The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments, 3rd Edition, by Douglas Landoll
Product details:
ISBN 10: 103204165X
ISBN 13: 9781032041650
Author: Douglas Landoll
The Security Risk Assessment Handbook A Complete Guide for Performing Security Risk Assessments 3rd Edition Table of contents:
1 Introduction
1.1 The Role of the Chief Information Security Officer
1.1.1 Audit as a Driver for Security Initiatives
1.1.2 Technology as a Driver for Security Initiatives
1.1.3 Compliance as a Driver for Security Initiatives
1.1.4 Security Risk as a Driver for Security Initiatives
1.2 Ensuring a Quality Information Security Risk Assessment
1.3 Security Risk Assessment
1.3.1 The Role of the Security Risk Assessment
1.3.2 Definition of a Security Risk Assessment
1.3.3 The Need for a Security Risk Assessment
1.3.3.1 Checks and Balances
1.3.3.2 Periodic Review
1.3.3.3 Risk-Based Spending
1.3.3.4 Requirement
1.3.4 Security Risk Assessment Secondary Benefits
1.4 Related Activities
1.4.1 Gap Assessment
1.4.2 Compliance Audit
1.4.3 Security Audit
1.4.4 Vulnerability Scanning
1.4.5 Penetration Testing
1.4.6 Ad Hoc Testing
1.4.7 Social Engineering
1.4.8 War Dialing
1.5 The Need for This Book
1.6 Who Is This Book For?
Exercises
Note
Bibliography
2 Information Security Risk Assessment Basics
2.1 Phase 1: Project Definition
2.2 Phase 2: Project Preparation
2.3 Phase 3: Data Gathering
2.4 Phase 4: Risk Analysis
2.4.1 Assets
2.4.2 Threat Agents and Threat Actions
2.4.2.1 Threat Agents
2.4.2.2 Threat Actions
2.4.3 Vulnerabilities
2.4.4 Security Risk
2.5 Phase 5: Risk Mitigation
2.5.1 Safeguards
2.5.2 Residual Security Risk
2.6 Phase 6: Risk Reporting and Resolution
2.6.1 Risk Resolution
Exercises
Notes
Bibliography
3 Project Definition
3.1 Ensuring Project Success
3.1.1 Success Definition
3.1.1.1 Customer Satisfaction
3.1.1.2 Identifying the Customer
3.1.1.3 Quality of Work
3.1.1.3.1 Quality Aspects
3.1.1.4 Completion within Budget
3.1.2 Setting the Budget
3.1.3 Determining the Objective
3.1.4 Limiting the Scope
3.1.4.1 Under-scoping
3.1.4.2 Over-scoping
3.1.4.3 Security Controls
3.1.4.3.1 Administrative Security Controls
3.1.4.3.2 Physical Security Controls
3.1.4.3.3 Technical Security Controls
3.1.4.4 Assets
3.1.4.4.1 Tangible Assets
3.1.4.4.2 Intangible Assets
3.1.4.5 Reasonableness in Limiting the Scope
3.1.5 Identifying System Boundaries
3.1.5.1 Physical Boundary
3.1.5.2 Logical Boundaries
3.1.6 Specifying the Rigor
3.1.7 Sample Scope Statements
3.2 Project Description
3.2.1 Project Variables
3.2.2 Statement of Work (SOW)
3.2.2.1 Specifying the Service Description
3.2.2.2 Scope of Security Controls
3.2.2.3 Specifying Deliverables
3.2.2.4 Contract Type
3.2.2.4.1 Time and Materials Contract
3.2.2.4.2 Firm-Fixed-Price Contract
3.2.2.5 Contract Terms
3.2.2.5.1 Determining Needs
3.2.2.5.2 Determining Next-Best Alternative
3.2.2.5.3 Negotiating Project Membership
Exercises
Bibliography
4 Security Risk Assessment Preparation
4.1 Introduce the Team
4.1.1 Introductory Letter
4.1.2 Project Kickoff Call
4.1.3 Pre-Assessment Briefing
