.1.2 Change Control Procedures

6.2.2.4.1.3 Disaster Recovery Plan

6.2.2.4.1.4 Incident Response Plan

6.2.2.4.1.5 Information Security Program Procedures

6.2.2.4.1.6 Other Operational Procedures

6.2.2.4.1.7 Security Awareness and Training Program

6.2.2.4.1.8 Software Development Life Cycle Process

6.2.2.4.1.9 Termination Procedures

6.2.2.4.1.10 Vendor Security Risk Management Program

6.2.2.5 Security Work Product Review

6.2.3 Interview Personnel Regarding Administrative Controls

6.2.3.1 Administrative Interview Planning

6.2.3.2 Administrative Interview Topics

6.2.3.3 Administrative Interview Subjects

6.2.3.4 Administrative Interview Questions

6.2.3.4.1 Incident Response Interview Questions

6.2.3.4.2 Security Operations Interview Questions

6.2.3.4.3 Security Program Interview Questions

6.2.4 Inspect Administrative Security Controls

6.2.4.1 Inspection—Listing Administrative Security Controls

6.2.4.2 Inspection—Verify Information Gathered

6.2.4.3 Inspection—Determine Vulnerabilities

6.2.4.4 Inspection—Document and Review Findings

6.2.4.5 Inspection—The Security Organization

6.2.4.5.1 Organizational Structure

6.2.4.5.2 Budget and Resources

6.2.4.5.3 Roles and Responsibilities

6.2.5 Observe Administrative Behavior

6.2.6 Test Administrative Security Controls

6.2.6.1 Information Labeling Testing

6.2.6.2 Media Destruction Testing

6.2.6.2.1 Approach 1: TRASHINT

6.2.6.2.2 Approach 2: Sanitization Test

6.2.6.3 Account and Access Control Procedures Testing

6.2.6.3.1 Approach 1: Process Test

6.2.6.3.2 Approach 2: Process Audit—Sample

6.2.6.3.3 Approach 3: Process Audit—Complete

6.2.6.4 Outsourcing and Information Exchange

6.2.6.4.1 Outsourcing Review

6.2.6.4.1.1 Approach 1: Review Contracts

6.2.6.4.1.2 Approach 2: Review Available Assessments

6.2.6.4.1.3 Approach 3: Review Questionnaire Responses

Exercises

Bibliography

7 Technical Data Gathering

7.1 Technical Threats and Safeguards

7.1.1 Information Control

7.1.1.1 Information Control Threats

7.1.1.2 Information Control Safeguards

7.1.1.2.1 User Error

7.1.1.2.2 Sensitive and Critical Information

7.1.1.2.3 User Accounts

7.1.2 Business Continuity

7.1.2.1 Business Continuity Threats

7.1.2.2 Business Continuity Safeguards

7.1.2.2.1 Contingency Planning

7.1.2.2.2 Incident Response Program

7.1.3 System Security

7.1.3.1 System Security Threats

7.1.3.2 System Security Safeguards

7.1.3.2.1 System Controls

7.1.3.2.2 Application Security

7.1.3.2.3 Change Management

7.1.4 Secure Architecture

7.1.4.1 Secure Architecture Threats

7.1.4.2 Secure Architecture Safeguards

7.1.4.2.1 Topology

7.1.4.2.2 Transmission

7.1.4.2.3 Perimeter Network

7.1.5 Security Components

7.1.5.1 Security Component Threats

7.1.5.2 Security Component Safeguards

7.1.5.2.1 Access Control

7.1.5.2.2 Continuous Monitoring

7.1.6 Secure Configuration

7.1.6.1 Secure Configuration Threats

7.1.6.2 Secure Configuration Safeguards

7.1.6.2.1 System Settings

7.1.7 Data Security

7.1.7.1 Data Security Threats

7.1.7.2 Data Security Safeguards

7.1.7.2.1 Storage

7.1.7.2.2 Transit

7.2 The RIIOT Method: Technical Data Gathering

7.2.1 Determining Appropriate RIIOT Approaches for Technical Controls

7.2.2 Review Documents Regarding Technical Controls

7.2.2.1 Technical Documents to Request

7.2.2.2 Review Technical Documents for Information

7.2.2.3 Review Documents for Clarity, Consistency, and Completeness

7.2.2.4 Review Documents for Expected Elements

7.2.2.5 Reviewing System Information Documents

7.2.2.5.1 Network Diagram

7.2.2.6 Reviewing Previous Security Assessment Documents

7.2.2.6.1 Vulnerability Scan Report

7.2.2.6.2 Penetration Test Report

7.2.2.6.3 Security Risk Assessment Report

7.2.2.6.4 Information Technology/Security Audit Report

7.2.2.7 Reviewing Technical Manuals

7.2.2.8 Review Technical Security Designs

7.2.2.8.1 Determine Security Requirements

7.2.2.9 Basic Security Design Principles

7.2.2.9.1 Common Areas for Investigation

7.2.3 Interview Personnel Regarding Technical Controls

7.2.3.1 Technical Interview Topics

7.2.3.2 Technical Interview Subjects

7.2.3.3 Technical Interview Questions

7.2.3.3.1 Security Testing and Review Interview Questions

7.2.3.3.2 Security Components Interview Questions

7.2.3.3.3 Security Operations and Procedures Interview Questions

7.2.4 Inspect Technical Security Controls

7.2.4.1 List Technical Security Controls

7.2.4.2 Verify Information Gathered

7.2.4.2.1 Audit Logs

7.2.4.2.2 Identity Management System

7.2.4.2.3 Data Backup Technologies

7.2.4.2.4 Vulnerability Scanning Tools

7.2.4.2.5 Penetration Testing Tools

7.2.4.2.6 Patch Management System

7.2.4.2.7 Web and E-mail Filtering Tools

7.2.4.2.8 Configuration Management

7.2.4.2.9 Firewalls

7.2.4.2.10 Intrusion Detection Systems

7.2.4.2.11 System Hardening Guidance

7.2.4.2.12 Operating Systems and Applications

7.2.4.2.12.1 Sources of Checklists

7.2.4.2.12.2 Use of Checklists

7.2.4.3 Determine Vulnerabilities

7.2.4.4 Document and Review Findings

7.2.5 Observe Technical Personnel Behavior

7.2.6 Test Technical Security Controls

7.2.6.1 Monitoring Technology

7.2.6.2 Audit Logs

7.2.6.3 Anti-Virus Systems

7.2.6.4 Automated Password Policies

7.2.6.5 Virtual Private Network

7.2.6.6 Firewalls, IDS, and System Hardening

7.2.6.7 Vulnerability Scanning

7.2.6.7.1 Stages of Vulnerability Scanning

7.2.6.7.2 Vulnerability Scanning Tools

7.2.6.7.2.1 Network Mapping

7.2.6.7.2.2 Vulnerability Scanners

7.2.6.7.2.3 Virus and Pest Scanning

7.2.6.7.2.4 Application Scanners

7.2.6.8 Penetration Testing

7.2.6.9 Testing Specific Technology

7.2.6.9.1 Modem Access Testing

7.2.6.9.2 Wireless Network Testing

7.2.6.9.3 PBX Testing

7.2.6.9.4 VOIP Testing

Exercises

Notes

Bibliography

8 Physical Data Gathering

8.1 Physical Threats and Safeguards

8.1.1 Utilities and Interior Climate

8.1.1.1 Utility and Interior Climate Threats

8.1.1.2 Utility and Interior Climate Safeguards

8.1.1.2.1 Power Utility

8.1.1.2.1.1 Power Safeguards

8.1.1.2.2 Cooling Interior Climate

8.1.1.2.2.1 Cooling Safeguards

8.1.1.2.3 Humidity

8.1.1.2.3.1 Humidity Safeguards

8.1.2 Fire

8.1.2.1 Fire Threats

8.1.2.2 Fire Safeguards

8.1.2.2.1 Fire Prevention

8.1.2.2.1.1 Fire Prevention Safeguards

8.1.2.2.2 Fire Detection

8.1.2.2.2.1 Fire Detection Safeguards

8.1.2.2.3 Fire Alarm

8.1.2.2.3.1 Fire Alarm Safeguards

8.1.2.2.3.1.1 Fire Alarm Installation Types

8.1.2.2.4 Fire Suppression

8.1.2.3 Fire Suppression Safeguards

8.1.2.3.1 Stationary Suppression Systems

8.1.3 Flood and Water Damage

8.1.3.1 Flood and Water Threats

8.1.3.2 Flood and Water Safeguards

8.1.3.2.1 Flood and Water Exposure

8.1.3.2.1.1 Flood and Water Exposure Safeguards

8.1.3.2.2 Flood and Water Monitoring

8.1.3.2.2.1 Flood and Water Exposure Safeguards

8.1.3.2.3 Flood and Water Response

8.1.3.2.3.1 Flood and Water Response Safeguards

8.1.4 Other Natural Disasters

8.1.4.1 Other Natural Disaster Threats

8.1.4.2 Other Natural Disaster Safeguards

8.1.4.2.1 General Natural Disasters