4.1.4 Obtain Proper Permission
4.1.4.1 Policies Required
4.1.4.2 Permission Required
4.1.4.3 Scope of Permission
4.1.4.4 Accounts Required
4.2 Review Business Mission
4.2.1 What Is a Business Mission?
4.2.2 Obtaining Business Mission Information
4.3 Identify Critical Systems
4.3.1 Determining Criticality
4.3.1.1 Determine Protection Requirements
4.3.1.2 Determine Mission Criticality
4.3.1.3 Define Critical Systems
4.4 Identify Asset Classes
4.4.1 Checklists and Judgment
4.4.2 Asset Sensitivity/Criticality Classification
4.4.2.1 Approach 1: Find Asset Classification Information Elsewhere
4.4.2.2 Approach 2: Create Asset Classification Information
4.4.2.3 Approach 3: Determine Asset Criticality
4.4.3 Asset Valuation
4.4.3.1 Approach 1: Binary Asset Valuation
4.4.3.2 Approach 2: Classification-Based Asset Valuation
4.4.3.3 Approach 3: Rank-Based Asset Valuation
4.4.3.4 Approach 4: Consensus Asset Valuation
4.4.3.5 Approaches 5–7: Accounting Valuation Approaches
4.4.3.5.1 Approach 5: Cost Valuation
4.4.3.5.2 Approach 6: Market Valuation
4.4.3.5.3 Approach 7: Income Valuation
4.5 Identifying Threats
4.5.1 Threat Components
4.5.1.1 Threat Agent
4.5.1.2 Threat Action
4.5.1.3 Threat Agent and Threat Action Pairing
4.5.2 Threat Statements
4.5.3 Validating Threat Statements
4.5.3.1 Factors Affecting Threat Statement Validity
4.6 Determine Expected Controls
Exercises
Note
Bibliography
5 Data Gathering
5.1 Security Control Representation
5.1.1 Data Gathering on the Population
5.1.2 Data Gathering on a Sample
5.1.2.1 Determining Sample Size
5.1.2.2 Sampling Objectives
5.1.2.3 Sampling Types
5.1.3 Use of Sampling in Security Testing
5.1.3.1 Approach 1: Representative Testing
5.1.3.2 Approach 2: Selected Sampling
5.1.3.3 Approach 3: Random Sampling
5.2 Evidence Depth
5.3 The RIIOT Method of Data Gathering
5.3.1 RIIOT Method Benefits
5.3.2 RIIOT Method Approaches
5.3.2.1 Review Documents or Designs
5.3.2.1.1 The Importance of Security Documents
5.3.2.1.2 Documents to Request
5.3.2.1.3 Policy Review within Regulated Industries
5.3.2.1.4 RIIOT Document Review Technique
5.3.2.2 Interview Key Personnel
5.3.2.2.1 Selecting the Interviewer
5.3.2.2.2 Interview Requests
5.3.2.2.3 Preparing for the Interview
5.3.2.2.4 Conducting the Interview
5.3.2.2.5 Documenting the Interview
5.3.2.2.6 Flexibility in the Process
5.3.2.2.7 Questionnaire Preparation
5.3.2.3 Inspect Security Controls
5.3.2.4 Observe Personnel Behavior
5.3.2.4.1 Observation Guidance
5.3.2.5 Test Security Controls
5.3.2.5.1 Security Testing Documentation
5.3.2.5.2 Coverage of Testing
5.3.2.5.3 Types of Security Testing
5.3.2.5.3.1 Information Accuracy Testing
5.3.2.5.3.2 Vulnerability Testing
5.3.2.5.3.3 Penetration Testing
5.3.3 Using the RIIOT Method
5.3.3.1 Determining Appropriate RIIOT Approaches
5.3.3.2 Assigning RIIOT Activities
5.3.3.3 RIIOT Applied to Administrative, Physical, and Technical Controls
Exercises
Bibliography
6 Administrative Data Gathering
6.1 Administrative Threats and Safeguards
6.1.1 Human Resources
6.1.1.1 Human Resource Threats
6.1.1.2 Human Resource Safeguards
6.1.1.2.1 Recruitment
6.1.1.2.2 Employment
6.1.1.2.3 Termination
6.1.2 Organizational Structure
6.1.2.1 Organizational Structure Threats
6.1.2.2 Organizational Structure Safeguards
6.1.2.2.1 Senior Management
6.1.2.2.2 Security Program
6.1.2.2.3 Security Operations
6.1.2.2.4 Audit
6.1.3 Information Control
6.1.3.1 Information Control Threats
6.1.3.2 Information Control Safeguards
6.1.3.2.1 Sensitive Information
6.1.3.2.2 User Accounts
6.1.3.2.3 User Error
6.1.3.2.4 Asset Control
6.1.4 Business Continuity
6.1.4.1 Business Continuity Threats
6.1.4.2 Business Continuity Safeguards
6.1.4.2.1 Contingency Planning
6.1.4.2.2 Incident Response Program
6.1.5 System Security
6.1.5.1 System Security Threats
6.1.5.2 Organizational Structure Safeguards
6.1.5.2.1 System Controls
6.1.5.2.2 Application Security
6.1.5.2.3 Configuration Management
6.1.5.2.4 Third-Party Access
6.2 The RIIOT Method: Administrative Data Gathering
6.2.1 Determining Appropriate RIIOT Approaches for Administrative Controls
6.2.2 Review Documents Regarding Administrative Controls
6.2.2.1 Documents to Review
6.2.2.2 Review Documents for Clarity, Consistency, and Completeness
6.2.2.3 Review Documents for Expected Elements
6.2.2.3.1 Reviewing Information Security Policies
6.2.2.3.1.1 Senior Management Statement
6.2.2.3.1.2 Acceptable-Use Policy
6.2.2.3.1.3 Access Control Policy
6.2.2.3.1.4 Authentication and Account Management Policy
6.2.2.3.1.5 Backup and Restoration Policy
6.2.2.3.1.6 Cryptographic Control Policy
6.2.2.3.1.7 Data Classification, Handling and Retention Policy
6.2.2.3.1.8 Media Protection Policy
6.2.2.3.1.9 Mobile Device Policy
6.2.2.3.1.10 Physical Security/Environmental Controls Policy
6.2.2.3.1.11 Privacy Program Policy
6.2.2.3.1.12 Privacy—Web Privacy Notice
6.2.2.3.1.13 Systems and Communications Security Policy
6.2.2.4 Reviewing Information Security Plans, Processes, and Procedures
6.2.2.4.1.1 Business Contingency Plan
6.2.2.4.1.2 Change Control Procedures
6.2.2.4.1.3 Disaster Recovery Plan
6.2.2.4.1.4 Incident Response Plan
6.2.2.4.1.5 Information Security Program Procedures
6.2.2.4.1.6 Other Operational Procedures
6.2.2.4.1.7 Security Awareness and Training Program
6.2.2.4.1.8 Software Development Life Cycle Process
6.2.2.4.1.9 Termination Procedures
6.2.2.4.1.10 Vendor Security Risk Management Program
6.2.2.5 Security Work Product Review
6.2.3 Interview Personnel Regarding Administrative Controls
6.2.3.1 Administrative Interview Planning
6.2.3.2 Administrative Interview Topics
6.2.3.3 Administrative Interview Subjects
6.2.3.4 Administrative Interview Questions
6.2.3.4.1 Incident Response Interview Questions
6.2.3.4.2 Security Operations Interview Questions
6.2.3.4.3 Security Program Interview Questions
6.2.4 Inspect Administrative Security Controls
6.2.4.1 Inspection—Listing Administrative Security Controls
6.2.4.2 Inspection—Verify Information Gathered
6.2.4.3 Inspection—Determine Vulnerabilities
6.2.4.4 Inspection—Document and Review Findings
6.2.4.5 Inspection—The Security Organization
6.2.4.5.1 Organizational Structure
6.2.4.5.2 Budget and Resources