8.1.4.2.1.1 Natural Disasters—General Protection Safeguards

8.1.4.2.2 Lightning

8.1.4.2.2.1 Lightning Safeguards

8.1.4.2.3 Earthquake

8.1.4.2.3.1 Earthquake Safeguards

8.1.4.2.4 Volcano

8.1.4.2.4.1 Volcano Safeguards

8.1.4.2.5 Hurricane

8.1.4.2.5.1 Hurricane Safeguards

8.1.5 Workforce

8.1.5.1 Workforce Threats

8.1.5.2 Workforce Safeguards

8.1.5.2.1 Personnel Screening

8.1.5.2.2 Personnel Termination

8.1.6 Perimeter Protections

8.1.6.1 Perimeter Protection Threats

8.1.6.2 Perimeter Protection Safeguards

8.1.6.2.1 Barriers

8.1.6.2.2 Lighting

8.1.6.2.3 Physical Intrusion Detection

8.1.6.2.3.1 Exterior Sensors

8.1.6.2.3.2 Interior Sensors

8.1.6.2.3.3 Video Surveillance Systems

8.1.6.2.3.3.1 Video Surveillance System Capabilities

8.1.6.2.4 Physical Access Control

8.1.6.2.4.1 Badges

8.1.6.2.4.2 Card Readers

8.1.6.2.4.3 Biometrics

8.1.6.2.4.4 Visitor Control

8.1.6.2.4.5 Property Removal Prevention

8.2 The RIIOT Method: Physical Data Gathering

8.2.1 Determining Appropriate RIIOT Approaches for Physical Controls

8.2.2 Review Documents Regarding Physical Controls

8.2.2.1 Physical Documents to Request

8.2.2.2 Review Physical Documents for Information

8.2.2.3 Review Documents for Currency and Capability

8.2.2.4 Review Documents for Expected Elements

8.2.2.5 Reviewing Physical Safeguard Information Documents

8.2.2.6 Reviewing Previous Physical Assessment Documents

8.2.2.7 Reviewing Building and Site Architecture Documents

8.2.2.8 Reviewing Procedures and Procedure Work Products

8.2.3 Interview Physical Personnel

8.2.3.1 Physical Security Interview Topics

8.2.3.2 Physical Security Interview Subjects

8.2.3.3 Physical Security Interview Questions

8.2.3.3.1 Utilities Interview Questions

8.2.3.3.2 Physical Security Procedures Interview Questions

8.2.4 Inspect Physical Security Controls

8.2.4.1 Listing Physical Security Controls

8.2.4.2 Verify Information Gathered

8.2.4.2.1 Logs, Records, and Audit Files

8.2.4.2.2 Perimeter Security

8.2.4.3 Determine Physical Vulnerabilities

8.2.4.4 Document and Review Physical Findings

8.2.5 Observe Physical Personnel Behavior

8.2.6 Test Physical Security Safeguards

8.2.6.1 Doors and Locks

8.2.6.2 Intrusion Detection

Exercises

Notes

Bibliography

9 Security Risk Analysis

9.1 Obtaining Measurement Data for Security Risk Analysis

9.2 Qualitative Security Risk Analysis Techniques

9.2.1 Qualitative Security Risk Analysis Advantages

9.2.2 Qualitative Security Risk Analysis Disadvantages

9.3 Quantitative Security Risk Analysis Techniques

9.3.1 Classic Quantitative Security Risk Assessment Formulas

9.3.2 Estimation

9.3.3 Probability Distributions

9.3.4 Monte Carlo Simulation

9.3.4.1 Ransomware Example—Monte Carlo Simulation

9.3.4.2 Building Monte Carlo Simulation Models

9.3.4.3 Quantitative Analysis Advantages

9.3.4.4 Quantitative Analysis Disadvantages

9.4 Summarizing Security Risk Analysis

9.4.1 Team Review of Security Risk Summary

9.4.2 Deriving Overall Security Risk

9.4.3 Prioritization of Security Risk

Exercises

Notes

Bibliography

10 Security Risk Analysis Worked Examples

10.1 RIIOT FRAME

10.1.1 RIIOT FRAME—Qualitative

10.1.1.1 Qualitative Threat Assessment: (Phase 1)

10.1.1.2 Qualitative Vulnerability Assessment: (Phases 2A and 2B)

10.1.1.2.1 The RIIOT FRAME for Qualitative Vulnerability Review Approach

10.1.1.3 Qualitative Threat Occurrence Likelihood

10.1.1.4 Qualitative Expected Impact

10.1.1.4.1 Qualitative Impact Assessment (Phase 3)

10.1.1.4.2 Qualitative Vulnerability Assessment: Detective and Corrective Controls (Phase 2B)