6.2.4.5.3 Roles and Responsibilities
6.2.5 Observe Administrative Behavior
6.2.6 Test Administrative Security Controls
6.2.6.1 Information Labeling Testing
6.2.6.2 Media Destruction Testing
6.2.6.2.1 Approach 1: TRASHINT
6.2.6.2.2 Approach 2: Sanitization Test
6.2.6.3 Account and Access Control Procedures Testing
6.2.6.3.1 Approach 1: Process Test
6.2.6.3.2 Approach 2: Process Audit—Sample
6.2.6.3.3 Approach 3: Process Audit—Complete
6.2.6.4 Outsourcing and Information Exchange
6.2.6.4.1 Outsourcing Review
6.2.6.4.1.1 Approach 1: Review Contracts
6.2.6.4.1.2 Approach 2: Review Available Assessments
6.2.6.4.1.3 Approach 3: Review Questionnaire Responses
Exercises
Bibliography
7 Technical Data Gathering
7.1 Technical Threats and Safeguards
7.1.1 Information Control
7.1.1.1 Information Control Threats
7.1.1.2 Information Control Safeguards
7.1.1.2.1 User Error
7.1.1.2.2 Sensitive and Critical Information
7.1.1.2.3 User Accounts
7.1.2 Business Continuity
7.1.2.1 Business Continuity Threats
7.1.2.2 Business Continuity Safeguards
7.1.2.2.1 Contingency Planning
7.1.2.2.2 Incident Response Program
7.1.3 System Security
7.1.3.1 System Security Threats
7.1.3.2 System Security Safeguards
7.1.3.2.1 System Controls
7.1.3.2.2 Application Security
7.1.3.2.3 Change Management
7.1.4 Secure Architecture
7.1.4.1 Secure Architecture Threats
7.1.4.2 Secure Architecture Safeguards
7.1.4.2.1 Topology
7.1.4.2.2 Transmission
7.1.4.2.3 Perimeter Network
7.1.5 Security Components
7.1.5.1 Security Component Threats
7.1.5.2 Security Component Safeguards
7.1.5.2.1 Access Control
7.1.5.2.2 Continuous Monitoring
7.1.6 Secure Configuration
7.1.6.1 Secure Configuration Threats
7.1.6.2 Secure Configuration Safeguards
7.1.6.2.1 System Settings
7.1.7 Data Security
7.1.7.1 Data Security Threats
7.1.7.2 Data Security Safeguards
7.1.7.2.1 Storage
7.1.7.2.2 Transit
7.2 The RIIOT Method: Technical Data Gathering
7.2.1 Determining Appropriate RIIOT Approaches for Technical Controls
7.2.2 Review Documents Regarding Technical Controls
7.2.2.1 Technical Documents to Request
7.2.2.2 Review Technical Documents for Information
7.2.2.3 Review Documents for Clarity, Consistency, and Completeness
7.2.2.4 Review Documents for Expected Elements
7.2.2.5 Reviewing System Information Documents
7.2.2.5.1 Network Diagram
7.2.2.6 Reviewing Previous Security Assessment Documents
7.2.2.6.1 Vulnerability Scan Report
7.2.2.6.2 Penetration Test Report
7.2.2.6.3 Security Risk Assessment Report
7.2.2.6.4 Information Technology/Security Audit Report
7.2.2.7 Reviewing Technical Manuals
7.2.2.8 Review Technical Security Designs
7.2.2.8.1 Determine Security Requirements
7.2.2.9 Basic Security Design Principles
7.2.2.9.1 Common Areas for Investigation
7.2.3 Interview Personnel Regarding Technical Controls
7.2.3.1 Technical Interview Topics
7.2.3.2 Technical Interview Subjects
7.2.3.3 Technical Interview Questions
7.2.3.3.1 Security Testing and Review Interview Questions
7.2.3.3.2 Security Components Interview Questions
7.2.3.3.3 Security Operations and Procedures Interview Questions
7.2.4 Inspect Technical Security Controls
7.2.4.1 List Technical Security Controls
7.2.4.2 Verify Information Gathered
7.2.4.2.1 Audit Logs
7.2.4.2.2 Identity Management System
7.2.4.2.3 Data Backup Technologies
7.2.4.2.4 Vulnerability Scanning Tools
7.2.4.2.5 Penetration Testing Tools
7.2.4.2.6 Patch Management System
7.2.4.2.7 Web and E-mail Filtering Tools
7.2.4.2.8 Configuration Management
7.2.4.2.9 Firewalls
7.2.4.2.10 Intrusion Detection Systems
7.2.4.2.11 System Hardening Guidance
7.2.4.2.12 Operating Systems and Applications
7.2.4.2.12.1 Sources of Checklists
7.2.4.2.12.2 Use of Checklists
7.2.4.3 Determine Vulnerabilities
7.2.4.4 Document and Review Findings
7.2.5 Observe Technical Personnel Behavior
7.2.6 Test Technical Security Controls
7.2.6.1 Monitoring Technology
7.2.6.2 Audit Logs
7.2.6.3 Anti-Virus Systems
7.2.6.4 Automated Password Policies
7.2.6.5 Virtual Private Network
7.2.6.6 Firewalls, IDS, and System Hardening
7.2.6.7 Vulnerability Scanning
7.2.6.7.1 Stages of Vulnerability Scanning
7.2.6.7.2 Vulnerability Scanning Tools
7.2.6.7.2.1 Network Mapping
7.2.6.7.2.2 Vulnerability Scanners
7.2.6.7.2.3 Virus and Pest Scanning
7.2.6.7.2.4 Application Scanners
7.2.6.8 Penetration Testing
7.2.6.9 Testing Specific Technology
7.2.6.9.1 Modem Access Testing
7.2.6.9.2 Wireless Network Testing
7.2.6.9.3 PBX Testing
7.2.6.9.4 VOIP Testing
Exercises
Notes
Bibliography
8 Physical Data Gathering
8.1 Physical Threats and Safeguards
8.1.1 Utilities and Interior Climate
8.1.1.1 Utility and Interior Climate Threats
8.1.1.2 Utility and Interior Climate Safeguards
8.1.1.2.1 Power Utility
8.1.1.2.1.1 Power Safeguards
8.1.1.2.2 Cooling Interior Climate
8.1.1.2.2.1 Cooling Safeguards
8.1.1.2.3 Humidity
8.1.1.2.3.1 Humidity Safeguards
8.1.2 Fire
8.1.2.1 Fire Threats
8.1.2.2 Fire Safeguards
8.1.2.2.1 Fire Prevention
8.1.2.2.1.1 Fire Prevention Safeguards
8.1.2.2.2 Fire Detection
8.1.2.2.2.1 Fire Detection Safeguards
8.1.2.2.3 Fire Alarm
8.1.2.2.3.1 Fire Alarm Safeguards
8.1.2.2.3.1.1 Fire Alarm Installation Types
8.1.2.2.4 Fire Suppression
8.1.2.3 Fire Suppression Safeguards
8.1.2.3.1 Stationary Suppression Systems
8.1.3 Flood and Water Damage
8.1.3.1 Flood and Water Threats
8.1.3.2 Flood and Water Safeguards
8.1.3.2.1 Flood and Water Exposure
8.1.3.2.1.1 Flood and Water Exposure Safeguards
8.1.3.2.2 Flood and Water Monitoring
8.1.3.2.2.1 Flood and Water Exposure Safeguards
8.1.3.2.3 Flood and Water Response
8.1.3.2.3.1 Flood and Water Response Safeguards
8.1.4 Other Natural Disasters
8.1.4.1 Other Natural Disaster Threats
8.1.4.2 Other Natural Disaster Safeguards
8.1.4.2.1 General Natural Disasters
8.1.4.2.1.1 Natural Disasters—General Protection Safeguards
8.1.4.2.2 Lightning
8.1.4.2.2.1 Lightning Safeguards
8.1.4.2.3 Earthquake
8.1.4.2.3.1 Earthquake Safeguards
8.1.4.2.4 Volcano
8.1.4.2.4.1 Volcano Safeguards
8.1.4.2.5 Hurricane
8.1.4.2.5.1 Hurricane Safeguards
8.1.5 Workforce
8.1.5.1 Workforce Threats
8.1.5.2 Workforce Safeguards
8.1.5.2.1 Personnel Screening
8.1.5.2.2 Personnel Termination
8.1.6 Perimeter Protections