10.1.1.5 Qualitative Expected Impact

10.1.1.6 Qualitative Security Risk Calculation

10.1.2 RIIOT FRAME—Quantitative

10.1.2.1 Obtaining Quantitative Data

10.1.2.1.1 Direct Threat Frequency or Impact Data

10.1.2.1.2 Indirect Threat Frequency or Impact Data

10.1.2.2 Quantitative Threat Occurrence Likelihood (Phase 1 and 2A)

10.1.2.3 Quantitative Expected Impact: Phase 3 and 2B

10.1.2.4 Quantitative Security Risk Calculation

10.1.3 Qualitative and Quantitative Comparison

Exercises

Notes

11 Security Risk Mitigation

11.1 Defining Security Risk Appetite

11.2 Selecting Safeguards

11.2.1 Method 1: Missing Control Leads to Safeguard Selection

11.2.2 Method 2: People, Process, Technology

11.2.3 Method 3: The “Nine-Cell”

11.2.4 Method 4: Available Technology

11.3 Safeguard Solution Sets

11.3.1 Safeguard Cost Calculations

11.3.2 Safeguard Effectiveness

11.3.2.1 Justification through Judgment

11.3.2.2 Cost–Benefit Analysis

11.4 Establishing Security Risk Parameters

Exercises

Notes

12 Security Risk Assessment Reporting

12.1 Cautions in Reporting

12.2 Pointers in Reporting

12.3 Report Structure

12.3.1 Executive-Level Report

12.3.2 Base Report

12.3.3 Appendices and Exhibits

12.4 Document Review Methodology: Create the Report Using a Top-Down Approach

12.4.1 Document Specification

12.4.2 Draft

12.4.3 Final

12.5 Assessment Brief

12.6 Action Plan

Exercises

Bibliography

13 Security Risk Assessment Project Management

13.1 Project Planning

13.1.1 Project Definition

13.1.2 Project Planning Details

13.1.2.1 Project Phases and Activities

13.1.2.2 Phases and Activities Scheduling

13.1.2.3 Allocating Hours to Activities

13.1.3 Project Resources

13.1.3.1 Objectivity vs. Independence

13.1.3.2 Internal vs. External Team Members

13.1.3.3 Skills Required

13.1.3.3.1 Specific Security Risk Assessment Skills

13.1.3.3.2 Certifications

13.1.3.3.3 General Consulting Skills

13.1.3.3.3.1 Criticisms of Consultants

13.1.3.3.3.2 Overcoming Critics

13.1.3.3.3.3 Conflict of Interest

13.1.3.3.4 General Writing Skills

13.2 Project Tracking

13.2.1 Hours Tracking

13.2.1.1 Calendar Time Tracking

13.2.2 Project Progress Tracking

13.3 Taking Corrective Measures

13.3.1 Obtaining More Resources

13.3.2 Using Management Reserve

13.4 Project Status Reporting

13.4.1 Report Detail

13.4.2 Report Frequency

13.4.3 Status Report Content

13.5 Project Conclusion and Wrap-Up

13.5.1 Eliminating “Scope Creep”

13.5.2 Eliminating Project Run-On

Exercises

Notes

Bibliography

14 Security Risk Assessment Approaches

14.1 Security Risk Assessment Methods

14.1.1

14.1.2 OCTAVE

14.1.2.1 OCTAVE (Original)

14.1.2.2 OCTAVE-S

14.1.2.3 OCTAVE-Allegro

14.1.3 Information Security Assessment Methodology 2 (IRAM2)

14.1.4 Factor Analysis of Information Risk (FAIR): Basic Risk Assessment Guide (BRAG)

14.1.5 Factor Analysis of Information Risk (FAIR): Quantitative

14.1.6 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Qualitative

14.1.7 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Quantitative

14.2 Security Risk Assessment Frameworks

Exercises

Bibliography

Index

People also search for The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition:

    
what is a security risk assessment
    
security risk assessment example
    
types of security risk assessments
    
the security risk handbook
    
security risk assessment pdf

Tags:

Douglas Landoll,Security Risk Assessment,Performing Security,Risk Assessments