8.1.6.1 Perimeter Protection Threats
8.1.6.2 Perimeter Protection Safeguards
8.1.6.2.1 Barriers
8.1.6.2.2 Lighting
8.1.6.2.3 Physical Intrusion Detection
8.1.6.2.3.1 Exterior Sensors
8.1.6.2.3.2 Interior Sensors
8.1.6.2.3.3 Video Surveillance Systems
8.1.6.2.3.3.1 Video Surveillance System Capabilities
8.1.6.2.4 Physical Access Control
8.1.6.2.4.1 Badges
8.1.6.2.4.2 Card Readers
8.1.6.2.4.3 Biometrics
8.1.6.2.4.4 Visitor Control
8.1.6.2.4.5 Property Removal Prevention
8.2 The RIIOT Method: Physical Data Gathering
8.2.1 Determining Appropriate RIIOT Approaches for Physical Controls
8.2.2 Review Documents Regarding Physical Controls
8.2.2.1 Physical Documents to Request
8.2.2.2 Review Physical Documents for Information
8.2.2.3 Review Documents for Currency and Capability
8.2.2.4 Review Documents for Expected Elements
8.2.2.5 Reviewing Physical Safeguard Information Documents
8.2.2.6 Reviewing Previous Physical Assessment Documents
8.2.2.7 Reviewing Building and Site Architecture Documents
8.2.2.8 Reviewing Procedures and Procedure Work Products
8.2.3 Interview Physical Personnel
8.2.3.1 Physical Security Interview Topics
8.2.3.2 Physical Security Interview Subjects
8.2.3.3 Physical Security Interview Questions
8.2.3.3.1 Utilities Interview Questions
8.2.3.3.2 Physical Security Procedures Interview Questions
8.2.4 Inspect Physical Security Controls
8.2.4.1 Listing Physical Security Controls
8.2.4.2 Verify Information Gathered
8.2.4.2.1 Logs, Records, and Audit Files
8.2.4.2.2 Perimeter Security
8.2.4.3 Determine Physical Vulnerabilities
8.2.4.4 Document and Review Physical Findings
8.2.5 Observe Physical Personnel Behavior
8.2.6 Test Physical Security Safeguards
8.2.6.1 Doors and Locks
8.2.6.2 Intrusion Detection
Exercises
Notes
Bibliography
9 Security Risk Analysis
9.1 Obtaining Measurement Data for Security Risk Analysis
9.2 Qualitative Security Risk Analysis Techniques
9.2.1 Qualitative Security Risk Analysis Advantages
9.2.2 Qualitative Security Risk Analysis Disadvantages
9.3 Quantitative Security Risk Analysis Techniques
9.3.1 Classic Quantitative Security Risk Assessment Formulas
9.3.2 Estimation
9.3.3 Probability Distributions
9.3.4 Monte Carlo Simulation
9.3.4.1 Ransomware Example—Monte Carlo Simulation
9.3.4.2 Building Monte Carlo Simulation Models
9.3.4.3 Quantitative Analysis Advantages
9.3.4.4 Quantitative Analysis Disadvantages
9.4 Summarizing Security Risk Analysis
9.4.1 Team Review of Security Risk Summary
9.4.2 Deriving Overall Security Risk
9.4.3 Prioritization of Security Risk
Exercises
Notes
Bibliography
10 Security Risk Analysis Worked Examples
10.1 RIIOT FRAME
10.1.1 RIIOT FRAME—Qualitative
10.1.1.1 Qualitative Threat Assessment: (Phase 1)
10.1.1.2 Qualitative Vulnerability Assessment: (Phases 2A and 2B)
10.1.1.2.1 The RIIOT FRAME for Qualitative Vulnerability Review Approach
10.1.1.3 Qualitative Threat Occurrence Likelihood
10.1.1.4 Qualitative Expected Impact
10.1.1.4.1 Qualitative Impact Assessment (Phase 3)
10.1.1.4.2 Qualitative Vulnerability Assessment: Detective and Corrective Controls (Phase 2B)
10.1.1.5 Qualitative Expected Impact
10.1.1.6 Qualitative Security Risk Calculation
10.1.2 RIIOT FRAME—Quantitative
10.1.2.1 Obtaining Quantitative Data
10.1.2.1.1 Direct Threat Frequency or Impact Data
10.1.2.1.2 Indirect Threat Frequency or Impact Data
10.1.2.2 Quantitative Threat Occurrence Likelihood (Phase 1 and 2A)
10.1.2.3 Quantitative Expected Impact: Phase 3 and 2B
10.1.2.4 Quantitative Security Risk Calculation
10.1.3 Qualitative and Quantitative Comparison
Exercises
Notes
11 Security Risk Mitigation
11.1 Defining Security Risk Appetite
11.2 Selecting Safeguards
11.2.1 Method 1: Missing Control Leads to Safeguard Selection
11.2.2 Method 2: People, Process, Technology
11.2.3 Method 3: The “Nine-Cell”
11.2.4 Method 4: Available Technology
11.3 Safeguard Solution Sets
11.3.1 Safeguard Cost Calculations
11.3.2 Safeguard Effectiveness
11.3.2.1 Justification through Judgment
11.3.2.2 Cost–Benefit Analysis
11.4 Establishing Security Risk Parameters
Exercises
Notes
12 Security Risk Assessment Reporting
12.1 Cautions in Reporting
12.2 Pointers in Reporting
12.3 Report Structure
12.3.1 Executive-Level Report
12.3.2 Base Report
12.3.3 Appendices and Exhibits
12.4 Document Review Methodology: Create the Report Using a Top-Down Approach
12.4.1 Document Specification
12.4.2 Draft
12.4.3 Final
12.5 Assessment Brief
12.6 Action Plan
Exercises
Bibliography
13 Security Risk Assessment Project Management
13.1 Project Planning
13.1.1 Project Definition
13.1.2 Project Planning Details
13.1.2.1 Project Phases and Activities
13.1.2.2 Phases and Activities Scheduling
13.1.2.3 Allocating Hours to Activities
13.1.3 Project Resources
13.1.3.1 Objectivity vs. Independence
13.1.3.2 Internal vs. External Team Members
13.1.3.3 Skills Required
13.1.3.3.1 Specific Security Risk Assessment Skills
13.1.3.3.2 Certifications
13.1.3.3.3 General Consulting Skills
13.1.3.3.3.1 Criticisms of Consultants
13.1.3.3.3.2 Overcoming Critics
13.1.3.3.3.3 Conflict of Interest
13.1.3.3.4 General Writing Skills
13.2 Project Tracking
13.2.1 Hours Tracking
13.2.1.1 Calendar Time Tracking
13.2.2 Project Progress Tracking
13.3 Taking Corrective Measures
13.3.1 Obtaining More Resources
13.3.2 Using Management Reserve
13.4 Project Status Reporting
13.4.1 Report Detail
13.4.2 Report Frequency
13.4.3 Status Report Content
13.5 Project Conclusion and Wrap-Up
13.5.1 Eliminating “Scope Creep”
13.5.2 Eliminating Project Run-On
Exercises
Notes
Bibliography
14 Security Risk Assessment Approaches
14.1 Security Risk Assessment Methods
14.1.1
14.1.2 OCTAVE
14.1.2.1 OCTAVE (Original)
14.1.2.2 OCTAVE-S
14.1.2.3 OCTAVE-Allegro
14.1.3 Information Security Assessment Methodology 2 (IRAM2)
14.1.4 Factor Analysis of Information Risk (FAIR): Basic Risk Assessment Guide (BRAG)
14.1.5 Factor Analysis of Information Risk (FAIR): Quantitative
14.1.6 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Qualitative
14.1.7 Review, Interview, Inspect, Observe, Test (RIIOT) Framework Risk Assessment Method: Example (FRAME)—Quantitative
14.2 Security Risk Assessment Frameworks
Exercises
Bibliography
Index